What just happened? By working with French and US law enforcement authorities, antivirus firm Avast has taken down a cryptocurrency mining botnet that had infected almost one million computers and removed the malware from victims' machines.
Retadup is a malicious worm—self-replicating malware—that surreptitiously uses a computer’s processor to mine cryptocurrency, which generates money for the operators. It’s also able to run other types of malware, such as ransomware, and is commonly spread via attachments, file-sharing networks and links to malicious websites.
Retadup had infected at least 850,000 computers. While most of these were in Latin America, it had also spread to the US and Russia.
After analyzing the malware back in March, the Avast Threat Intelligence team identified a design flaw in the command and control (C&C) server communications protocol of Retadup that would allow it to be removed from victims’ computers.
With most of Retadup’s C&C infrastructure located in France, Avast worked with French authorities, who took control of the servers. The FBI was also brought in as some of the C&C infrastructure was in the US.
After securing the servers, Avast researchers built a replica that instructed any connected instances of Retadup to delete itself. Avast says that from July 2 to August 19, over 850,000 systems connected to the servers, thereby neutralizing the infection. “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw,” wrote the team.
No arrests have been made in connection with Retadup. Avast says its creator bragged about the malware following reports of its existence. Security researchers from Under the Breach believe the person responsible to be a 26-year-old Palestinian, according to ZDNet.
It's my baby <3 https://t.co/E2dy6Dmpna— black joker (@radblackjoker) 27 April 2018
In his profile, the hacker brags about his operations: pic.twitter.com/xsry9vz0Ww— Under the Breach (@underthebreach) 28 August 2019