
Disruptions and More Information

Columns: Malware | Disruption date | Short description (you can also reference the Windows Defender Security Intelligence threat encyclopedia for more details) | Links for more information

Gamarue (November 2017)
Short description:
• Also known as Andromeda
• Sold as a crime kit on the dark web with additional modules that could be added
• Steals user names and passwords, disables security protections, and blocks Windows Update
• Spreads through USB flash drives, instant messaging programs, email, and social networks
• Installs other malware types such as backdoors, downloaders, remote access tools, worms, and spam bots; a Gamarue-infected system could be infected with dozens of additional types of malware
Links for more information:
• Microsoft blog: Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)
• Newsroom: Andromeda dismantled in international operation
• Geekwire: Microsoft releases new details on Gamarue malware botnet and its 'sprawling infrastructure'

Avalanche (November 2017)
Short description:
• Used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns
• Steals user names and passwords, launches denial of service (DoS) attacks, distributes other malware families, and targeted over 40 major financial institutions
• Installs other malware types such as backdoors, downloaders, remote access tools, worms, spam bots, and click fraud
Links for more information:
• Europol newsroom: 'Avalanche' network dismantled in international cyber operation
• Europol infographic: Operation Avalanche

Barium (November 2017)
Short description:
• Targets high-value organizations holding sensitive data by gathering extensive information about their employees through publicly available information and social media, then using that information to fashion phishing attacks
Links for more information:
• Microsoft blog: Detecting threat actors in recent German industrial attacks with Windows Defender ATP
• Courthouse News: Microsoft asks judge to take down Barium

Strontium (August 2016)
Short description:
• Also known as APT 28
• Leveraged Microsoft-like domains for spear phishing attacks, enabling the criminals to install a remote access kit that could be used to exfiltrate sensitive data
Links for more information:
• Microsoft blog: Our commitment to our customers' security
• ArsTechnica: Microsoft shuts down phishing sites, accuses Russia of new election meddling
• Bloomberg: Microsoft embraces role as anti-hacking enforcer
• Wired: How Microsoft tackles Russian hackers - and why it's never enough

Dorkbot (December 2015)
Short description:
• Steals user names and passwords, disables security protection, blocks websites related to security updates, and launches a limited denial of service (DoS) attack
• Spreads through USB flash drives, instant messaging programs, and social networks
• Installs other malware types such as backdoors, downloaders, remote access tools, worms, spam bots, and click fraud
Links for more information:
• ZDNet: Microsoft, law enforcement disrupt sprawling Dorkbot botnet
• Threatpost: Microsoft, law enforcement collaborate in Dorkbot takedown

Simda (April 2015)
Short description:
• The Simda.AT variant first appeared in 2012 and caused significant damage to users through the manipulation of internet traffic and the spread of other malware
• Simda's function has ranged from a simple password stealer to a complex banking trojan
Links for more information:
• Interpol news: Interpol coordinates global operation to take down Simda botnet

Ramnit (February 2015)
Short description:
• Online banking fraud malware that impacted 3.2M unique IPs across 195 countries
• First detected as a worm; spread very quickly due to aggressive self-propagation using phishing emails and social networking sites
• Evolved to a Trojan, then to an extensive botnet, ramped up by the leaked source code of the Trojan back in 2011
• Its web-injected spy module, or hook-spy module, would monitor web browsing history, inject additional fields into banking websites, and collect bank credentials
Links for more information:
• Microsoft blog: Breaking up a botnet - How Ramnit was foiled
• CRN: Symantec, Microsoft support global Ramnit botnet takedown

Caphaw (July 2014)
Short description:
• The Caphaw malware family targeted banks and their customers in Europe
• It could give a malicious actor access to and control of your PC
• Caphaw targeted several high-profile European banks to steal online banking details
• It used social engineering tactics to infect devices with information-stealing components through Facebook, YouTube, Skype, removable drives, and drive-by downloads
Links for more information:
• Microsoft blog: Microsoft partners with financial services industry on fight against

Bladabindi & Jenxcus (B106) (June 2014)
Short description:
• A pervasive family of malware that put millions of customers at risk
• The social media-savvy cybercriminals promoted their wares across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims' computers to conduct illicit crimes
• Spread through infected removable drives, such as USB flash drives; can also be downloaded by other malware
Links for more information:
• Microsoft blog: Microsoft takes on global cybercrime epidemic in tenth malware disruption
• eWeek: Microsoft takes down Bladabindi and Jenxcus

Game Over Zeus (June 2014)
Short description:
• The primary purpose of the malware was to hijack victims' online banking sessions for monetary purposes; it was also used in conjunction with ransomware
Links for more information:
• Microsoft blog: Microsoft helps FBI in GameOver Zeus botnet cleanup
• FBI news: GameOver Zeus botnet disrupted: Collaborative effort among international partners
• KrebsonSecurity: '' targets 'Gameover' ZeuS botnet, CryptoLocker scourge

ZeroAccess aka Sirefef (December 2013)
Short description:
• The primary purpose of this malware is to generate money through pay-per-click fraud
• A multi-component family of malware that moderates your internet experience by changing search results, generating pay-per-click advertising revenue for its controllers
• It directed users to potentially dangerous websites that could install malware, steal personal information, or fraudulently charge businesses for online advertisement clicks
Links for more information:
• Microsoft blog: Microsoft, the FBI, Europol and industry partners disrupt the notorious ZeroAccess botnet
• Microsoft blog: ZeroAccess criminals wave white flag: The impact of partnerships on cybercrime
• ArsTechnica: Microsoft disrupts botnet that generated $2.7M per month for operators - https://arstechnica.com/information-technology/2013/12/microsoft-disrupts-botnet-that-generated-2-7m-per-month-for-operators/
• Reuters: Microsoft leads disruption of largest infected global PC network

Citadel (June 2013)
Short description:
• Citadel has the ability to log an infected machine's keystrokes, stealing password and banking information
• Citadel could also perform man-in-the-middle attacks, prompting infected machines' users to give up personal banking information when the victim visited an otherwise legitimate website, through popups and web traffic monitoring
Links for more information:
• Microsoft blog: Microsoft works with financial services industry leaders, law enforcement and others to disrupt massive financial cybercrime ring
• Department of Justice news: Russian citizen who helped develop the "Citadel" malware toolkit is sentenced
• Dark Reading: Microsoft, FBI trumpet Citadel botnet takedowns

Bamital (February 2013)
Short description:
• Bamital intercepts web traffic on an infected machine and redirects clicks to advertising sites which paid the criminals for the traffic
• It is often installed via drive-by downloads
• It redirects users to sites they were not intending to visit, taking control away from the user and leaving them vulnerable to other targeted attacks such as identity theft and additional malware infections
Links for more information:
• Microsoft blog: Microsoft and Symantec take down Bamital botnet that hijacks online searches
• Microsoft blog: Bamital botnet takedown is successful; cleanup underway
• KrebsonSecurity: Microsoft, Symantec hijack 'Bamital' botnet

Nitol (September 2012)
Short description:
• Trojan virus usually installed with other corrupted software downloaded from peer-to-peer file shares
• Nitol can use an infected computer to perform distributed denial of service (DDoS) attacks without the affected machine's owner(s) knowledge
Links for more information:
• Microsoft blog: Microsoft disrupts the emerging Nitol botnet being spread through an unsecure supply chain
• Microsoft blog: Microsoft reaches settlement with defendants in Nitol case
• KrebsonSecurity: Microsoft disrupts 'Nitol' botnet in piracy sweep

Zeus aka Zbot (March 2012)
Short description:
• Keylogging botnet, recording every keystroke and gaining access to usernames and passwords to steal victims' identities, withdraw money from bank accounts, and make online purchases
• Primarily distributed through spam and drive-by downloads
Links for more information:
• Microsoft blog: Microsoft and financial services industry leaders target cybercriminal operations from Zeus botnets
• Microsoft blog: Microsoft names defendants in Zeus botnets case; provides new evidence to FBI
• FBI news: Cyber criminal pleads guilty to developing and distributing notorious SpyEye malware
• Wired: Alleged 'SpyEye' botmaster ends up in America, handcuffs

Kelihos (September 2011)
Short description:
• Communicates with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information, or downloading and executing arbitrary files
Links for more information:
• Microsoft blog: Microsoft neutralizes Kelihos botnet, names defendant in case
• Microsoft blog: Microsoft reaches settlement with Piatti, dotFREE Group in Kelihos case
• Microsoft blog: Microsoft names new defendant in Kelihos case
• Microsoft blog: Update on Kelihos and new related malware
• CRN: Microsoft says ex-antivirus maker ran botnet

Rustock (March 2011)
Short description:
• Responsible for sending upwards of 30 billion spam emails a day
• DCU researchers observed a single Rustock-infected computer send 7,500 spam emails in just 45 minutes, for a rate of 240,000 spam mails per day
Links for more information:
• Microsoft blog: Taking down botnets: Microsoft and the Rustock botnet
• Microsoft blog: Microsoft releases new threat data on Rustock
• Microsoft blog: Microsoft offers reward for information on Rustock
• Microsoft blog: Rustock civil case closed: Microsoft refers criminal evidence to FBI
• ArsTechnica: How Operation b107 decapitated the Rustock botnet

Waledac (February 2010)
Short description:
• Collects e-mail addresses found on the computer on which it is installed and distributes spam e-mail messages
• Ability to download and execute arbitrary files, harvest email addresses from the local machine, perform denial of service attacks, proxy network traffic, and sniff passwords
Links for more information:
• Microsoft blog: Cracking down on botnets
• Microsoft blog: R.I.P. Waledac: Undoing the damage of a botnet
• The Guardian: Microsoft goes to court to take down the Waledac botnet

Conficker (November 2008)
Short description:
• The worm spread through USBs and the internet. Once infected, a computer would then infect others within its common network, assisting the criminals in sending further spam/malware
Links for more information:
• Microsoft blog: Microsoft collaborates with industry to disrupt Conficker worm