TECH

Avast Commandeers Cryptomining Botnet With 850,000 Systems

Avast announced on August 28 that it was able to remove the Retadup botnet, which used victims' computers to mine cryptocurrency for its operators, from an estimated 850,000 systems by exploiting a flaw with the command-and-control server. The security company worked with the Cybercrime Fighting Center of the French National Gendarmerie (one of the national police forces) as well as the FBI to "disinfect" the botnet.
Retadup was a malicious worm that could infect a computer, run a given command, and then work to infect other systems. Avast said that even though it was primarily used to mine cryptocurrency, it could've enabled other attacks on infected devices, so it had to avoid detection while it studied the botnet. The company was particularly concerned that Retadup would be used to distribute ransomware if its operators knew it was compromised.
 Exploiting a flaw in Retadup's command-and-control structure would enable Avast to remove malware without actually pushing their own updates to infected systems. (Kinda like issuing a self-destruct command rather than making a targeted attack.) That way it could help everyone whose systems were infected by Retadup instead of releasing a fix that would only be available to Windows users who also used its antivirus solution.
Handling the technical aspect of this "disinfection" process was only part of the battle, however, which is why law enforcement agencies in France and the U.S. were involved. Avast said it contacted the Cybercrime Fighting Center in March. Then it had to wait for the French police to receive permission to conduct the operation from a prosecutor, and in the meantime, it built new tools to monitor Retadup's activity surreptitiously.
 A prosecutor finally granted the Cybercrime Fighting Center permission to work with Avast on taking over Retadup's command-and-control server in July. Because part of the command-and-control infrastructure was also based in the U.S., the FBI got involved as well. Once all of the legal hurdles were cleared, Avast and its law enforcement partners were able to replace the Retadup command-and-control server with their own "sanitized" server.
Avast said that most of the 850,000 systems from which it is cleared Retadup to date were located in Latin America, running Windows 7 and not relying on any kind of antivirus solution. (With the clear implication, of course, being that they should've trusted Avast to keep 'em safe.) More information about how Retadup mostly escaped the security community's notice and how Avast was able to disrupt the massive botnet can be found in its blog post.

N. Mott