- Sep 22, 2014
- 1,767
Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.
The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.
Our analysis of more than 44,000 malware samples uncovered Gamarue’s sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:
For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarue’s global prevalence.
Figure 1. Gamarue’s global prevalence from May to November 2017
While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.
Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017
In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.
Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections
The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.
Our analysis of more than 44,000 malware samples uncovered Gamarue’s sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:
- 1,214 domains and IP addresses of the botnet’s command and control servers
- 464 distinct botnets
- More than 80 associated malware families
- Petya and Cerber ransomware
- Kasidet malware (also known as Neutrino bot), which is used for DDoS attacks
- Lethic, a spam bot
- Info-stealing malware Ursnif, Carberp, and Fareit, among others
For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarue’s global prevalence.
Figure 1. Gamarue’s global prevalence from May to November 2017
While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.
Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017
In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.
Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections
