French Police Destroy International Botnet

Measles might be on the rise, but thanks to a tip and some digital legwork by French police, the world has one fewer digital virus to worry about.

Hidden in emails that promised erotic photographs or get-rich-quick schemes, the Retadup virus managed to infect at least 850,000 computers around the world, creating an international botnet that was mainly controlled from France.

Once an infected email was opened, the hackers were able to remotely control the computer, using it to mine cryptocurrency and to extort money through ransomware.

Infected USB drives were also used to spread the virus, which struck Windows computers in over 100 countries, hitting hardest in Central and South America.

The criminals who set the botnet up in 2016, and who remain at large, are thought to have made millions of euros from their fraudulent activities. 

Retadup malware was first sighted in 2017 doing the rounds as a Trojan that attempted to collect information from infected computers and send it to a remote server. The operators later upgraded the malware, adding the ability to download and run a Monero cryptocurrency miner.

Following a tip-off from antivirus software manufacturer Avast, France's digital crime-fighting center C3N was able to locate and dismantle a pirate server near Paris that was used to send out the virus.

Avast researchers discovered a design flaw in Retadup's communication protocol that could be exploited to remove the virus. Using this information, the C3N team built a replica server that instructs any host infected with Retadup to remove the malware. 

C3N was assisted in its efforts by America’s FBI, which took over a US-based part of the botnet infrastructure, redirecting traffic to the replica server. 

So far, 850,000 infected computers have communicated with the replica server, but the total number of machines infected with Retadup may yet increase. The replica server will continue to run in an effort to disinfect virus-carrying computers that may not have logged on in the past few weeks. 

Speaking on France Inter radio, C3N chief Jean-Dominique Nollet underlined the significance of his team's efforts. 

He said: "People may not realize it, but 850,000 infected computers means massive firepower, enough to bring down all the [civilian] websites on the planet."

What’s hot on Infosecurity Magazine?