French police have dismantled a huge cryptocurrency-mining botnet that had infected nearly 900,000 computers. The malware, known as Retadup, takes control of a computer and mines cryptocurrency on it, draining the victim's CPU. The malware was only used to make money; however, it could just as easily have been used to deliver other malicious code such as ransomware or spyware. Retadup also behaves like a worm: it can spread on its own to other computers, infecting one after the next.
Since it first appeared, the malware has spread around the world, including to Russia, South America, and the United States. Cybersecurity company Avast described the takedown as a success. The antivirus firm became involved after it discovered a design flaw in the malware's command and control (C&C) protocol. Avast researchers said that, if the flaw were exploited, it would enable them to "remove the malware from its victims' computers" without deploying any code of their own to the affected PCs. This would have shut down the mining operation, but the researchers did not have the legal authority to carry out the operation themselves, since most of the malware's infrastructure was located in France.
Avast contacted the French police, and after prosecutors gave the green light in July, the police went ahead with the operation to seize control of the server and remove the malware from the infected PCs. According to the police, the botnet was among the largest networks of hijacked computers in the world.
The takedown began with the team quietly obtaining a copy of the malware's command and control server with help from its hosting provider. They had to proceed carefully so that the malware's operators did not notice the plan and retaliate.
“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” said the Avast team. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”
The team then built their own version of the command and control server, one that disinfected the infected computers connecting to it instead of feeding them commands.
The police replaced the malicious server with “a prepared disinfection server that made connected instances of Retadup self-destruct,” Avast said in a blog post. “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw.”
The operation resulted in the removal of the malware from more than 850,000 computers.