The brain behind some of the world's largest and oldest botnets has been arrested and his vast criminal infrastructure torn down, in part because of a careless operational security mistake that let authorities tie his anonymous online persona to a real person.
Authorities in the Republic of Belarus reported on Monday that they had arrested a participant in the Andromeda botnet network, which consisted of 464 separate botnets that have spread more than 80 different malware families since 2011. On Tuesday, researchers from the security firm Recorded Future published a blog post saying the participant was a 33-year-old Belarusian named Sergey Jarets.
To most people, Jarets was known only as "Ar3s", the handle of a well-respected elder in the criminal underground. In online discussions, Ar3s demonstrated his expertise in malware development and software reverse engineering. He also acted as an accredited guarantor for deals closed online. It turned out that the ICQ number the figure used as one of his main contact methods was registered on several whitehat discussion forums under the name Sergey Jaretz.
Recorded Future investigators said they eventually traced the figure to Jarets, who worked at OJSC "Televid" Tele-Radio Company, which broadcasts in the Rechitsa area of the Gomel region of Belarus. A LinkedIn profile shows that Jarets had been technical director of OJSC "Televid" since 2003 and, among other things, was responsible for the acquisition and maintenance of the company's computer network. The profile also showed that he obtained a degree in software engineering around 2012.
"Based on the analysis of Ar3s forum activity, linguistic patterns and photographic materials, Recorded Future identified him earlier as Sergey Jarets or Jaretz, a 33-year-old specialist residing in Rechitsa, Gomel region, Belarus," the blog authors wrote on Tuesday. The video below shows the man arrested by the Belarusian authorities:
Malware as a service
Andromeda was primarily a service sold to other online criminals to help them spread their malicious products quickly. It let customers create custom plug-ins for keylogging and rootkits for as little as $150, or could serve as a platform for installing existing malware, including the Petya and Cerber ransomware; the Neutrino bot for DDoS attacks; the information-stealing malware known as Ursnif, Carberp and Fareit; and the Lethic spam bot. The botnet depended on more than 1,200 domains and IP addresses to control infected computers. Over the past six months, Microsoft detected or blocked the Andromeda bot on more than one million computers per month on average.
In many cases, Andromeda's malware was able to disable firewalls, Windows updates and User Account Control, and to prevent users from turning them back on until a computer was disinfected. Microsoft said that Windows 10 machines were immune to this manipulation of the operating system. Andromeda also checked the keyboard language settings: if the language was one used in Belarus, Russia, Ukraine or Kazakhstan, the malware would halt the infection, most likely in an attempt to avoid a crackdown by the authorities of those countries.
Jarets' presumed use of an easy-to-trace ICQ number is a reminder of how easy it is to make operational security mistakes. Andromeda was also known by names such as Gamarue and Wauchos. Microsoft and the antivirus vendor Eset have more information about the botnet and the takedown here and here.