Europol kills off shape-shifting ‘Mystique’ malware
Shape-shifting malware that changes its identity up to 19 times a day to avoid detection has been deactivated by Europol's European Cybercrime Centre and the FBI.
At its height in September 2014 the malware, called Beebone, was controlling 100,000 computers a day.
Criminals used it to help steal passwords and download other programs to the infected computers.
Around 12,000 victims are being asked to use new online clean-up tools to remove it.
Once on a victim’s computer, Beebone operates like a downloader application that can be controlled by the suspected criminal gangs behind the program.
It was used to force victims’ PCs to fetch other malware from the internet including password stealers, ransomware, rootkits, and programs designed to take down legitimate websites.
Computer security firm Intel Security, which helped law enforcement agencies to stop the malware, said it had seen Beebone change its identity up to 19 times per day to evade traditional signature-based anti-virus detection.
Intel Security's chief technology officer Raj Samani told the BBC: "Beebone is highly sophisticated. It regularly changes its unique identifier, downloading a new version of itself, and can detect when it is being isolated, studied, or attacked.
"It can successfully block attempts to kill it."
Operation Beebone was carried out by the Joint Cybercrime Action Taskforce (J-CAT), hosted at Europol to tackle cross-border internet crime. The team finally neutralised the malware by cutting it off from the command-and-control servers on the internet that issued its instructions.
Nearly 100 .com, .net and .org domains have been "sinkholed": the domains' DNS records were redirected so that traffic the infected machines send towards the gang's control servers arrives instead at servers run by the investigating authorities. This lets investigators observe how the malware behaves and intercept its requests for further instructions.
The FBI handled the redirection of most of the domains used by the gangs because they were operated from the United States and so fall under US jurisdiction.
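As an added illustration of the sinkholing described above (example code, not the article's or the taskforce's), the following Python models the two defender-side steps: generating Unbound resolver entries that redirect seized domains to a sinkhole address, and mining the sinkhole's request log for the infected clients that keep asking for instructions. The domain names, the sinkhole address and the log lines are constructed for the example, as is the log format (Apache combined format with the requested host name appended), and the crawler filter is a heuristic, not a published rule.

```python
"""Model of a DNS sinkhole: resolver redirection plus victim identification.

Added example, not code from the article or the taskforce. Every domain,
address and log line below is constructed for illustration.
"""
import re

# Constructed stand-ins for domains an infected client contacts for instructions.
SEIZED_DOMAINS = [
    "c2-update.example.com",
    "dl.example.net",
    "beacon.example.org",
]
# Sinkhole server address, taken from the RFC 5737 documentation range.
SINKHOLE_IP = "192.0.2.10"


def unbound_sinkhole_config(domains, sinkhole_ip):
    """Emit Unbound local-zone/local-data entries that answer queries for
    each seized domain, and any name under it, with the sinkhole address."""
    lines = ["server:"]
    for d in domains:
        zone = d.rstrip(".") + "."          # Unbound wants fully qualified names
        lines.append(f'    local-zone: "{zone}" redirect')
        lines.append(f'    local-data: "{zone} A {sinkhole_ip}"')
    return "\n".join(lines) + "\n"


# Constructed log format: Apache combined format with the requested host appended.
LOG_FORMAT = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)

# Constructed sinkhole web-server log: two infected clients, one crawler, one junk line.
SAMPLE_LOG = """\
198.51.100.23 - - [08/Apr/2015:10:15:02 +0000] "GET /gate.php?id=7f3a HTTP/1.1" 200 0 "-" "Mozilla/4.0" c2-update.example.com
203.0.113.8 - - [08/Apr/2015:10:15:09 +0000] "POST /cmd HTTP/1.1" 200 0 "-" "Mozilla/4.0" dl.example.net
198.51.100.23 - - [08/Apr/2015:10:45:02 +0000] "GET /gate.php?id=7f3a HTTP/1.1" 200 0 "-" "Mozilla/4.0" c2-update.example.com
192.0.2.77 - - [08/Apr/2015:10:46:11 +0000] "GET /robots.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0 (crawler)" beacon.example.org
this line is not a log entry
"""

# Heuristic: paths that web crawlers fetch, which a downloader bot never asks for.
CRAWLER_PATHS = {"/robots.txt", "/favicon.ico"}


def infected_hosts(log_text, seized_domains):
    """Return {client_ip: {"requests": n, "domains": [...]}} for every client
    that asked a sinkholed domain for instructions.

    Malformed lines are skipped, requests to non-seized hosts are ignored, and
    crawler-style requests are dropped so the notification list handed to ISPs
    is not padded with scanners that also stumble onto the sinkhole."""
    seized = {d.rstrip(".").lower() for d in seized_domains}
    per_ip = {}
    for line in log_text.splitlines():
        m = LOG_FORMAT.match(line)
        if not m:
            continue
        host = m["host"].rstrip(".").lower()
        if host not in seized and not any(host.endswith("." + d) for d in seized):
            continue
        if m["path"] in CRAWLER_PATHS:
            continue
        entry = per_ip.setdefault(m["ip"], {"requests": 0, "domains": set()})
        entry["requests"] += 1
        entry["domains"].add(host)
    return {
        ip: {"requests": e["requests"], "domains": sorted(e["domains"])}
        for ip, e in per_ip.items()
    }


if __name__ == "__main__":
    print(unbound_sinkhole_config(SEIZED_DOMAINS, SINKHOLE_IP))
    for ip, info in sorted(infected_hosts(SAMPLE_LOG, SEIZED_DOMAINS).items()):
        print(ip, info["requests"], ",".join(info["domains"]))
```

The resolver half is what a network owner can do locally with the same domain list once it is published: clients that resolve a seized name get the sinkhole address instead of the gang's server. The log half is the step the article alludes to when it says ISPs will be handed a list of suspected victims: each source address that repeatedly fetches instructions from a seized domain is one machine to notify, while crawler noise and malformed lines are filtered out before the list is produced.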
The operation also involved private security firms Intel Security, Kaspersky Lab and Shadowserver. The taskforce now believes it has isolated the morphing malware so that the criminals can no longer make use of it.
Head of operations at the European Cybercrime Centre, Paul Gillen told the BBC the agency would now look at whether those behind the attacks could be identified and brought to justice. He admitted the solution the taskforce had found was not a permanent one: "We can't sinkhole these domains forever. We need those infected to clean up their computers as soon as possible."
Several security vendors, including F-Secure, Trend Micro, Symantec and Intel Security, have released free tools to remove the Beebone malware.
But victims need to first realise they have the malware on their systems before they can download the removal tool.
Raj Samani said those who have the malware "will be notified by their internet service provider".
ISPs in each affected country will be handed a list of suspected victims to contact by the taskforce.