
Traces of Andromeda botnet still exist in PCs despite it being shut down last year

  • One in ten firms across the globe still have machines that contain traces of the botnet.
  • Asia and the Middle East are likely the most impacted.

Traces of the Andromeda botnet can still be found in many PCs despite the fact that it was dismantled by law enforcement authorities last year. The botnet is associated with 80 different malware families and had grown so large that it infected a million new machines in a month. Andromeda was distributed via social media, instant messaging, spam emails, exploit kits and more.

In December 2017, the FBI and Europol's European Cybercrime Centre (EC3) dismantled the widely distributed Andromeda botnet (also known as Gamarue). However, even after the botnet's infrastructure was successfully shut down, many PCs are still found to be infected with its malware.

"We're continuing to see hits on the Andromeda botnet. What that means is the governments have actually brought down the C&Cs which manage the infrastructure, but on the endpoints, that stuff still hasn't actually been cleaned up," Anthony Giandomenico, senior security strategist at Fortinet, told ZDNet.

One in ten firms have infected machines

The researchers at Fortinet confirm that one in ten firms across the globe still has machines that contain the botnet's malware, with Asia and the Middle East likely to be the most impacted. The botnet's prevalence in these regions is eight times higher than it is in Europe.

A botnet like this hijacks computers and joins them into a network that attackers can then use for malicious activities such as launching DDoS attacks, delivering malware and more. However, with its command-and-control servers taken down, the Andromeda-infected computers can no longer retrieve or carry out commands for the botnet.

Organizations need to be more proactive with their security procedures to combat such threats.

"What these organizations need to do is to define what their incident response processes are. The first simple step is having somebody monitor your firewalls, your intrusion prevention system, look for different types of alerts that are triggering," said Giandomenico, ZDNet reported. "That information is going to tell you what machines are triggering on those things, then you can go to those machines and start your cleanup process."
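A minimal version of that triage step, added here as an illustration and not code from Fortinet or ZDNet: it parses constructed firewall/IPS alert lines (the log format and the signature names are assumed, not any real product's output), groups them by the internal host that triggered them, and returns the hosts that need cleanup, most hits first.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in a simplified syslog-like key=value format.
# Hosts use private ranges, destinations use documentation ranges (RFC 5737),
# and the signature names are invented for this example.
SAMPLE_ALERTS = """\
2018-06-04T09:12:01Z ips src=10.20.1.15 dst=203.0.113.7 sig="Andromeda.Botnet.C2.Beacon" action=blocked
2018-06-04T09:12:44Z fw src=10.20.1.15 dst=203.0.113.7 sig="Andromeda.Botnet.C2.Beacon" action=blocked
2018-06-04T09:13:10Z ips src=10.20.2.40 dst=198.51.100.9 sig="Generic.Malware.Download" action=blocked
2018-06-04T09:15:02Z ips src=10.20.3.8 dst=203.0.113.7 sig="Andromeda.Botnet.C2.Beacon" action=blocked
2018-06-04T09:15:02Z ips src=10.20.1.15 dst=203.0.113.7 sig="Andromeda.Botnet.C2.Beacon" action=blocked
2018-06-04T09:16:30Z fw src=10.20.9.1 dst=192.0.2.2 sig="Policy.Violation.P2P" action=blocked
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) (?P<device>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'sig="(?P<sig>[^"]+)" action=(?P<action>\w+)$'
)


def parse_alerts(text):
    """Turn raw alert lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage_hosts(events, family="Andromeda"):
    """Return the internal hosts whose alerts name the given family, most hits first.

    Each entry carries the hit count, the signatures seen and the destinations
    contacted, which is what a responder needs to pick a machine and start cleanup.
    """
    hits = Counter()
    sigs = defaultdict(set)
    dsts = defaultdict(set)
    for e in events:
        if family.lower() in e["sig"].lower():
            hits[e["src"]] += 1
            sigs[e["src"]].add(e["sig"])
            dsts[e["src"]].add(e["dst"])
    return [
        {"host": h, "hits": n, "signatures": sorted(sigs[h]), "destinations": sorted(dsts[h])}
        for h, n in hits.most_common()
    ]


if __name__ == "__main__":
    for entry in triage_hosts(parse_alerts(SAMPLE_ALERTS)):
        print(f'{entry["host"]}: {entry["hits"]} hit(s) on {", ".join(entry["signatures"])}')
```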

Cyware Publisher