A collaboration between a French antivirus company and authorities has stopped a two-year-old malware operation in its tracks.
Reports are beginning to surface of a collaboration between French antivirus company Avast and the French National Gendarmerie police that recently stopped a wide-scale malware operation in its tracks. Their target: the Retadup malware gang. In the process of investigating, Avast and the Gendarmerie were able to wipe the malware from hundreds of thousands of infected computers worldwide.
According to ZDNET, “as a result of gaining access to this infrastructure, Avast and French authorities used the criminal gang’s command and control (C&C) servers to instruct the Retadup malware to delete itself from infected computers, effectively disinfecting over 850,000 Windows systems without users having to do anything.”
Avast has published a report stating that the majority of the Retadup victims were located in Latin America, which became apparent when its researchers began their investigation in March this year. Avast’s researchers soon discovered a design flaw in the communications protocol of Retadup’s servers, which gave them the ability to issue a command instructing the malware to delete itself.
“Since the Retadup malware’s C&C servers were located in France, Avast approached French authorities, who agreed to help, and seized the crook’s servers,” writes Catalin Cimpanu. “Once Avast and French officials had the Retadup servers in their hands, they replaced the malicious ones with copies that instructed any infected host which connected to the server to delete itself.”
Over the following 45 days, 850,000 previously infected systems connected to Retadup’s C&C servers seeking new instructions from the malware’s operators.
According to Avast’s statistics, Peru was hit with the largest share (35%) of Retadup’s infections, while Venezuela, Bolivia, Ecuador, Mexico, Colombia, Argentina and Cuba accounted for 85% of Retadup’s activities.
Reports show that “French authorities also received help from the FBI after Avast found that some parts of the Retadup infrastructure were also hosted in the US. Those servers have also been taken down and Avast said the Retadup creators lost complete control over their botnet on July 8, after the FBI intervened.”