Cybergendarmerie performs an autopsy on the destruction of a botnet network

In Lille, at the International Cybersecurity Forum, Futura met the cybergendarme in charge of neutralizing one of the largest botnets in the world. He reveals the inside story of this feat of arms.

ANSSI, Ministry of the Armed Forces, Ministry of the Interior: the French State and its specialized cyber defense and cybersecurity services have impressive stands at the International Cybersecurity Forum (FIC). On the gendarmerie side are the representatives of the Centre for Combating Digital Crime (C3N), and it is a maréchal des logis (a non-commissioned officer) who wishes to remain anonymous who welcomes Futura. The soldier took part in one of the greatest feats of arms of the French cyber forces. He even led the team of cyber fighters that neutralized one of the largest botnets on the planet last August.

For Futura, he took the time to dissect what really happened during this investigation and this neutralization, which was not always well interpreted by the media.

Retadup is first of all the name of a malware that has contaminated more than 1.3 million computers on the planet to form a giant botnet. The infection vector was mainly transmission via USB keys. And, according to the gendarme, "the malware was mainly used to perform cryptomining operations to generate Monero".

To explain its dangerousness, the non-commissioned officer uses warlike language, describing the botnet as a "real cyber weapon of mass destruction" because of its firepower. Its size is much larger than that of the botnet which generates 70% of spam traffic, and the Retadup malware could have been used to carry out many other abuses far worse than generating cryptocurrency.

The director of the cell who neutralized Retadup explains the progress of the investigation.  © Futura

A unique combination

This botnet was discovered by Avast at the start of 2019. The security software publisher found that 200,000 of its customers had been infected with this virus. But it is above all the unprecedented cooperation between Avast and the gendarmerie that makes this feat of arms a first. Two years earlier, at Botconf, a cybersecurity conference where the colonel in charge of the C3N was present, he had announced that he wanted antivirus publishers to collaborate with the gendarmerie if a botnet was detected. A statement Avast remembered.

Luckily, although it moved regularly from country to country, the Command & Control (C&C) server that piloted the botnet happened to be hosted in France at the time. The prosecutor therefore called on the experts to conduct a search. This is how they were able to make a clone of the C&C to analyze it without disturbing the functioning of the botnet. "We were thus able to observe that the infected computers were connecting every 30 seconds to the C&C to receive new instructions. If there was no update, they would resume their previous task," explains the gendarme.
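The 30-second check-in the gendarmes observed is the kind of regularity a defender can hunt for in flow or proxy logs. The following is an added example, not code from the article or from the C3N investigation: it parses constructed flow records (placeholder addresses), measures the inter-arrival jitter per source/destination pair, and flags pairs that poll with a stable period.

```python
"""Periodic-beacon detection over constructed flow records."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flow records: "timestamp src dst dport" (placeholder addresses).
# 10.0.0.5 polls one server every ~30 s; 10.0.0.9 browses irregularly.
FLOW_LOG = """\
2019-08-01T10:00:00 10.0.0.5 203.0.113.7 80
2019-08-01T10:00:30 10.0.0.5 203.0.113.7 80
2019-08-01T10:01:00 10.0.0.5 203.0.113.7 80
2019-08-01T10:01:31 10.0.0.5 203.0.113.7 80
2019-08-01T10:02:00 10.0.0.5 203.0.113.7 80
2019-08-01T10:02:30 10.0.0.5 203.0.113.7 80
2019-08-01T10:03:00 10.0.0.5 203.0.113.7 80
2019-08-01T10:00:05 10.0.0.9 198.51.100.3 443
2019-08-01T10:00:07 10.0.0.9 198.51.100.3 443
2019-08-01T10:00:50 10.0.0.9 198.51.100.3 443
2019-08-01T10:02:10 10.0.0.9 198.51.100.3 443
2019-08-01T10:02:12 10.0.0.9 198.51.100.3 443
2019-08-01T10:03:40 10.0.0.9 198.51.100.3 443
2019-08-01T10:03:41 10.0.0.9 198.51.100.3 443
"""


def parse_flows(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(flows, min_hits=6, max_jitter=0.15):
    """Return (src, dst, dport, period_s) for pairs polling at a stable rate.

    jitter = median absolute deviation of the gaps / median gap; a bot that
    sleeps a fixed interval between check-ins has near-zero jitter, while
    human browsing produces bursts and long idle stretches.
    """
    hits = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        mad = median(abs(g - med) for g in gaps)
        if mad / med <= max_jitter:
            hits.append((*key, med))
    return hits


if __name__ == "__main__":
    for src, dst, dport, period in beacon_candidates(parse_flows(FLOW_LOG)):
        print(f"beacon candidate: {src} -> {dst}:{dport} every {period:.0f}s")
```

Real beacons usually add random sleep, so tune max_jitter and min_hits against baseline traffic before alerting on it.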

“We have not disinfected”

"I did the forensic analysis and found 11 versions of the malware on the server. Only the last one was active, but our technical unit discovered that all of them had a design flaw," added the soldier. "So we found a trick that the designers of Retadup had not thought of.

To reprogram the virus, a file containing the new instructions was sent by the C&C. So we had the idea of making the malware, which connected every 30 seconds, believe that a file was available, and it went into update mode. The thing is, the file in question was empty," details our contact. After extensive testing, and with the prosecutor's authorization, the gendarmes replaced the malicious server before it could be moved to another country, and the scheme worked.