Andromeda botnet taken down after it took over millions of computers without owners' knowledge

The army of computers was used to pass on new viruses, experts said

Andrew Griffin
Tuesday 05 December 2017 11:56 EST
A programmer works on decrypting source code in Taipei, Taiwan. The attack hit systems in countries all over the world and there are fears hackers could strike again (EPA)


A huge "botnet" that was made up of millions of computers has finally been taken offline, according to authorities.

The malware system – known as "Andromeda" or "Gamarue" – was a whole host of computers that had been infected with a dangerous virus. Once one of the computers was hit with the malware, it became part of the huge botnet, which could then be used to spread further viruses.

Owners wouldn't know their computers had been recruited as part of the network. But hackers could control them remotely, using them to steal, destroy websites or spread malicious code.

The takedown of the Andromeda system is notable not only because it took over so many computers but also because it was used to spread further danger, with the computers' assembled power being harnessed to spread viruses across the internet.

The system was taken down through a joint operation involving Germany, the United States and Belarus. Authorities also recruited Microsoft to help locate and destroy the system, which was comprised of more than two million computers.

"Andromeda was one of the oldest malwares on the market," said the spokesman for Europol, the EU's law enforcement agency.

Authorities in Belarus said they had arrested a man on suspicion of selling malicious software and also providing technical support services. They did not identify the suspect.

Officers had seized equipment from his offices in Gomel, the second city in Belarus, and he was cooperating with the investigation, the country's Investigative Committee said.

Op Gen Oorth said the individual is suspected of being "a ringleader" of a criminal network surrounding Andromeda.

German authorities, working with Microsoft, had taken control of the bulk of the network, so that information sent from infected computers was rerouted to safe police servers instead, a process known as "sinkholing."

Information was sent to the sinkhole from more than 2 million unique internet addresses in the first 48 hours after the operation began on Nov. 29, Europol said.

Owners of infected computers are unlikely even to know their machines are infected, let alone take action. More than 55 percent of computers found to be infected in a previous operation a year ago are still infected, Europol said.
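The two figures above, the count of unique addresses reaching the sinkhole in the first 48 hours and the share of earlier victims still checking in, are the kind of numbers a sinkhole operator derives from its logs. The script below is an added example, not code from the article or from any agency involved: it assumes a simple constructed log format (timestamp, source address, requested domain) and computes both metrics from a few constructed sample lines.

```python
"""Sinkhole telemetry analysis (added example with constructed data).

A sinkhole receives the check-in traffic that infected machines would
otherwise send to the botnet's command servers. Counting distinct source
addresses in a window after the takeover estimates the victim population;
intersecting that set with a victim list from an earlier operation estimates
how many hosts were never cleaned. Log format, addresses and domain below
are all constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import Iterable, Iterator, Tuple

# Start of the operation as reported in the article (Nov. 29, 2017).
OPERATION_START = datetime(2017, 11, 29)

# Constructed log lines: "<ISO timestamp> <src_ip> <requested domain>"
SAMPLE_LOG = """\
2017-11-29T00:05:12Z 198.51.100.7 c2-placeholder.invalid
2017-11-29T03:15:44Z 203.0.113.9 c2-placeholder.invalid
2017-11-29T03:16:01Z 198.51.100.7 c2-placeholder.invalid
2017-11-30T10:00:00Z 192.0.2.44 c2-placeholder.invalid
2017-12-01T01:00:00Z 203.0.113.200 c2-placeholder.invalid
malformed line that must be skipped
2017-12-02T12:00:00Z 192.0.2.99 c2-placeholder.invalid
"""


def parse_log(lines: Iterable[str]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, src_ip) pairs, silently skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1]


def unique_victims(log_text: str, start: datetime, hours: int = 48) -> set:
    """Distinct source addresses seen in the window [start, start + hours)."""
    end = start + timedelta(hours=hours)
    return {ip for ts, ip in parse_log(log_text.splitlines()) if start <= ts < end}


def still_infected_ratio(previous: set, current: set) -> float:
    """Share of an earlier operation's victims that are still checking in."""
    if not previous:
        return 0.0
    return len(previous & current) / len(previous)
```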

Information about the operation has been gradually released by Europol, the U.S. Federal Bureau of Investigation and Belarus's Investigative Committee over the past two days.
