Although the FBI, Europol, Microsoft’s Digital Crimes Unit and several other companies and organizations took action against the Gamarue botnet in November last year, there are still 12 million Windows PCs infected with the malware. The information comes from Microsoft’s 23rd Security Intelligence Report.
Gamarue, also known as Andromeda, has been active since 2011 and is distributed through email attachments, social media, drive-by downloads and removable media. The malware allows cybercriminals to take full control of a victim’s computer. The infected computers, as part of the Gamarue botnet, were used for all kinds of criminal activities, such as DDoS attacks, spam and click fraud. Infected computers were sometimes also further infected with ransomware, banking malware or other types of malware.
Criminals could purchase several modules from the Gamarue owners, such as a keylogger, a rootkit, a form data capturer and a ‘Teamviewer’ module.
To take down the botnet, more than 1,200 domains were seized. These domains were used by Gamarue for command and control: the criminals behind the botnet communicated with the infected machines through them. After the seizure, the domains were pointed (sinkholed) to Microsoft-controlled servers, so that the infected computers connected to Microsoft’s servers instead. This allowed the software giant to map the number of infected Windows computers.
Last December, Microsoft counted 17 million Gamarue-infected computers, most of them located in India, Indonesia and Turkey. By February this number had declined to 12 million, a decrease of 30%. Although the botnet is no longer functional, the infected computers are still at risk.
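The counting described above works by aggregating the connections that infected hosts make to the sinkholed domains. The following PowerShell script is an added example of that kind of aggregation; it is not Microsoft’s sinkhole tooling or data. The log format, field names (`timestamp`, `src_ip`, `country`, `sinkhole_host`), the `Get-SinkholeSummary` function and every sample entry are constructed for this illustration.

```powershell
# Added example: estimating infected hosts per month from sinkhole connection logs.
# The CSV layout and all entries below are constructed; they are not real sinkhole data.
$sinkholeLog = @'
timestamp,src_ip,country,sinkhole_host
2017-12-03T08:15:01Z,203.0.113.10,IN,sink01
2017-12-03T08:15:07Z,203.0.113.10,IN,sink01
2017-12-03T09:02:44Z,198.51.100.7,ID,sink02
2017-12-04T11:20:13Z,192.0.2.55,TR,sink01
2017-12-05T14:41:58Z,203.0.113.77,IN,sink03
2018-02-01T07:10:02Z,203.0.113.10,IN,sink01
2018-02-02T16:33:21Z,198.51.100.7,ID,sink02
2018-02-03T18:05:49Z,192.0.2.201,TR,sink03
'@

function Get-SinkholeSummary {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [Parameter(Mandatory)][string]$Month   # 'yyyy-MM', matched against the timestamp prefix
    )
    $rows = $CsvText | ConvertFrom-Csv |
        Where-Object { $_.timestamp.StartsWith($Month) }

    # A host that beacons many times in a month is counted once.
    # Caveat: NAT hides several hosts behind one address and DHCP churn can
    # count one host twice, so the result is an estimate, not an exact host count.
    $unique = @($rows | Sort-Object src_ip -Unique)

    [pscustomobject]@{
        Month     = $Month
        Hosts     = $unique.Count
        ByCountry = ($unique | Group-Object country |
                     Sort-Object Count -Descending |
                     ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' '
    }
}

$dec = Get-SinkholeSummary -CsvText $sinkholeLog -Month '2017-12'
$feb = Get-SinkholeSummary -CsvText $sinkholeLog -Month '2018-02'
$dec, $feb | Format-Table -AutoSize

# Month-over-month change in estimated infected hosts, as a percentage.
$change = [math]::Round(100 * ($feb.Hosts - $dec.Hosts) / $dec.Hosts, 1)
"Change from $($dec.Month) to $($feb.Month): $change%"
```

With the constructed log the script reports four hosts in December and three in February; on real sinkhole data the same unique-source-per-period logic gives the kind of country breakdown and decline figure the report quotes, subject to the NAT and DHCP caveats noted in the comments.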
That is because the Gamarue malware tries to disable Windows Update, Windows Firewall and User Account Control (UAC). These Windows features cannot be re-enabled until the Gamarue malware has been removed from the computer.
Microsoft has stated that it is working with various partners on cleaning up the infected systems.
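A defender triaging a Windows host can check the three features named above directly. The script below is an added example of such a read-only check; it is not Microsoft’s tooling, and the `Test-CoreProtections` function name and the output layout are this example’s own. It uses the Windows Update service (`wuauserv`), the `Get-NetFirewallProfile` cmdlet and the `EnableLUA` registry value, which are the standard places these settings live.

```powershell
# Added example: read-only check of Windows Update, Windows Firewall and UAC state.
# Run in an elevated PowerShell session on the host being examined.
function Test-CoreProtections {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Windows Update service: a Disabled start type means updates cannot run.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if (-not $wu) {
        $findings.Add('Windows Update service (wuauserv) not found')
    } elseif ($wu.StartType -eq 'Disabled') {
        $findings.Add('Windows Update service (wuauserv) is Disabled')
    }

    # 2. Windows Firewall: each profile (Domain, Private, Public) should be enabled.
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        if ($p.Enabled -ne 'True') {
            $findings.Add("Firewall profile '$($p.Name)' is off")
        }
    }

    # 3. UAC: EnableLUA set to 0 turns User Account Control off entirely.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($enableLua -ne 1) {
        $findings.Add("UAC is off (EnableLUA=$enableLua)")
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$result = Test-CoreProtections
$result | Format-List
if (-not $result.Healthy) {
    # As the article notes, these settings stay off while the malware is present:
    # remove the infection first, then re-enable and re-run this check.
    Write-Warning 'One or more core protections are off. Clean the host before re-enabling them, then re-check.'
}
```

A host where all three checks pass is not thereby proven clean, but any of them failing on a machine that should have them on is a reason to scan it before touching the settings, since an active infection would switch them off again.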
Microsoft’s 23rd Security Intelligence Report (PDF) also mentions that the company scanned 400 billion email messages and more than 18 billion web pages each month over the last couple of months. The company also reports that it detected 180 to 200 million phishing emails between November 2017 and February 2018.