The cooperation of several companies has led to the destruction of the botnet

Security researchers from ESET in cooperation with Microsoft and download authorities - incl. with FBI, Interpol, Europol - they have eliminated the dangerous Wauchos botnet, also known as Gamarue / Andromeda, which since 2011 has infected computers of uninformed users around the world. The Wauchos botnet, subjected to multiple modifications, attacked over one million machines a month. Malware samples were distributed via social media, messengers, storage media, spam, as well as exploit kits.

The operation of neutralizing the Wauchos botnet was carried out at the turn of November and December this year. A dangerous network has been neutralized thanks to the joint work of ESET experts, Microsoft and the cooperation of international law enforcement agencies. ESET observed the modified botnet over the years, thanks to which it could identify controlled servers and installed software. Using the ESET Threat Intelligence service, the researchers built a special bot that could communicate with a remote server controlled by cybercriminals. Thanks to this program, experts from ESET and Microsoft have been able to monitor the botnet for the last 1.5 years, identifying its servers, and monitoring what software has been installed on victims' computers.

Map showing the period of the highest activity of the Wauchos botnet.

The Wauchos botnet is a computer network controlled by cybercriminals, which has been a global problem since at least September 2011. This botnet, also known as Gamarue / Andromeda, has been classified by experts from ESET as Win32 / TrojanDownloader.Wauchos.

The botnet, in recent years, was distributed among cybercriminals in underground forums, which resulted in multiple modifications. His new versions have become more and more advanced over time. They not only tried to bypass the security mechanisms of antivirus programs, but were also equipped with new functionalities, such as: spreading using USB portable memory, hiding in the system registry (in encrypted form), checking the keyboard language (if the malware detects Russian, Ukrainian, Belarusian or Kazakh, discontinuation of further infection).


Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.