The mastermind behind some of the world’s biggest and longest-running botnets has been jailed and his vast criminal infrastructure taken down, in part because of a careless operational security blunder that allowed authorities to identify his anonymous online persona.
Officials from the Republic of Belarus reported Monday they detained a participant in the sprawling Andromeda botnet network, which was made up of 464 separate botnets that spread more than 80 distinct malware families since 2011. On Tuesday, researchers with security firm Recorded Future published a blog post that said the participant was a 33-year-old Belarusian named Sergey Jarets.
To most people, Jarets was known only as “Ar3s,” the moniker assigned to a highly respected elder in the criminal underground. In online discussions, Ar3s demonstrated expertise in malware development and the reverse-engineering of software. He also acted as a reputable guarantor of deals that were hashed out online. As it turned out, the ICQ number of the figure he used as one of his primary contact methods was registered in several whitehat discussion forums to one Sergey Jaretz.
Recorded Future researchers said they eventually tracked the figure down to Jarets, who worked at OJSC “Televid” Tele-Radio Company, which broadcast throughout the Rechitsa area in the Gomel Region of Belarus. This LinkedIn profile shows Jarets was a technical director of OJSC “Televid” since 2003 and, among other things, was responsible for procurement and maintenance of the company’s computer network. The profile also showed he obtained a degree in software engineering around 2012.
“Based on the analysis of Ar3s’s forum activities, linguistic patterns, and photo materials, Recorded Future earlier identified him as Sergey Jarets or Jaretz, a 33-year-old male residing in Rechitsa, Gomel Region, Belarus,” the authors of Tuesday’s blog post wrote. The video below shows the man Belarusian authorities detained:
Malware as a service
Andromeda was primarily a service provided to other online criminals that made it easy for them to quickly spread their malicious wares. It allowed customers to build custom plug-ins for keylogging and rootkits for as little as $150, or it could serve as a platform for installing existing malware, including the Petya and Cerber ransomwares; the Neutrino bot for DDoS attacks; information-stealing malware known as Ursnif, Carberp, and Fareit; and the Lethic spam bot. The botnet network relied on more than 1,200 domains and IP addresses to control infected computers. Over the past six months, Microsoft detected or blocked the Andromeda bot on more than one million computers every month on average.
In many cases, the Andromeda malware was able to turn off firewalls, Windows updates, and User Account Control functions and prevent users from turning them back on until a computer was disinfected. Microsoft said Windows 10 machines were immune from the OS-tampering. Andromeda also recorded the keyboard-language settings. In the event the languages corresponded to Belarus, Russia, Ukraine, or Kazakhstan, the malware would suspend infection operations, most likely in an attempt to prevent authorities in those countries from cracking down.
Jarets’ alleged use of an easily traced ICQ number is a reminder of just how easy it is to make operational security mistakes. Andromeda also went by names including Gamarue and Wauchos. Microsoft and antivirus provider Eset have more information about the botnet and the takedown here and here.