Andromeda Botnet Gets an Update

The Andromeda botnet is still active in the wild, and it is about to undergo a major update. The botnet was first reported back in 2011 but has recently risen to prominence because of the latest modifications to the threat.

At first it looked as if the Andromeda project would die, but the botnet's author found a successor (even though he did not officially retire). Here is the author's previous post, which basically says that if no buyer is found to take over the software, the service will be discontinued.

Online Post on Underground Forum

Just recently, however, I found that development of the Andromeda botnet is ongoing. The latest announcement was posted a short while ago and basically says that the Andromeda code is going to be updated heavily. Sales of plug-ins have been suspended so that the developers can focus on the new version. Here is a rough translation of the post (the original is in Russian) describing this major update:

Sales of all plug-ins are currently suspended.
The project is undergoing a global modernization. In the near future a few important but not visible changes will happen:
1. The admin panel will be updated. Externally it will remain the same, but the storage principle will change, which will reduce the load.
2. All plugins will undergo fundamental changes in both format and structure. Those who wrote plugins for Andromeda need to ping waahoo for further information.
3. Why such a change? First of all, it fixes the bugs and flaws that were found; secondly, because of the bugs found, the approach to plug-ins has to change completely so that this pain in the ass does not pop up in the future.
4. I am not going on vacation for a long time. For work on Andromeda or its purchase, please contact the author of the project.

The rootkit and SOCKS5 plug-ins, which are popular, are also now free of charge. Previously, the rootkit sold for $300 and SOCKS5 with BackConnect for $1000. BackConnect is a plug-in that turns an infected machine into a SOCKS5 proxy: it lets the criminal reach the infected machine directly through the machine's own IP address and a random port.
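The BackConnect behaviour described above has a network footprint a defender can look for: a host on the internal network that suddenly answers a SOCKS5 handshake on an arbitrary high port. The script below is an added example, not code from the original post or from Trend Micro; it parses the standard SOCKS5 client greeting and request formats from RFC 1928 (not anything specific to the Andromeda plug-in) and flags flows where a SOCKS5 greeting arrives on a port where no proxy is expected. The flow records and the allowed-port list are constructed for illustration.

```python
"""Flag SOCKS5 handshakes seen on ports where no proxy service is expected.

Added example. Wire format follows RFC 1928; flow records are constructed.
"""
import ipaddress
from dataclasses import dataclass

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Flow:
    """First client-to-server bytes of a TCP flow, as a sensor might record them."""
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_greeting(data: bytes):
    """Return the offered auth methods if data starts with a SOCKS5 greeting
    (VER NMETHODS METHODS...), else None. Note: a 2-3 byte prefix is a weak
    signal on its own; correlate with port and direction before alerting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_request(data: bytes):
    """Parse a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT).
    Returns a dict with cmd/addr/port, or None if malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        off, addr_len = 4, 4
    elif atyp == ATYP_IPV6:
        off, addr_len = 4, 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            return None
        off, addr_len = 5, data[4]          # length-prefixed hostname
    else:
        return None
    end = off + addr_len
    if len(data) < end + 2:
        return None
    raw = data[off:end]
    if atyp == ATYP_DOMAIN:
        addr = raw.decode("ascii", "replace")
    else:
        addr = str(ipaddress.ip_address(raw))
    port = int.from_bytes(data[end:end + 2], "big")
    return {"cmd": CMD_NAMES[cmd], "addr": addr, "port": port}


def flag_socks5_flows(flows, allowed_ports=frozenset({1080})):
    """Return alerts for flows that open with a SOCKS5 greeting on a port
    that is not on the allow list (e.g. a workstation suddenly proxying)."""
    alerts = []
    for f in flows:
        methods = parse_greeting(f.payload)
        if methods is None or f.dport in allowed_ports:
            continue
        alerts.append({"src": f.src, "dst": f.dst, "dport": f.dport,
                       "auth_methods": methods})
    return alerts


# Constructed sample flows: a legitimate proxy on 1080, a TLS hello on 443,
# and an inbound SOCKS5 greeting to a workstation on a random high port.
SAMPLE_FLOWS = [
    Flow("10.0.0.7", "198.51.100.23", 1080, b"\x05\x01\x00"),
    Flow("10.0.0.9", "10.0.0.10", 443, b"\x16\x03\x01\x00\x05"),
    Flow("203.0.113.5", "10.0.0.42", 52113, b"\x05\x02\x00\x02"),
    Flow("203.0.113.5", "10.0.0.42", 52113, b"\x05\x00"),  # NMETHODS=0: not valid
]

if __name__ == "__main__":
    for alert in flag_socks5_flows(SAMPLE_FLOWS):
        print("SOCKS5 greeting on unexpected port:", alert)
```

Running the script prints one alert, for the flow from 203.0.113.5 to 10.0.0.42 on port 52113. In a real deployment the allow list would come from an inventory of sanctioned proxies, and the direction (external source, internal destination on an ephemeral port) is the strongest part of the signal.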

As of this writing there is no definite date for the new version. Once it ships, however, this version of Andromeda is expected to be more stable and powerful than its predecessors and may come with more plug-ins.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 31 July 2013; the full text is available at the source linked above.