Botnets will sometimes lay low for a while and then, with the flick of a switch and some new code, come back to life, which is exactly what happened with the Andromeda botnet.
The bot resurfaced, spreading malware via spam email messages containing malicious attachments and links to compromised sites hosting Blackhole Exploit Kit code, said researchers at Trend Micro.
A new version of the Andromeda botnet started spreading different malware March 11, the researchers said.
“The Andromeda botnet — first spotted in late 2011 — has recently resurfaced,” said Trend Micro’s Romeo Dela Cruz on a blog.
“This threat arrives via a familiar means: Spammed messages with malicious attachments or links to compromised websites hosting. Andromeda itself is highly modular, and can incorporate various modules.”
The new version is capable of surreptitiously installing keyloggers on infected machines, Dela Cruz added.
Access to the botnet’s malware is selling on a number of cyber black markets for as little as $300, the researchers said.
The new version is significantly more dangerous than its predecessors, featuring several more infection, spying and anti-detection powers.
“One unusual aspect worth mentioning here is how Andromeda spreads via removable drives. Instead of simply dropping copies of itself, it drops component files instead,” Dela Cruz said.
“The ultimate payload of Andromeda depends entirely on the commands given from the command-and-control (C&C) server it connects to. This means that a wide variety of threats can be seen on affected systems.”
Trend Micro reported the top countries affected by the new Andromeda are Australia, Turkey, and Germany.
The botnet’s arrival follows widespread warnings that cyber criminals are developing new, more dangerous techniques.