Avast and French police disinfect 850,000 PCs infected with Retadup malware after seizing command-and-control servers

A design error in Retadup's command-and-control protocol let security researchers remotely remove the malware from infected machines

The French National Gendarmerie, with help from anti-virus software maker Avast, has eliminated a botnet of 850,000 computers infected with the Retadup malware.

According to Avast, a design error in the communication protocol between Retadup and its command-and-control (C&C) server enabled its security experts to remove the malware from infected machines and to dismantle the entire botnet.

The Retadup malware was first spotted in 2017, when it was a simple Trojan that collected information about infected machines and sent the details to a remote server.

The most notable feature of the earlier versions of the malware was its worm-like propagation.

But in recent years, the operators of Retadup have added several new features to the malware, such as downloading and running a Monero cryptocurrency miner.

A few months before the takedown, Avast researchers started to examine the Retadup malware in detail. They found that most of the malware's infrastructure, including its command-and-control servers, was located in France.

The researchers also discovered that a design flaw in Retadup's communication protocol could be exploited to remove the malware from infected machines worldwide.

Avast then approached French authorities to seek their help in seizing the malware's command-and-control servers. In July, the French police received a green light from public prosecutors, meaning they could legally proceed with the operation.

The police then seized the Retadup servers and replaced them with a disinfection server that instructed any infected host that communicated with the server to remove the malware.

According to Avast, more than 850,000 infected computers checked in with the seized Retadup servers between 2nd July and 19th August, expecting new commands from the malware operators, and were instead instructed to remove the malware.

Avast found that most of the computers infected by Retadup were located in Latin America, including Peru, Venezuela, Ecuador, Bolivia, Mexico, Argentina, Colombia, and Cuba.

The primary reason the Retadup infection grew to such a scale was that nearly 85 per cent of all infected systems had no antivirus software installed at all, not even a free product such as those from Avast, Microsoft or Check Point Software's ZoneAlarm, which allowed the malware to operate undetected and unchecked.

Part of the botnet infrastructure was also located in the US; that portion was taken over by the FBI on 8th July.

According to Avast, Retadup's creators have now completely lost control over their botnet.