AAEH Downloader Infection Recovery Guide
Date: 09 April 2015
The content of this report is for information purposes only. Links to websites not under the control of the Government of Canada are provided solely for the convenience of users. The Government of Canada is not responsible for the accuracy, currency or reliability of the content. Each individual user is to make decisions of use based on respective needs and technical capabilities.
The purpose of this product is to provide an overview of AAEH, a polymorphic downloader, and to provide guidance on how to recover from computer systems infected by it.
Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012
AAEH is a polymorphic downloader, also known as Beebone, Vobfus, VBObfus, or Changeup, that is capable of infecting its victims with additional malware, including banking Trojans, rootkits, fake anti-virus and crypto ransomware.
Discovered in 2009, this polymorphic downloader has remained prevalent by employing several techniques. Once installed, it can spread very quickly across networks, removable drives (USB/CD/DVD), and through zip and rar archive files. Its polymorphic capability allows it to avoid detection by constantly changing with every infection and morphing every few hours. Up to six new variants have been detected daily, with 2.25 million samples known to date.
A system infected with AAEH may be employed to distribute malware, harvest users' credentials for online services, including banking services, and extort money from users by encrypting key files and then demanding payment in order to return the files to a readable state. AAEH is capable of defeating anti-virus products by blocking connections to IP addresses associated with Internet security companies and by preventing anti-virus tools from running on infected machines.
CCIRC recommends that organizations review the following actions and consider their implementation in the context of their network environment.
- Ensure your anti-virus and gateway protections are up to date.
- Apply the principle of least privilege to the extent possible.
- If an infection is confirmed, CCIRC suggests considering reimaging the machine from a known clean image.
- If an infection has occurred and the malware has been confirmed to be removed, change all passwords for all accounts accessed from the previously infected computer. Because the downloaded payloads can include credential-harvesting banking Trojans, make these changes from a separate machine that is known to be clean. Accounts to consider include:
  - Banking and financial web sites.
  - Social media.
  - Account and email logins.
  - Remote access logins.
Removing AAEH Infections
Below is a list of third party tools that can be used to assist in removing AAEH infections. Due to the nature of the malware, the victim machine may be infected with additional malware such as Zeus, Cryptolocker, ZeroAccess, and Cutwail. CCIRC recommends taking this into consideration when implementing an eradication strategy.
The following links to popular tools are for information purposes only and should not be interpreted as an endorsement of any particular tool or technology:
http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)
http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP)
http://www.mcafee.com/stinger (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)
http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)
http://www.sophos.com/VirusRemoval (Windows XP-SP2 and above)
http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)
https://security.symantec.com/nbrt/npe.aspx (Windows XP and above)
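Because AAEH is reported to block connections to addresses associated with Internet security companies, a suspect machine may be unable to fetch the tools listed above even though the rest of its network access looks normal. The following PowerShell script is an added example (it is not part of the CCIRC advisory or of any vendor's tooling) that reports, for each vendor site above, whether the name resolves and whether a TCP connection to it can be opened, and lists any hosts-file line that names one of those sites. It assumes PowerShell 2.0 or later, that outbound 80/443 is otherwise permitted, and that the hosts file lives under %SystemRoot%\System32\drivers\etc; the hosts-file check is a general lead for "why can't this box reach its AV vendor", not a statement about the mechanism AAEH actually uses.

```powershell
# Added example, not code from the CCIRC advisory.
# Checks whether this Windows host can reach the removal-tool sites
# named in the advisory. Run it on the suspect machine and on a
# known-clean one; a site that fails only from the suspect machine is a
# sign its security-vendor connectivity is being interfered with.
# Assumption: PowerShell 2.0+, outbound 80/443 allowed by policy.

$vendorUrls = @(
    'http://www.f-secure.com/en/web/home_global/online-scanner',
    'http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142',
    'http://www.mcafee.com/stinger',
    'http://www.microsoft.com/security/scanner/en-us/default.aspx',
    'http://www.sophos.com/VirusRemoval',
    'http://www.trendmicro.com/threatdetector',
    'https://security.symantec.com/nbrt/npe.aspx'
)

# Assumed location of the hosts file (standard on all listed Windows versions).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsOverrides {
    param([string]$Path, [string[]]$Names)
    # Return non-comment hosts-file lines that pin any of $Names to an address.
    # The advisory does not say AAEH edits this file; treat a hit as a lead only.
    if (-not (Test-Path $Path)) { return @() }
    $hits = @()
    foreach ($line in (Get-Content $Path)) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        $fields = $trimmed -split '\s+'
        if ($fields.Length -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Length - 1)]) {
            if ($Names -contains $name.ToLower()) { $hits += $trimmed; break }
        }
    }
    return $hits
}

function Test-VendorReachable {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    # Resolve the name and open a TCP socket using .NET directly, so the
    # check also works on older hosts where Test-NetConnection (PS 4.0+) is absent.
    $result = New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; Resolved = $null; Connected = $false; Error = $null
    }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName)
        $result.Resolved = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
        $client = New-Object System.Net.Sockets.TcpClient
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)
            $result.Connected = $client.Connected
        } else {
            $result.Error = 'connect timeout'
        }
        $client.Close()
    } catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}

$hostNames = $vendorUrls | ForEach-Object { ([Uri]$_).Host.ToLower() } | Select-Object -Unique

"== hosts-file entries naming a vendor site =="
$overrides = @(Get-HostsOverrides -Path $hostsPath -Names $hostNames)
if ($overrides.Count -eq 0) { "none" } else { $overrides }

"`n== reachability from this host =="
foreach ($url in $vendorUrls) {
    $uri  = [Uri]$url
    $port = if ($uri.Scheme -eq 'https') { 443 } else { 80 }
    $r = Test-VendorReachable -HostName $uri.Host -Port $port
    # OK: TCP connect succeeded.  BLOCKED?: name resolved but no connection.
    # NO DNS: name did not resolve at all.
    $status = if ($r.Connected) { 'OK' } elseif ($r.Resolved) { 'BLOCKED?' } else { 'NO DNS' }
    "{0,-32} {1,-9} {2}" -f $r.Host, $status, (($r.Resolved, $r.Error) -join ' ')
}
```

Only run this on a suspect host that you have deliberately left with outbound access; if the machine has been isolated as part of containment, skip the reachability check and carry the tools over on media instead. Since AAEH spreads via removable drives, use media that is written on a clean machine and discarded or wiped afterwards rather than a shared USB key.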
International Police Operation Targets Polymorphic BeeBone Botnet
US-CERT Alert (TA15-098A) AAEH
Shadow Server AAEH/Beebone Botnet
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118