The Retadup malware, the target of the operation, has spread around the world but was particularly active in South America. It infects computers and uses their processing power to mine for cryptocurrency without the knowledge of the device's owner. This malware was particularly concerning because it is "wormable," meaning it can propagate from one computer to another.
The police were able to hijack the malware after the Avast security firm discovered a flaw in its command and control (C&C) server. Although Avast is headquartered in the Czech Republic, it contacted the French police as most of the servers hosting the malware were located in France.
Avast described the process of identifying the flaw, passing this information to the police, and instructing the police on how to repurpose the botnet to turn the C&C server into a disinfection server in a blog post. By taking over the C&C server and using it to distribute a malware removal script, the police could remove the malware from users' computers automatically, with no user action required.
"The disinfection server responded to incoming bot requests with a specific response that caused connected pieces of the malware to self-destruct," Avast representative Jan Vojtěšek said in the post. "At the time of publishing this article, the collaboration has neutralized over 850,000 unique infections of Retadup."
Even with Retadup cleaned up, malware which deploys crypto-mining scripts continues to be a security concern. Browsers like Firefox have plans to launch tools to protect users from this threat.