Bredolab is still pushing malware to PCs despite a massive botnet-takedown operation announced this week. Here's why stopping Bredolab is harder than some may think.
Authorities in the Netherlands made a media splash earlier this week when they announced the arrest of a man accused of running a massive botnet of Bredolab-infected PCs. But the impact of the takedown is not destined to last.
Symantec told eWEEK Oct. 27 that the company was still seeing e-mails containing the malware being spammed out. Likewise, researchers at Fortinet have reported seeing a new variant. All this despite the efforts of the Dutch National Crime Squad's High Tech Crime Team and a host of partners.
"Bredolab is a breed of pay-per-install malware - attackers can buy Bredolab-infected bots in bulk, maybe 1,000 at a time, and install their chosen malware," said Paul Wood, MessageLabs Intelligence senior analyst at Symantec Hosted Services. "Bredolab essentially just takes control of PCs; subsequently that resource may be used by some other attacker for more sinister purposes."
The gang behind Bredolab is making money from selling control of the PCs, Wood said.
"Traditionally, attackers design their attack, something very specific, for example to steal personal information, or to try and create bots for a specific botnet," he explained. "For attackers using this approach, the success rate is somewhat out of their control. But relatively recently, we have seen the emergence of malware threats like Bredolab - this malware [is] flexible but at its heart is designed simply to seize control of the victim's PC. Later, this control can be used to download and install any malware - keyloggers, botnet, phishing, Fake AV [antivirus], and so on."
Derek Manky, project manager for cyber-security and threat research at Fortinet, said a new variant is in operation and is contacting a command and control server in Russia.
"We are monitoring this variant, and the C&C server is actively sending downloads to the infected clients," he said. "Most of the downloads we are observing are new copies of the Grum/Tedroo spam bot, which is used to blast out spam mail. This variant was an update from a previous variant that we had, which contacted a C&C that has been taken offline. This may have been a reaction to update by the operators after the news in the Netherlands."
Pay-per-install downloaders like Bredolab allow attackers to buy control of machines knowing they can install their chosen malware on them with a 100 percent infection rate, Wood said.
"It is likely that the authors of the threat are associated with affiliate schemes that are attempting to generate money through the distribution of malware," he said. "The threat may also be used to help construct a bot network that can be sold or hired for monetary gain."
Still, disrupting 143 servers like authorities did this week is significant, Manky said.
"It's a big development since a large botnet has been dismantled, just like the Pushdo takedown around August and Zeus in September/October," he said. "With that said, it is not the end of Bredolab."