Bredolab Down but Far from Out After Botnet Takedown

Bredolab is still pushing malware to PCs despite a massive botnet-takedown operation announced this week. Here's why stopping Bredolab is harder than some may think.

Authorities in the Netherlands made a media splash earlier this week when they announced the arrest of a man accused of running a massive botnet of Bredolab-infected PCs. But the impact of the takedown is not destined to last.

Symantec told eWEEK Oct. 27 the company was still seeing e-mails containing the malware being spammed out. Likewise, researchers at Fortinet have reported seeing a new variant. All this despite the efforts by the Dutch National Crime Squad's High Tech Crime Team and a host of partners.

"Bredolab is a breed of pay-per-install malware - attackers can buy Bredolab infected bots in bulk, maybe 1,000 at a time, and install their chosen malware," said Paul Wood, MessageLabs Intelligence senior analyst at Symantec Hosted Services. "Bredolab essentially just takes control of PCs, subsequently that resource may be used by some other attacker for more sinister purposes."

The gang behind Bredolab is making money from selling control of the PCs, Wood said.

"Traditionally, attackers design their attack, something very specific, for example to steal personal information, or to try and create bots for a specific botnet," he explained. "For attackers using this approach, the success rate is somewhat out of their control. But relatively recently, we have seen the emergence of malware threats like Bredolab - this malware [is] flexible but at its heart is designed simply to seize control of the victim's PC. Later, this control can be used to download and install any malware - keyloggers, botnet, phishing, Fake AV [antivirus], and so on."

Derek Manky, project manager for cyber-security and threat research at Fortinet, said a new variant is in operation and is contacting a command and control server in Russia.

"We are monitoring this variant, and the C&C server is actively sending downloads to the infected clients," he said. "Most of the downloads we are observing are new copies of the Grum/Tedroo spam bot, which is used to blast out spam mail. This variant was an update from a previous variant that we had, which contacted a C&C that has been taken offline. This may have been a reaction to update by the operators after the news in the Netherlands."

Pay-per-install downloaders like Bredolab allow attackers to buy control of machines knowing they can install their chosen malware on them with a 100 percent infection rate, Wood said.

"It is likely that the authors of the threat are associated with affiliate schemes that are attempting to generate money through the distribution of malware," he said. "The threat may also be used to help construct a bot network that can be sold or hired for monetary gain."

Still, disrupting 143 servers, as authorities did this week, is significant, Manky said.

"It's a big development since a large botnet has been dismantled, just like the Pushdo takedown around August and Zeus in September/October," he said. "With that said, it is not the end of Bredolab."