As I blogged earlier today, Dutch law enforcement took action to remove 143 servers from the internet which were acting as command & control servers for the Bredolab botnet.
In an update to that news, they have also announced the arrest of a 27 year old Armenian citizen suspected of being the brains behind the operation.
So is Bredolab, dead, is it dying or is it simply dormant?
The glib answer is that we don’t know, but let’s consider the current situation. Many if not most of the victim machines infected by Bredolab remain infected, the botnet has simply been decapitated. How effective has that decaptiation been? The graph below shows the marked decrease in the number of Bredolab samples collected from a pool of Bredolab C&C servers, this shows clearly the effectiveness of the law enforcement action.
Bredolab binaries downloaded over time
What we do know though, is that there is at least one Bredolab C&C server still active and that it is not hosted in the Netherlands, where there is one, there is the potential for more.
TrendLabs continue to monitor the situation, but it is clear from past experience with botnets such as Mega-D and Cutwail that criminal software displays remarkable tenacity and a disturbing ability to rise phoenix-like from the ashes of a concerted take-down attempt. Let’s hope that is not the case with Bredolab.