As I blogged earlier today, Dutch law enforcement took action to remove 143 servers from the internet which were acting as command & control servers for the Bredolab botnet.
In an update to that news, they have also announced the arrest of a 27 year old Armenian citizen suspected of being the brains behind the operation.
So is Bredolab dead, is it dying, or is it simply dormant?
The glib answer is that we don’t know, but let’s consider the current situation. Many, if not most, of the victim machines infected by Bredolab remain infected; the botnet has simply been decapitated. How effective has that decapitation been? The graph below shows the marked decrease in the number of Bredolab samples collected from a pool of Bredolab C&C servers, which clearly demonstrates the effectiveness of the law enforcement action.
[Graph: Bredolab binaries downloaded over time]
What we do know, though, is that there is at least one Bredolab C&C server still active and that it is not hosted in the Netherlands. Where there is one, there is the potential for more.
TrendLabs continue to monitor the situation, but it is clear from past experience with botnets such as Mega-D and Cutwail that criminal software displays remarkable tenacity and a disturbing ability to rise phoenix-like from the ashes of a concerted take-down attempt. Let’s hope that is not the case with Bredolab.
According to a press release today from the High Tech Crime Team of the National Crime Squad in the Netherlands, action has been taken to isolate 143 servers from the Internet.
The servers were actively involved in the Bredolab botnet; from the release, they would appear to be command and control servers. The servers were hosted by a company called LeaseWeb, one of the largest hosting providers in the Netherlands, which fully cooperated in the coordinated takedown operation.
[Screenshot: Bredolab infection mails]
Bredolab is primarily a downloading platform and has served to distribute fake AV and ZeuS to victim computers. The botnet, which originated in Russia, only rose to prominence in August 2009. Dutch authorities estimate that it was capable of infecting 3 million computers per month at its peak. The primary initial trigger for infection with Bredolab was usually email, but infection vectors have been widely abused and also include drive-by download and even propagation through other forms of malware: for example, Cutwail has been seen to drop Bredolab as a payload, and Bredolab has been known to return the favour!
It is unclear right now whether the botnet has been effectively decapitated or if this only represents a setback to the criminals behind it. The bots remain infected with the malware, so if alternative command & control servers exist, then reconfiguration and regrouping remain a possibility. TrendLabs are investigating current activity levels of the botnet and I will update this blog as soon as new information is available.
UPDATE: According to a report in ITPro by Jennifer Scott, Kaspersky have been in touch to confirm that their servers were in fact compromised and the redirection was very real. The breach was made by exploiting “a third party app used for site admin”. The malicious redirection was in place for three and a half hours.
Several reports in Kaspersky user forums seem to indicate that the security software manufacturer was recently compromised by cybercriminals trying to punt fake security software.
Fake anti-virus software is most often spread through booby-trapped web pages designed to show up high in search results for popular or newsworthy terms; for example, people searching for information about the Stuxnet malware were recently targeted. This technique is so well established that TrendLabs have been able to develop automated tools to proactively monitor and block these pages as they appear. If true, this compromise of a legitimate download site, particularly a security vendor's, could represent an important change of tactics by the scareware pushers.
Kaspersky users in three separate forums (Calendar of Updates, Yahoo Answers and Kaspersky’s own Kaspersky Lab forum) have complained that links to download Kaspersky’s home user security software from their USA download site were redirecting them to a malicious web page pushing fake AV known as Security Tool. One user posted the screen capture below.
According to forum posts, Kaspersky have stated that there was no compromise of their servers. Somewhat incongruous, then, is the post by one forum user going by the handle of Micha, who according to his profile appears to come from Kaspersky Lab in Japan. He posted the following:
Thanks, it should be fixed.
Security vendors have often been the target of both malicious and mischievous hackers, and without fail, honesty and transparency have always been the best policy in the aftermath of such an event.