Bredolab-infected PCs downloading fake antivirus software

The latest look at Bredolab shows that a small part of the botnet appears to be still running

A massive takedown operation conducted by Dutch police and security experts earlier this week does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover.

The latest look at the botnet by FireEye's Malware Intelligence Lab shows that two domains are being used to issue instructions to infected computers. PCs that are infected with Bredolab are programmed check in with certain domains in order to receive new commands, wrote Atif Mushtaq, of FireEye.

One domain, which is on an IP (Internet protocol) address registered with a collocation facility in Kazakhstan, is telling infected computers to download a fake antivirus program called Antivirusplus, Mushtaq said. Cybercriminals have found that fake antivirus programs can be a thriving business. If infected, users are badgered to buy the programs, which offer little or no actual protection from threats on the Internet.

The other domain is instructing computers compromised with Bredolab to send spam. That domain is hosted on an IP address assigned to a collocation facility in Russia.

The infected computers that are communicating with domains appear to have a variant of Bredolab installed, Mushtaq wrote. Malware authors frequently have to modify the code in order to avoid detection by antivirus software.

Mushtaq submitted the Bredolab variant to VirusTotal, an online service that accepts malware samples and checks to see whether 42 different security software suites detect it. VirusTotal includes some of the most widely sold products from vendors such as Symantec, Trend Micro and McAfee.

As of Wednesday, only one product detected it, Mushtaq wrote. The results, however, are not surprising: much new malware remains undetected for a short time. When a vendor discovers it, the sample is shared throughout the security community, increasing the chances that other security software will pick it up.

The main Bredolab botnet appears to have been taken out after Dutch police seized control of 143 command-and-control servers on Monday and shut down their communication with infected PCs. Police uploaded their own code to those infected computers -- estimated to number as many as 29 million -- warning that the computer was infected.

Working with Dutch police, Armenian authorities arrested a 27-year-old man on Tuesday for allegedly controlling Bredolab. If he is extradited to the Netherlands, he could face between four and six years in prison.

The Bredolab variant that is still working may have come from the original Bredolab code, which may have been leaked and used by someone other than its author, Mushtaq wrote.

"This is not so unusual," Mushtaq wrote. "According to some confirmed sources, Cutwail (a famous spam botnet) code was leaked when one of the developers left the original bot herder's team and started building his own botnet."

It's also possible that a portion of the Bredolab botnet was rented to some other gang, Mushtaq wrote. Security experts have said that Bredolab was rented out to other cybercriminals, who could then upload their own specific code to infected machines or use the computers for spamming.

Authorities have shut down most of Bredolab's command-and-control servers, so Mushtaq wrote on Tuesday that "a big portion of this botnet has been dismantled and is never going to recover."

Still, cybercriminals who are involved with Bredolab are taking a higher risk: Dutch prosecutors said on Wednesday they are still investigating could make more arrests.

"No doubt some of the bot herders are still untouched and committed enough to continue their operations even under this extra scrutiny," Mushtaq wrote.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags CriminalsecuritylegalFireEyeExploits / vulnerabilitiesmalwarecybercrime

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?