Bredolab-infected PCs Downloading Fake Antivirus Software
A massive takedown operation conducted by Dutch police and security experts earlier this week does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover.
The latest look at the botnet by FireEye's Malware Intelligence Lab shows that two domains are being used to issue instructions to infected computers. PCs that are infected with Bredolab are programmed check in with certain domains in order to receive new commands, wrote Atif Mushtaq, of FireEye.
One domain, which is on an IP (Internet protocol) address registered with a collocation facility in Kazakhstan, is telling infected computers to download a fake antivirus program called Antivirusplus, Mushtaq said. Cybercriminals have found that fake antivirus programs can be a thriving business. If infected, users are badgered to buy the programs, which offer little or no actual protection from threats on the Internet.
The other domain is instructing computers compromised with Bredolab to send spam. That domain is hosted on an IP address assigned to a collocation facility in Russia.
The infected computers that are communicating with domains appear to have a variant of Bredolab installed, Mushtaq wrote. Malware authors frequently have to modify the code in order to avoid detection by antivirus software.
Mushtaq submitted the Bredolab variant to VirusTotal, an online service that accepts malware samples and checks to see whether 42 different security software suites detect it. VirusTotal includes some of the most widely sold products from vendors such as Symantec, Trend Micro and McAfee.
As of Wednesday, only one product detected it, Mushtaq wrote. The results, however, are not surprising: much new malware remains undetected for a short time. When a vendor discovers it, the sample is shared throughout the security community, increasing the chances that other security software will pick it up.
The main Bredolab botnet appears to have been taken out after Dutch police seized control of 143 command-and-control servers on Monday and shut down their communication with infected PCs. Police uploaded their own code to those infected computers -- estimated to number as many as 29
million -- warning that the computer was infected.
Working with Dutch police, Armenian authorities arrested a 27-year-old man on Tuesday for allegedly controlling Bredolab. If he is extradited to the Netherlands, he could face between four and six years in prison.
The Bredolab variant that is still working may have come from the original Bredolab code, which may have been leaked and used by someone other than its author, Mushtaq wrote.
"This is not so unusual," Mushtaq wrote. "According to some confirmed sources, Cutwail (a famous spam botnet) code was leaked when one of the developers left the original bot herder's team and started building his own botnet."
It's also possible that a portion of the Bredolab botnet was rented to some other gang, Mushtaq wrote. Security experts have said that Bredolab was rented out to other cybercriminals, who could then upload their own specific code to infected machines or use the computers for spamming.
Authorities have shut down most of Bredolab's command-and-control servers, so Mushtaq wrote on Tuesday that "a big portion of this botnet has been dismantled and is never going to recover."
Still, cybercriminals who are involved with Bredolab are taking a higher risk: Dutch prosecutors said on Wednesday they are still investigating could make more arrests.
"No doubt some of the bot herders are still untouched and committed enough to continue their operations even under this extra scrutiny," Mushtaq wrote.