Bredolab-infected PCs downloading fake antivirus software

The latest look at Bredolab shows that a small part of the botnet appears to be still running

A massive takedown operation conducted by Dutch police and security experts earlier this week does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover.

The latest look at the botnet by FireEye's Malware Intelligence Lab shows that two domains are still being used to issue instructions to infected computers. PCs infected with Bredolab are programmed to check in with certain domains in order to receive new commands, wrote Atif Mushtaq of FireEye.

One domain, which resolves to an IP (Internet protocol) address registered to a colocation facility in Kazakhstan, is telling infected computers to download a fake antivirus program called Antivirusplus, Mushtaq said. Cybercriminals have found that fake antivirus programs can be a thriving business: once infected, users are badgered into buying programs that offer little or no actual protection from threats on the Internet.

The other domain is instructing computers compromised with Bredolab to send spam. That domain is hosted on an IP address assigned to a colocation facility in Russia.
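The check-in behaviour described above (bots periodically querying a command domain and then acting on what it returns) is exactly what a defender can spot in DNS resolver logs before any payload lands. The following is an added example, not FireEye's code and not taken from the article: it parses a handful of constructed resolver log lines, matches queries against a blocklist of stand-in C2 domains (the real Bredolab domains are not named in the article, so `update-check.example.kz` and `mailer-cmd.example.ru` are placeholders), and flags hosts whose queries to a listed domain recur at a near-constant interval, the signature of a scheduled check-in rather than a one-off visit.

```python
"""Flag hosts that beacon to Bredolab-style command domains.

Added example. The blocklist entries and the log lines below are
constructed for illustration; they are not the real Bredolab domains.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed stand-ins for the two command domains the article describes:
# one pushing a fake antivirus installer, one handing out spam jobs.
C2_BLOCKLIST = {
    "update-check.example.kz": "fake-av download",
    "mailer-cmd.example.ru": "spam commands",
}

# Constructed resolver log: "<ISO timestamp> <client IP> <queried name>".
# 10.0.0.7 checks in every ten minutes; 10.0.0.9 hits a C2 domain twice;
# 10.0.0.5 only talks to a benign host.
SAMPLE_LOG = """\
2010-10-27T08:00:00 10.0.0.5 www.example.com
2010-10-27T08:00:01 10.0.0.7 update-check.example.kz
2010-10-27T08:10:01 10.0.0.7 update-check.example.kz
2010-10-27T08:20:02 10.0.0.7 update-check.example.kz
2010-10-27T08:30:01 10.0.0.7 update-check.example.kz
2010-10-27T08:05:00 10.0.0.9 mailer-cmd.example.ru
2010-10-27T09:00:00 10.0.0.9 mailer-cmd.example.ru
2010-10-27T08:00:03 10.0.0.5 www.example.com
"""


def parse_log(text):
    """Turn log lines into (timestamp, client, normalised qname) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        events.append((datetime.fromisoformat(ts), client,
                       qname.lower().rstrip(".")))
    return events


def find_beacons(events, blocklist=C2_BLOCKLIST, min_hits=3, max_jitter=0.2):
    """Return {client: {domain: finding}} for every client that queried a
    blocklisted name (or a subdomain of one).  A client is marked periodic
    when it has at least `min_hits` queries and the gaps between them vary
    by no more than `max_jitter` (coefficient of variation), which is how a
    timer-driven check-in looks next to human browsing."""
    hits = defaultdict(lambda: defaultdict(list))
    for ts, client, qname in events:
        for bad in blocklist:
            if qname == bad or qname.endswith("." + bad):
                hits[client][bad].append(ts)

    findings = {}
    for client, per_domain in hits.items():
        for domain, stamps in per_domain.items():
            stamps.sort()
            info = {"reason": blocklist[domain], "hits": len(stamps),
                    "periodic": False, "interval_s": None}
            if len(stamps) >= min_hits:
                gaps = [(b - a).total_seconds()
                        for a, b in zip(stamps, stamps[1:])]
                avg = mean(gaps)
                if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                    info["periodic"] = True
                    info["interval_s"] = round(avg)
            findings.setdefault(client, {})[domain] = info
    return findings


if __name__ == "__main__":
    for client, per_domain in find_beacons(parse_log(SAMPLE_LOG)).items():
        for domain, info in per_domain.items():
            print(client, domain, info)
```

On the constructed input, 10.0.0.7 is reported as a periodic beacon with a 600-second interval, 10.0.0.9 is reported as a non-periodic match (two hits are not enough to judge), and 10.0.0.5 is not reported at all. In practice the blocklist would be fed from a threat-intelligence source and the same query stream would be blocked or sinkholed at the resolver, which is the defensive mirror of what the takedown did from the server side.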

The infected computers that are communicating with those domains appear to have a variant of Bredolab installed, Mushtaq wrote. Malware authors frequently modify their code in order to avoid detection by antivirus software.

Mushtaq submitted the Bredolab variant to VirusTotal, an online service that accepts malware samples and checks whether each of 42 different antivirus engines detects it. VirusTotal includes some of the most widely sold products from vendors such as Symantec, Trend Micro and McAfee.

As of Wednesday, only one product detected it, Mushtaq wrote. The results, however, are not surprising: much new malware remains undetected for a short time. When a vendor discovers it, the sample is shared throughout the security community, increasing the chances that other security software will pick it up.

The main Bredolab botnet appears to have been taken out after Dutch police seized control of 143 command-and-control servers on Monday and shut down their communication with infected PCs. Police uploaded their own code to those infected computers -- estimated to number as many as 29 million -- warning that the computer was infected.

Working with Dutch police, Armenian authorities arrested a 27-year-old man on Tuesday for allegedly controlling Bredolab. If he is extradited to the Netherlands, he could face between four and six years in prison.

The Bredolab variant that is still working may have come from the original Bredolab code, which may have been leaked and used by someone other than its author, Mushtaq wrote.

"This is not so unusual," Mushtaq wrote. "According to some confirmed sources, Cutwail (a famous spam botnet) code was leaked when one of the developers left the original bot herder's team and started building his own botnet."

It's also possible that a portion of the Bredolab botnet was rented to some other gang, Mushtaq wrote. Security experts have said that Bredolab was rented out to other cybercriminals, who could then upload their own specific code to infected machines or use the computers for spamming.

With most of Bredolab's command-and-control servers shut down by the authorities, Mushtaq wrote on Tuesday that "a big portion of this botnet has been dismantled and is never going to recover."

Still, cybercriminals who are involved with Bredolab are taking a higher risk: Dutch prosecutors said on Wednesday they are still investigating and could make more arrests.

"No doubt some of the bot herders are still untouched and committed enough to continue their operations even under this extra scrutiny," Mushtaq wrote.


Stories by Jeremy Kirk