Bredolab-infected PCs downloading fake antivirus software

The latest look at Bredolab shows that a small part of the botnet appears to be still running

A massive takedown operation conducted by Dutch police and security experts earlier this week does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover.

The latest look at the botnet by FireEye's Malware Intelligence Lab shows that two domains are being used to issue instructions to infected computers. PCs that are infected with Bredolab are programmed check in with certain domains in order to receive new commands, wrote Atif Mushtaq, of FireEye.

One domain, which is on an IP (Internet protocol) address registered with a collocation facility in Kazakhstan, is telling infected computers to download a fake antivirus program called Antivirusplus, Mushtaq said. Cybercriminals have found that fake antivirus programs can be a thriving business. If infected, users are badgered to buy the programs, which offer little or no actual protection from threats on the Internet.

The other domain is instructing computers compromised with Bredolab to send spam. That domain is hosted on an IP address assigned to a collocation facility in Russia.

The infected computers that are communicating with domains appear to have a variant of Bredolab installed, Mushtaq wrote. Malware authors frequently have to modify the code in order to avoid detection by antivirus software.

Mushtaq submitted the Bredolab variant to VirusTotal, an online service that accepts malware samples and checks to see whether 42 different security software suites detect it. VirusTotal includes some of the most widely sold products from vendors such as Symantec, Trend Micro and McAfee.

As of Wednesday, only one product detected it, Mushtaq wrote. The results, however, are not surprising: much new malware remains undetected for a short time. When a vendor discovers it, the sample is shared throughout the security community, increasing the chances that other security software will pick it up.

The main Bredolab botnet appears to have been taken out after Dutch police seized control of 143 command-and-control servers on Monday and shut down their communication with infected PCs. Police uploaded their own code to those infected computers -- estimated to number as many as 29 million -- warning that the computer was infected.

Working with Dutch police, Armenian authorities arrested a 27-year-old man on Tuesday for allegedly controlling Bredolab. If he is extradited to the Netherlands, he could face between four and six years in prison.

The Bredolab variant that is still working may have come from the original Bredolab code, which may have been leaked and used by someone other than its author, Mushtaq wrote.

"This is not so unusual," Mushtaq wrote. "According to some confirmed sources, Cutwail (a famous spam botnet) code was leaked when one of the developers left the original bot herder's team and started building his own botnet."

It's also possible that a portion of the Bredolab botnet was rented to some other gang, Mushtaq wrote. Security experts have said that Bredolab was rented out to other cybercriminals, who could then upload their own specific code to infected machines or use the computers for spamming.

Authorities have shut down most of Bredolab's command-and-control servers, so Mushtaq wrote on Tuesday that "a big portion of this botnet has been dismantled and is never going to recover."

Still, cybercriminals who are involved with Bredolab are taking a higher risk: Dutch prosecutors said on Wednesday they are still investigating could make more arrests.

"No doubt some of the bot herders are still untouched and committed enough to continue their operations even under this extra scrutiny," Mushtaq wrote.

Join the PC World newsletter!

Error: Please check your email address.

Tags CriminalsecurityFireEyelegalExploits / vulnerabilitiescybercrimemalware

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?