Bredolab botnet infiltrated

I’m a bit behind on writing about this, but last week the Bredolab botnet was infiltrated and shut down by Dutch police.  From PC World:

A massive takedown operation conducted by Dutch police and security experts earlier this week does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover.

The main Bredolab botnet appears to have been taken out after Dutch police seized control of 143 command-and-control servers on Monday [Oct 25] and shut down their communication with infected PCs. Police uploaded their own code to those infected computers -- estimated to number as many as 29 million -- warning that the computer was infected.

Working with Dutch police, Armenian authorities arrested a 27-year-old man on Tuesday for allegedly controlling Bredolab. If he is extradited to the Netherlands, he could face between four and six years in prison.

The Bredolab variant that is still working may have come from the original Bredolab code, which may have been leaked and used by someone other than its author, Atif Mushtaq of security firm FireEye wrote.  "This is not so unusual," Mushtaq wrote. "According to some confirmed sources, Cutwail (a famous spam botnet) code was leaked when one of the developers left the original bot herder's team and started building his own botnet."

It's also possible that a portion of the Bredolab botnet was rented to some other gang, Mushtaq wrote. Security experts have said that Bredolab was rented out to other cybercriminals, who could then upload their own specific code to infected machines or use the computers for spamming.

Authorities have shut down most of Bredolab's command-and-control servers, so Mushtaq wrote on Tuesday that "a big portion of this botnet has been dismantled and is never going to recover."

According to the Microsoft Malware Protection Center’s Encyclopedia entry on Bredolab, it is a downloader that is able download and execute files on a remote host.  There are lots of different pieces of malware that Bredolab pulls, including Cutwail (spamming botnet), Koobface (targets Facebook), and FakeSpyPro (rogue A/V).  According to the latest Microsoft Security Intelligence Report, Bredolab is the tenth most prolific piece of malware on domain-joined computers (usually within a business or corporation) from January – June 2010.  Interestingly, it didn’t make the top 10 in consumer space.

The Bredolab infiltration and shut down joins a long list of shutdowns in 2010: Lethic, Zeus, Mariposa, Waledac and Pushdo.  Some of these botnets resurface, and some of them do not. 

The statement that a big portion of the botnet is taken down and won’t recover is subject to qualification.  While the current botnet-infected machines might not be receiving instructions, botnets recover all the time because that recovery is subject to one very weak link – user behavior.

The machines that got infected with malware is generally due to user behavior – not running anti-malware software nor applying the latest updates to their versions of software.  But they also click on links in messages, download suspicious attachments, open zip files in email, and so forth.  The same habits that got their machines infected in the first place without their knowledge haven’t changed; users continue to do the same things over and over again unless they are provoked to change their actions online.  Thus, if a spammer sends a spam message to a user urging them to go to a certain link, if that user clicked on it before they are likely to click on it again.  A botnet operator may have lost this particular spamming infrastructure but the basic principles towards rebuilding it remain the same – exploit the user and slowly rebuild to where you were.  It takes time but all that is required is time.

In this case, there’s a bit of a wrinkle in that the operator of the botnet was arrested in Armenia.  There are always human components behind crime operatives like botnets and if there is no human to direct the crime syndicate, then that absolutely has an effect on the botnet.  If no one is there to operate it, then all that is left is the potential to build a botnet.  Of course, “potential” isn’t worth very much.  At the start of the 2010 Canadian football season, the Winnipeg Blue Bombers had potential and where did that get them?  Last place in the league.  Potential is only useful if it is combined with probability.  How probable is it that someone will pick up this botnet? That depends on how closed an ecosystem this particular individual built.

I’ve said it before but I will say it again, the problem of malware and spam is not solved by technology alone.  It requires several elements:

  • Secure software – antispam filters that block nearly all spam and anti-malware software that blocks nearly all malicious software.  It is unrealistic to expect it to block all of it, but the idea is to make the time and energy spent defeating these filters to be economically infeasible.  This may never occur.

  • Prosecution of cybercrime – related to my post yesterday, there are actual people behind spam and malware, and once they start getting sent to prison, they can no longer operate their cyber infrastructure.  This requires government funding (sorry, Objectivists)  for prosecution and investigation and laws against cybercrime.
  • Infiltration of botnets – We’ve actually seen quite a number of botnet shutdowns this year.  If security researchers continue to do this, then maybe the miscreants will figure out it’s not worth the effort to keep building it back up.
  • Policies against abuse of resources – Registrars and ISPs who host the abusive web sites where spammers operate from need to ensure they take an active role in detecting and shutting down malicious sites.
  • Changes in user behavior – This might be the most important one as it has the potential to actually do something.  If users stopped falling for scams, or dropped off in rapid numbers, the cost/benefit ratio for cyber criminals would lower the revenue they generate and cause them to start doing something else.

That’s how I see things.

Skip to main content