Yet Another Botnet Dismantled, Alleged Botmaster Arrested

Published: 22/11/2024   Category: security




Dutch authorities take unusual tack in directly contacting machines infected by Bredolab botnet



No doubt 2010 will go down as the year of the botnet takedown, as yet another botnet met its demise this week: Dutch authorities announced that they have struck down the Bredolab botnet and arrested its alleged mastermind, making it the fourth major botnet to go down this year in coordinated, multi-party efforts to root out these vehicles of cybercrime.
Bredolab, which had some 30 million bot-infected machines in its army worldwide, was a spamming botnet known for pushing fake antivirus, phony pharmaceuticals, spreading other Trojan malware, and stealing the victim machines' financial information. The botnet had the capacity to infect 3 million machines a month, according to the Dutch High Tech Crime Team, which led the investigation. Bredolab had sent some 3.6 billion emails containing its malware by the end of 2009.
And the Bredolab botmaster may also be in custody: a 27-year-old Armenian man was arrested today as part of the investigation. Radio Netherlands reported that the man had unsuccessfully tried to wrest the botnet back from investigators and then launched a distributed denial-of-service attack against the botnet, using an army of 220,000 infected machines. Investigators blocked this attack by disconnecting three servers in Paris, according to Radio Netherlands.
In an unusual move, Dutch authorities used the seized C&C domains to notify victims via a pop-up message that their machines were infected with Bredolab. Owners of the bot-infected machines are directed to this page when they log into their machines, where they receive information about the infection and how to clean it up.
Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, in Germany, who with a team of researchers helped shut down Waledac's C&C infrastructure and then the Pushdo botnet as well, says this was an interesting move by authorities. "Notification of this kind is something rather uncommon because of all of the legal issues involved with this," Holz says. "Whenever you send a message to an infected system, it raises legal and ethical questions," he says.
The trick, too, is convincing and reassuring the victim that it's a legitimate message, especially with Bredolab, which pushes fake antivirus software. "The victim has to be able to recognize that this is a legitimate pop-up. Fake AV also does this in a similar way," Holz says. "It's a fine line where you see a real notification and educate them on something wrong in a notification."
Derek Manky, project manager for cyber security & threat research at Fortinet, says this approach taken by Dutch authorities is rarely, if ever, taken. "From what I understand, the main difference about this takedown vs. previous ones (a la Zeus, Cutwail, etc.) is that authorities here seized control of the command servers and replaced the malicious Bredolab binaries with good code that instructed infected machines -- they would reach out to download the good code -- to the authorities' site warning of the infection," he says. "With previous takedowns, the C&Cs have been taken offline completely so that infected machines still remain but cannot contact the dead servers. I believe they did this in this case to attempt to further clean infected machines, and ensure that the botmaster could not regain control."
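The sinkhole approach described above (seize the C&C domains, answer bot check-ins with harmless code that steers the victim to a notification page, and keep the botmaster from regaining control) in a minimal form. This is an added illustration, not the Dutch authorities', Fox-IT's or anyone else's takedown code; the check-in paths, the JSON body served in place of the malware update, and the notification URL are assumptions, since the page does not describe Bredolab's actual C&C protocol.

```python
"""Minimal C&C sinkhole: answers bot check-ins, records victims, serves no malware.

Added illustration, not the code used in the Bredolab takedown. The bot
endpoints, payload format and notification URL below are assumptions.
"""
import ipaddress
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

NOTICE_URL = "https://example.invalid/bredolab-notice"  # hypothetical notification page
BOT_PATHS = ("/update", "/cfg")                          # hypothetical check-in endpoints

# Harmless body served instead of the malware update. A real takedown would
# have to speak whatever update format the bot expects; that format is not
# documented on this page, so a plain JSON instruction stands in for it.
BENIGN_PAYLOAD = json.dumps({"action": "notify", "url": NOTICE_URL}).encode()


class Sinkhole:
    """Request handling kept separate from the HTTP server so it can be tested."""

    def __init__(self, notice_url: str = NOTICE_URL) -> None:
        self.notice_url = notice_url
        self.victims: Dict[str, dict] = {}  # client ip -> first_seen, last_seen, hits

    def handle(self, path: str, client_ip: str) -> Tuple[int, Dict[str, str], bytes]:
        """Return (status, headers, body) for one request from client_ip."""
        if path not in BOT_PATHS:
            # Scanners, crawlers and curious humans get nothing useful.
            return 404, {"Content-Type": "text/plain"}, b"not found\n"
        now = datetime.now(timezone.utc).isoformat()
        rec = self.victims.setdefault(client_ip, {"first_seen": now, "hits": 0})
        rec["last_seen"] = now
        rec["hits"] += 1
        headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
        return 200, headers, BENIGN_PAYLOAD

    def by_prefix(self, bits: int = 24) -> Dict[str, int]:
        """Victim counts per IP prefix, the shape an ISP or CERT wants for notification."""
        counts: Dict[str, int] = {}
        for ip in self.victims:
            net = str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))
            counts[net] = counts.get(net, 0) + 1
        return counts


SINK = Sinkhole()


class Handler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        status, headers, body = SINK.handle(self.path, self.client_address[0])
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # drain the bot's report without parsing it
        self.do_GET()

    def log_message(self, fmt, *args) -> None:
        pass  # the victim table in SINK is the record; keep stdout quiet


if __name__ == "__main__":
    # Bind locally; in a real takedown the seized domains would point here.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The victim table is the point of the exercise and also its liability: it is a list of infected hosts' addresses, which is exactly the kind of data Holz's "legal and ethical questions" are about, so who may run such a sinkhole and what they may send back to the bots depends on the jurisdiction and on the mandate the takedown was run under.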
Dutch hosting provider LeaseWeb, along with the Dutch Forensic Institute, Fox-IT and the Dutch CERT, helped Dutch authorities zero in on and shut down some 143 servers that controlled Bredolab. The servers had been hosted via a reseller of LeaseWeb, the biggest hosting provider in the Netherlands and a major player in Europe as a whole.
But the reality is that botnet takedowns are often only temporary victories for law enforcement and the security community. Unless the real masterminds are caught (as happened with Mariposa, and possibly now with Bredolab), these networks typically just get resurrected, with different malware or a different architecture and relocated command-and-control servers.
Trend Micro Labs says there's at least one Bredolab C&C server still in operation (it is not in the Netherlands), so there's a chance others are out there alive and well, too.
Bots are not easy to clean up. Botnet takedowns are typically more of a temporary solution, and many bots never get completely cleaned up even after their botnet masters are cut off from communicating with them. Victims either don't wipe out the bot software, or the machines also harbor other bot infections and ultimately get recruited into other botnets. In many cases, these machines are already poorly maintained, so they are easily reinfected by another botnet, and the cycle continues.
Microsoft recently reported that it cleaned up twice as many bot-infected Windows machines in the first half of this year as in the corresponding period in 2009. It removed 6.5 million bots from Windows machines in the second quarter of this year alone, according to the Microsoft Security Intelligence Report volume 9 (SIRv9).
Bredolab spreads via spam messages with infected attachments or drive-by downloads from infected websites. It often downloads other Trojans and, for instance, uses keyloggers as well. "Typically, the attacks were spammed out via old-fashioned, but still worryingly successful, spam campaigns as malicious attachments. In other words, no zero day exploits, no sophisticated new techniques, just effective social engineering to make people run the attachments in the first place," Graham Cluley, senior technology consultant for Sophos, said in a blog post today.
Holz says Bredolab was not only a relatively large botnet, but a very sophisticated and difficult one to crack. "It had a very complicated infrastructure with different layers of proxies in between. It was run very professionally," Holz says. "It was hard to get back to the main controller ... there were several layers of redirection and you had to trace them in over several hops in the C&C. It took coordination among each of the providers in between to ... find the real back-end."