Bredolab botnet
{{Short description|E-mail spamming botnet}}
The Bredolab botnet, also known by its alias Oficla,<ref>[http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Bredolab Search the malware encyclopedia: Bredolab], Microsoft.com</ref> was a Russian<ref>{{cite web|author=Dan Raywood |url=http://www.scmagazineuk.com/bredolab-botnet-taken-down-after-dutch-intervention/article/181737/ |title=Bredolab botnet taken down after Dutch intervention |publisher=SC Magazine UK |date=2010-10-26 |accessdate=2012-01-28}}</ref> botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.<ref>{{cite web |author=James Wray and Ulf Stabe |url=http://www.thetechherald.com/article.php/201043/6346/Researchers-Bredolab-still-lurking-though-severely-injured-Update-3 |title=Researchers: Bredolab still lurking, though severely injured (Update 3) - Security |publisher=Thetechherald.com |date=2010-10-28 |accessdate=2012-01-28 |url-status=dead |archiveurl=https://web.archive.org/web/20111003143933/http://www.thetechherald.com/article.php/201043/6346/Researchers-Bredolab-still-lurking-though-severely-injured-Update-3 |archivedate=2011-10-03 }}</ref><ref>{{cite web|url=http://www.infosecurity-magazine.com/view/13620/bredolab-downed-botnet-linked-with-spamitcom/ |title=Infosecurity (UK) - BredoLab downed botnet linked with Spamit.com |publisher=Infosecurity-magazine.com |date=2010-11-01 |accessdate=2012-01-28}}</ref><ref>{{cite web|author=Help Net Security |url=http://www.net-security.org/secworld.php?id=10089 |title=The aftermath of the Bredolab botnet shutdown |publisher=Net-security.org |date=2010-11-02 |accessdate=2012-01-28}}</ref>
The countries most affected by the botnet were Russia itself, Uzbekistan, the US, Europe, India, Vietnam and the Philippines.<ref>{{cite web |title=Kaspersky Threats — Bredolab |url=https://threats.kaspersky.com/en/threat/Backdoor.Win32.Bredolab/ |website=threats.kaspersky.com |language=en}}</ref>
Operations
Though the earliest reports surrounding the Bredolab botnet originate from May 2009 (when the first malware samples of the Bredolab trojan horse were found), the botnet itself did not rise to prominence until August 2009, when there was a major surge in the size of the botnet.<ref>{{cite web|url=http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/bredolab_final.pdf |title=Security Threat Reports - Research Analysis - Trend Micro USA |publisher=Us.trendmicro.com |date= |accessdate=2012-01-28}}</ref><ref>{{cite web|url=http://www.symantec.com/security_response/writeup.jsp?docid=2009-052907-2436-99 |archive-url=https://web.archive.org/web/20090720070545/http://www.symantec.com/security_response/writeup.jsp?docid=2009-052907-2436-99 |url-status=dead |archive-date=20 July 2009 |title=Trojan.Bredolab |publisher=Symantec |date= |accessdate=2012-01-28}}</ref> Bredolab's main form of propagation was sending malicious e-mails carrying malware attachments that infected a computer when opened, turning it into another zombie controlled by the botnet. At its peak, the botnet was capable of sending 3.6 billion infected e-mails every day.<ref>{{cite web|url=http://www.infosecurity-us.com/view/13461/dutch-government-shuts-down-bredolab-botnet |title=Infosecurity (USA) - Dutch government shuts down Bredolab botnet |publisher=Infosecurity-us.com |date=2010-10-26 |accessdate=2012-01-28}}</ref> The other main form of propagation was drive-by downloads, a method that exploits security vulnerabilities in software.
This method allowed the botnet to bypass software protection and install its malware without the user being aware of the download.<ref>{{cite web|url=http://www.symantec.com/security_response/writeup.jsp?docid=2009-052907-2436-99&tabid=2 |archive-url=https://web.archive.org/web/20090724153514/http://www.symantec.com/security_response/writeup.jsp?docid=2009-052907-2436-99&tabid=2 |url-status=dead |archive-date=24 July 2009 |title=Trojan.Bredolab Technical Details |publisher=Symantec |date= |accessdate=2012-01-28}}</ref>
The main income of the botnet was generated by leasing parts of the botnet to third parties, who could then use the infected systems for their own purposes; security researchers estimate that the owner of the botnet made up to $139,000 a month from botnet-related activities.<ref>[https://archive.today/20130122224841/http://www.eweek.com/c/a/Security/Bredolab-Down-But-Far-From-Out-After-Botnet-Takedown-160657/ Bredolab Down but Far from Out After Botnet Takedown], 28 October 2010</ref><ref>{{cite web |url=http://news.techworld.com/security/3246311/more-bredolab-arrests-may-occur-say-dutch-prosecutors/ |title=More Bredolab arrests may occur, say Dutch prosecutors - Techworld.com |publisher=News.techworld.com |date= |accessdate=2012-01-28 |archive-date=23 November 2010 |archive-url=https://web.archive.org/web/20101123033259/http://news.techworld.com/security/3246311/more-bredolab-arrests-may-occur-say-dutch-prosecutors |url-status=dead }}</ref> Because of this rental business model, the payload of Bredolab has been very diverse, ranging from scareware to other malware and e-mail spam.<ref>{{cite web|last=Schwartz |first=Mathew J. |url=http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228000344&subSection=News |title=Bredolab Botnet Still Spewing Malware - Bredolab Botnet |publisher=InformationWeek |date=2010-10-29 |accessdate=2012-01-28}}</ref>
Dismantling and aftermath
On 25 October 2010, a team of Dutch law enforcement agents seized control of 143 servers in a LeaseWeb datacenter, among them three command and control servers, one database server and several management servers of the Bredolab botnet,<ref>{{cite journal|last=de Graaf|first=JD|title=BREDOLAB: Shopping in the Cybercrime Underworld|journal=ICDF2C Conference|year=2012|url=http://digitalfire.ucd.ie/wp-content/uploads/2012/10/BREDOLAB-Shopping-in-the-Cybercrime-Underworld.pdf|publisher=Springer-Verlag}}</ref> effectively removing the botnet herder's ability to control the botnet centrally.<ref>{{cite news|author=Josh Halliday |url=https://www.theguardian.com/technology/2010/oct/26/bredolab-worm-suspect-arrested-armenia |title=Suspected Bredolab worm mastermind arrested in Armenia {{!}} Technology |publisher=guardian.co.uk |date=2010-10-26 |accessdate=2012-01-28 |location=London}}</ref> In an attempt to regain control of his botnet, the botnet herder used 220,000 computers that were still under his control to launch a DDoS attack on LeaseWeb servers, though these attempts were ultimately in vain.<ref>{{cite web|url=http://news.softpedia.com/news/Suspected-Bredolab-Runner-Arrested-in-Armenia-163068.shtml |title=Suspected Bredolab Botnet Runner Arrested in Armenia - Softpedia |publisher=News.softpedia.com |date=2010-10-26 |accessdate=2012-01-28}}</ref> After taking control of the botnet, the law enforcement team used the botnet itself to send a message to the owners of infected computers, stating that their computer was part of the botnet.<ref>[https://www.theregister.co.uk/2010/10/29/bredolab_botnet_death_throes/ Undead Bredolab zombie network lashes out from the grave], 29 October 2010</ref>
Subsequently, Armenian law enforcement officers arrested an Armenian citizen, Georgy Avanesov,<ref>{{cite web|url=http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/ |title=Bredolab Mastermind Was Key Spamit.com Affiliate — Krebs on Security |publisher=Krebsonsecurity.com |date=2010-10-30 |accessdate=2012-01-28}}</ref> as the suspected mastermind behind the botnet. The suspect denied any involvement in the botnet. He was sentenced to four years in prison in May 2012.<ref>{{cite news |title=Russian spam mastermind jailed for creating botnet |url=https://www.bbc.co.uk/news/technology-18189987 |newspaper=BBC News |date=24 May 2012 |accessdate=24 May 2012}}</ref>
While the seizure of the command and control servers severely disrupted the botnet's ability to operate,<ref>{{cite web|url=http://countermeasures.trendmicro.eu/bredolab-dead-dying-or-dormant/ |title=Bredolab, dead, dying or dormant? » CounterMeasures |publisher=Countermeasures.trendmicro.eu |date=2010-10-26 |accessdate=2012-01-28}}</ref> the botnet itself remains partially intact, with command and control servers persisting in Russia and Kazakhstan. The security firm FireEye believes that a secondary group of botnet herders has taken over the remaining part of the botnet for its own purposes, possibly a previous client who reverse engineered parts of the original botnet creator's code. Even so, the firm noted that the botnet's size and capacity have been severely reduced by the law enforcement intervention.<ref>{{cite web|author=Atif Mushtaq |url=http://blog.fireeye.com/research/2010/10/bredolab-severely-injured-but-not-dead.html |title=FireEye Malware Intelligence Lab: Bredolab - Severely Injured but not dead |publisher=Blog.fireeye.com |date=2010-10-26 |accessdate=2012-01-28}}</ref>
References
{{Reflist|2}}
{{Botnets}}
{{Use dmy dates|date=December 2017}}
[[Category:Web security exploits]]