Bredolab botnet revealed by Kaspersky Lab analyst

21 December 2010

Kaspersky Lab's malware analyst Alexei Kadiev has posted an interesting analysis on how the Bredolab botnet – which infected around 30 million PCs at its height – functioned.

According to Kadiev, the botnet emerged in mid-2009 and comprised some 30 million infected computers all over the world. Then, in October, the Dutch police force's cybercrime department announced the shutdown of 143 Bredolab botnet control servers.

Bredolab's main purpose, he says, is to download other malicious programs onto victim computers. One of the botnet's most distinguishing features was its method of operation: legitimate websites that had been hacked were used to spread the botnet's payload.

Visitors to these websites, he adds, were redirected to malicious resources, which resulted in their computers being infected with Backdoor.Win32.Bredolab.

"In turn, Bredolab downloads other malicious programs, including a trojan that steals passwords to FTP accounts. After some time, the website for which the account details were stolen also becomes infected", he said in his analysis.

Due to its complexity, Kadiev says that the Bredolab botnet was most likely controlled by more than one person.

"However, at this point only one cybercriminal has been arrested in connection with this botnet", he noted.

Kadiev went on to say that the owners of the Bredolab botnet created and controlled a network of over 30 million zombie computers that functioned over a long period of time.

In order to keep the botnet alive, the cybercriminals skillfully and effectively concealed the botnet's command centre using fast-flux network techniques.

"This scheme not only provided reliable sustainability for the botnet's command centre, it also simplified management of malicious content: instead of having to manage malicious sites on multiple nodes, all the cybercriminals had to do was place one such site on the command and control centre and set up redirectors", he explained.
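As an added example (not part of Kadiev's analysis or of this article), the following is a defender-side heuristic for spotting the kind of fast-flux behaviour described above in passive DNS data: a name that resolves to many different addresses, spread across unrelated networks, each served with a short TTL. The domain names, addresses and thresholds are constructed for illustration.

```python
"""Fast-flux heuristic over passive-DNS style records (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DnsAnswer:
    domain: str
    ip: str
    ttl: int


# Constructed sample: one ordinary host with stable records, and one
# hypothetical redirector whose A records churn across several networks.
SAMPLE = [
    DnsAnswer("static.example-corp.test", "203.0.113.10", 86400),
    DnsAnswer("static.example-corp.test", "203.0.113.10", 86400),
    DnsAnswer("static.example-corp.test", "203.0.113.11", 86400),
    DnsAnswer("redirect.flux.test", "198.51.100.7", 120),
    DnsAnswer("redirect.flux.test", "192.0.2.44", 90),
    DnsAnswer("redirect.flux.test", "198.51.100.200", 60),
    DnsAnswer("redirect.flux.test", "203.0.113.99", 120),
    DnsAnswer("redirect.flux.test", "192.0.2.130", 100),
    DnsAnswer("redirect.flux.test", "198.51.100.33", 60),
]


def flux_features(answers):
    """Per domain: count of distinct IPs, distinct /16 prefixes, and mean TTL."""
    by_domain = defaultdict(list)
    for a in answers:
        by_domain[a.domain].append(a)
    feats = {}
    for dom, recs in by_domain.items():
        ips = {r.ip for r in recs}
        # strict=False masks the host bits so each IP maps to its /16 network.
        prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        feats[dom] = {"ips": len(ips), "prefixes": len(prefixes),
                      "mean_ttl": sum(r.ttl for r in recs) / len(recs)}
    return feats


def is_fast_flux(f, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag a domain when many IPs across several networks are served with short TTLs."""
    return f["ips"] >= min_ips and f["prefixes"] >= min_prefixes and f["mean_ttl"] <= max_ttl


def flagged_domains(answers):
    """Return the sorted list of domains whose resolution pattern looks like fast flux."""
    return sorted(d for d, f in flux_features(answers).items() if is_fast_flux(f))
```

Thresholds should be tuned against a baseline of legitimate CDN and load-balanced names, which can also show many IPs but normally stay within a few operator-owned prefixes.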

One of the key features of the Bredolab botnet, says the Kaspersky malware analyst, is the self-reinforcing cycle the botnet used to build up its zombie network: infected computers went on to infect websites, which in turn infected new victim computers.

"Furthermore, the search for new ways to redirect users to malicious domains was ongoing. The main source of threat in this instance was the infected websites that, when visited, would download malicious programs. Information from the infected user computers could then be used to infect new websites", he says.

To better defend against this and other botnet infections, Kadiev recommends that internet users promptly install updates and patches for operating systems and third-party applications, as most exploits and worms take advantage of software vulnerabilities for which patches are already available.

In addition, he recommends that users also install a proprietary anti-virus program and keep the anti-virus database up to date.

"Anti-virus programs are not a panacea, but they can significantly minimise the risk of computer infection", he said, adding that internet users should also avoid clicking on links in spam emails, in instant messaging apps and in social network messages from people they are not familiar with.
