Video Screencast Help
Symantec Intelligence

Bredolab is still in the wild

Created: 27 Oct 2010 • Updated: 27 Oct 2010
MarissaVicario's picture
0 0 Votes
Login to vote

Posted on behalf of Jo Hurcombe and Manoj Venugopalan, Malware Analysts, Symantec Hosted Services

 

As many of us already heard the great news about Bredolab Malware that been shut down by Dutch authorities.

“On October 25th 2010, the High Tech Crime Team of the Dutch National Crime Squad took down a very large botnet, containing at least 30 million infected computer systems worldwide since July 2009. These computers were infected with the malicious Bredolab trojan, through infected websites. Through these botnets, cybercriminals can spread large amounts of other viruses and create new botnets.

In close cooperation with a Dutch hosting provider, The Dutch Forensic Institute (NFI), the internet security company Fox-IT and GOVCERT, the computer emergency response team of the Dutch government, shut down 143 computer servers today”

But MessageLabs Intelligence is still seeing different Bredolab runs (distributing different payloads) from yesterday morning. The first run started at 09:21AM and ended at around 11:50AM. The second run started at 10:30AM and stopped at 10:50AM.  The third run started at 2:30PM and stopped at 3:30PM.

Figure A – Example of recent email with Bredolab attachment.

We have seen more than 750 Bredolab E-mails and nearly 400 among them were targeting Spanish e-mail users. All e-mails contained a similar subject referring to “DHL International.”  They have been using the DHL and UPS Invoice subjects for a long time.

 

Figure B – Installed Bredolab Trojan process using MS Excel icon

As like the other Bredolab malware, it uses fake icons (Fake MS Excel icon in our example ) to deceive the user.

Once the user executes the file, it drops a few hidden files in %system32% and %temp% folder.  The downloader hooks into the system to process (svchost.exe in our example ) and connect to its C&C server.

 

Figure C – Network trace of Bredolab Trojan receiving instructions

 

Figure D – Detail network trace of Bredolab instruction to download fake security product

In the above example, you can see that it connects to http://<removed>.ru CnC server to download payload.

[info] runurl: http://<removed>/test/<removed>.exe[/info]

Currently this Trojan downloads and installs the Fake AV Products without user knowledge.

Figure E – Example of fake security product installed by the Bredolab Trojan

Symantec Hosted Service detected all  malware before it reached the customer.