Symantec Blogs: Security Response

Gilou Tenebro | October 14th, 2009

Trojan.Bredolab is a threat that has been distributed widely and consistently this year. This research paper takes a closer look at the Trojan to discover how it works, why it’s so widespread, and the motivations behind it.

In short, Bredolab is distributed by spam emails and drive-by-download attacks. (In fact, last month we blogged about a wave of spam emails used to distribute it.) Once it’s on a computer, Bredolab downloads and installs a variety of other threats. This process is outlined in the following diagram.
[Diagram: Bredolab distribution (spam and drive-by download) and the payloads it downloads]

We have seen Bredolab downloading password stealers, bots, rootkits, backdoors,...

Gilou Tenebro | August 14th, 2009

In a previous post I provided an overview of W32.Waledac’s functionality, tactics, origin, and connections. This time, I will discuss in more detail the bootstrap mechanisms and armoring techniques that Waledac uses to sustain and protect itself.

Installation

When a Waledac executable is installed, it turns the compromised system into a zombie that acts as an agent for the botnet. It creates a window named fhfhkjfhwefkwj and registers itself with the window class name jfkljfilfj23fi32io. As a self-starting mechanism, it also adds one of the following entries to the registry so that it runs whenever Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO EXECUTABLE]"

Or:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO EXECUTABLE]...
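The two Run-key entries above are the kind of indicator an incident responder checks against a registry export taken from a suspect machine. The following is an added example, not code from the Symantec post: it parses a regedit-style .reg export and reports any "PromoReg" value under either the HKLM or HKCU ...\CurrentVersion\Run key named in the write-up. The sample export is constructed for illustration, and the parser only decodes string ("name"="data") values, which is all an autorun command line needs.

```python
"""Triage a Windows .reg export for the Waledac autorun entry (added example).

Looks for a value named "PromoReg" under either of the two Run keys the
write-up names.  SAMPLE_REG below is constructed test data, not a capture.
"""
import re

# Run keys from the write-up, spelled as regedit exports them.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
WALEDAC_VALUE_NAME = "PromoReg"

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="data" where both sides may contain regedit escapes (\" and \\).
_STRING_VALUE = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$'
)


def _unescape(s):
    """Undo regedit's backslash escaping of quotes and backslashes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every REG_SZ value in a .reg export.

    Non-string values (dword:, hex:) and the @= default value are skipped.
    Real exports are UTF-16LE with a BOM; read them with encoding="utf-16".
    """
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        sec = _SECTION.match(line)
        if sec:
            current_key = sec.group("key")
            continue
        val = _STRING_VALUE.match(line)
        if val and current_key is not None:
            yield current_key, _unescape(val.group("name")), _unescape(val.group("data"))


def find_waledac_autorun(text):
    """Return [(run_key, executable_path)] for PromoReg values under a Run key.

    Key and value names are compared case-insensitively because the registry
    itself is not case-sensitive and exports vary in capitalisation.
    """
    run_keys = {k.lower() for k in RUN_KEYS}
    return [
        (key, data)
        for key, name, data in parse_reg_export(text)
        if key.lower() in run_keys and name.lower() == WALEDAC_VALUE_NAME.lower()
    ]


# Constructed sample export: one benign HKLM entry, the Waledac entry, a benign
# HKCU entry, and a same-named value under a key that is NOT in scope.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"PromoReg"="C:\\Users\\victim\\AppData\\Local\\Temp\\waledac_sample.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PromoReg"="C:\\not_in_scope.exe"
'''

if __name__ == "__main__":
    for key, path in find_waledac_autorun(SAMPLE_REG):
        print(f"Waledac autorun indicator: {key}\\PromoReg -> {path}")
```

The RunOnce entry in the sample is deliberately left out of the match so the key scoping is visible; in a real triage you would widen RUN_KEYS to whatever autostart locations your playbook covers. The window and class names (fhfhkjfhwefkwj, jfkljfilfj23fi32io) are live-system indicators and are not something a registry export can show.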