
Trojan.Bredolab

Risk Level 1: Very Low

Discovered: May 28, 2009
Updated: August 8, 2012 12:43:37 PM
Also Known As: Troj/FakeAV-BYW [Sophos]
Type: Trojan
Infection Length: 51,200 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
CVE References: CVE-2006-0003, CVE-2008-1084, CVE-2008-2463

Trojan.Bredolab is a Trojan horse that downloads and executes files from the Internet. It may arrive on the computer through email or a drive-by download. The Trojan also attempts to avoid detection by employing several evasion techniques.


Infection

Bredolab has been observed using the following two primary methods of distribution:
  • Drive-by download
  • Email


A drive-by download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded onto the user's computer without his or her consent.

The email distribution method employs social engineering tricks to convince the user to open the attachment in the email. All of the emails are crafted in such a way as to appear as legitimate as possible in order to deceive the user. It is also common for the threat to reuse themes but with slight variations on the body of the message and the attachment names. For example, these themes have already been observed:

  • Western Union free money
  • UPS delivery failures
  • Shop.corsair.com shipping confirmations
  • Facebook password changes


Functionality

The primary function of this threat is to download more malware onto the compromised computer. It is likely that the authors of the threat are associated with affiliate schemes that attempt to generate money through the distribution of malware. The threat may also be used to help construct a bot network that can be sold or hired for monetary gain.


Self-protection

The threat also employs the following techniques in order to avoid detection:
  • Server-side polymorphism - the threat constantly changes its method of packing and its appearance in order to avoid detection
  • Anti-debugging tricks - the threat performs checks to determine whether it is executing within a debugging environment
  • Encoded communication - all communication between the threat and the remote server uses encryption



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.

[Figure: geographical distribution map]


PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.

[Figure: worldwide prevalence chart]






SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.

  • Antivirus signatures
  • Antivirus (heuristic/generic)
  • Browser protection

Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Antivirus Protection Dates

  • Initial Rapid Release version May 28, 2009 revision 022
  • Latest Rapid Release version December 25, 2014 revision 009
  • Initial Daily Certified version May 28, 2009 revision 023
  • Latest Daily Certified version December 25, 2014 revision 003
  • Initial Weekly Certified release date June 3, 2009

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: 50 - 999
  • Number of Sites: 10+
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Downloads more malware onto the compromised computer.
  • Deletes Files: May delete certain files on the compromised computer.
  • Compromises Security Settings: Lowers security settings to avoid detection.

Distribution

  • Distribution Level: Low

Writeup By: Éamonn Young, Mario Ballano, and Takashi Katsuki
