Trojan.Bredolab is a Trojan horse that downloads and executes files from the Internet. It may arrive on the computer through email or a drive-by download. The Trojan also attempts to avoid detection by employing several evasion techniques.
Infection
Bredolab has been observed using the following two primary methods of distribution:
A drive-by download occurs when a user visits a website that has been compromised or rigged to host an exploit. The exploit causes malware to be downloaded onto and run on the user's computer without his or her consent or any further interaction.
The email distribution method relies on social engineering to convince the user to open the attachment in the email. The emails are crafted to appear as legitimate as possible in order to deceive the user. It is also common for the threat to reuse a theme while varying the message body and the attachment names slightly between campaigns. For example, these themes have already been observed:
- Western Union free money
- UPS delivery failures
- Shop.corsair.com shipping confirmations
- Facebook password changes
Functionality
The primary function of this threat is to download more malware onto the compromised computer. It is likely that the authors of the threat are associated with affiliate schemes that generate money through the distribution of malware. The threat may also be used to help construct a bot network that can be sold or hired for monetary gain.
Self-protection
The threat also employs the following techniques in order to avoid detection:
- Server-side polymorphism - the distribution server repacks the threat for each download, so individual copies differ in packing and appearance and a signature for one sample does not match the next
- Anti-debugging tricks - the threat performs checks to determine whether it is executing under a debugger or inside an analysis environment before running its real code
- Encoded communication - all communication between the threat and the remote server is encrypted, so its content cannot be read in transit
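As an added illustration of the server-side polymorphism bullet above (example code written for this page, not Bredolab's own packer or any Symantec tooling), the following toy wrapper re-keys and re-pads the same payload on every simulated download, then runs a hash-based check and a generic content check against the results. The `MAGIC` header, the XOR key stream, the `PAYLOAD` bytes and all function names are constructed for the example; a real packer is far more involved, but the detection consequence is the same.

```python
import hashlib
import os
import struct

# Constructed stand-in for the downloader body. Not Bredolab code.
PAYLOAD = b"MZ\x90\x00" + b"stand-in payload bytes for the example" * 4

# Hypothetical wrapper header used only by this example.
MAGIC = b"SSP1"

def polymorphic_wrap(payload: bytes, rng=os.urandom) -> bytes:
    """Return a freshly packed copy of `payload` on every call.

    Mimics what a server-side polymorphic distribution point does: each
    download gets a new single-use key and a random-length junk prefix, so
    no two copies share bytes beyond the small header. The XOR stream is a
    toy; it stands in for whatever packer the real server applies.
    """
    key = rng(16)
    junk_len = rng(1)[0]                       # 0..255 bytes of random padding
    junk = rng(junk_len)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return MAGIC + key + struct.pack("<B", junk_len) + junk + body

def polymorphic_unwrap(blob: bytes) -> bytes:
    """Recover the original payload, as the unpacking stub would at run time."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a wrapped blob")
    key = blob[4:20]
    junk_len = blob[20]
    body = blob[21 + junk_len:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_detect(blob: bytes, known_hashes: set) -> bool:
    """Plain file-hash signature: only matches a copy that has been seen before."""
    return sha256(blob) in known_hashes

def generic_detect(blob: bytes) -> bool:
    """Generic/heuristic-style check: look at the code underneath the packing.

    Here that means unpacking first and matching a constructed marker inside
    the payload; a real engine would emulate or unpack and then match on code
    or behaviour rather than on a fixed string.
    """
    if not blob.startswith(MAGIC):
        return False
    return b"stand-in payload" in polymorphic_unwrap(blob)

def simulate_downloads(payload: bytes, n: int) -> dict:
    """Serve `n` downloads of the same payload and count what each kind of
    detection would see: one distinct hash per copy versus one payload."""
    blobs = [polymorphic_wrap(payload) for _ in range(n)]
    on_disk_hashes = {sha256(b) for b in blobs}
    unpacked_hashes = {sha256(polymorphic_unwrap(b)) for b in blobs}
    return {
        "downloads": n,
        "distinct_file_hashes": len(on_disk_hashes),        # n: every copy looks new
        "distinct_unpacked_hashes": len(unpacked_hashes),   # 1: same code underneath
        "generic_hits": sum(generic_detect(b) for b in blobs),
    }

if __name__ == "__main__":
    first = polymorphic_wrap(PAYLOAD)
    known = {sha256(first)}
    second = polymorphic_wrap(PAYLOAD)
    print("hash signature matches the second download:", hash_detect(second, known))
    print("generic check matches the second download: ", generic_detect(second))
    print(simulate_downloads(PAYLOAD, 5))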
GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
- Antivirus signatures
- Antivirus (heuristic/generic)
- Browser protection: Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.