

Risk Level 1: Very Low

May 28, 2009
August 8, 2012 12:43:37 PM
Also Known As:
Troj/FakeAV-BYW [Sophos]
Infection Length:
51,200 bytes
Systems Affected:
CVE References:
CVE-1999-1224, CVE-2006-0003, CVE-2007-1775, CVE-2008-1084, CVE-2008-2463
Trojan.Bredolab is a Trojan horse that downloads and executes files from the Internet. It may arrive on the computer through email or a drive-by download. The Trojan also attempts to avoid detection by employing several evasion techniques.


Bredolab has been observed using the following two primary methods of distribution:
  • Drive-by download
  • Email

A drive-by download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded onto the user's computer without his or her consent.

The email distribution method uses social engineering to convince the user to open the attachment in the email. The emails are crafted to appear as legitimate as possible in order to deceive the user. It is also common for the threat to reuse themes, with slight variations in the body of the message and the attachment names. For example, the following themes have already been observed:

  • Western Union free money
  • UPS delivery failures
  • Shop.corsair.com shipping confirmations
  • Facebook password changes


The primary function of this threat is to download more malware onto the compromised computer. It is likely that the authors of the threat are associated with affiliate schemes that attempt to generate money through the distribution of malware. The threat may also be used to help construct a bot network that can be sold or hired for monetary gain.

It also employs the following techniques in order to avoid detection:
  • Server-side polymorphism - the threat constantly changes its packing method and appearance, so that each downloaded copy looks different to signature-based detection
  • Anti-debugging tricks - the threat performs checks to determine whether it is executing within a debugging environment
  • Encoded communication - all communication between the threat and the remote server is encrypted

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection

Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Antivirus Protection Dates

  • Initial Rapid Release version: May 28, 2009, revision 022
  • Latest Rapid Release version: March 12, 2018, revision 019
  • Initial Daily Certified version: May 28, 2009, revision 023
  • Latest Daily Certified version: March 13, 2018, revision 002
  • Initial Weekly Certified release date: June 3, 2009
Writeup By: Éamonn Young, Mario Ballano, and Takashi Katsuki
