Forum latest

Yet Another Botnet Dismantled, Alleged Botmaster Arrested
Written by Daniel   
Wednesday, 27 October 2010 17:49

From DarkReading

Dutch authorities take unusual tack in directly contacting machines infected by 'Bredolab' botnet

No doubt 2010 will go down as the year of the botnet takedown as yet another botnet met its demise this week: Dutch authorities announced that they have struck down the Bredolab botnet and arrested its alleged mastermind, marking the fourth consecutive major botnet to go down this year in coordinated, team efforts to root out these vehicles of cybercrime.

Bredolab, which had some 30 million bot-infected machines in its army worldwide, was a spamming botnet known for pushing fake antivirus, phony pharmaceuticals, spreading other Trojan malware, and stealing the victim machine's financial information. The botnet had the capacity and capability to infect 3 million bots a month, according to the Dutch High Tech Crime Team, which led the investigation. Bredolab had sent some 3.6 billion emails containing its malware by the end of 2009.


And the Bredolab botmaster may also be in custody: a 27-year-old Armenian man was arrested today as part of the investigation. Radio Netherlands reported that the man had unsuccessfully tried to wrest the botnet back from investigators and then launched a distributed denial-of-service attack against the botnet, using an army of 220,000 infected machines. Investigators blocked this attack by disconnecting three servers in Paris, according to Radio Netherlands.

In an unusual move, Dutch authorities used the C&C domains to notify victims via a pop-up message that their machines were bot-infected with Bredolab. Owners of the bot-infected machines are directed to this page when they log into their machines, where they receive information about the infection and how to clean up.

Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, in Germany, who with a team of researchers helped shut down Waledac's C&C infrastructure and then the Pushdo botnet as well, says this was an interesting move by authorities. "Notification of this kind is something rather uncommon because of all of the legal issues involved with this," Holz says. "Whenever you send a message to an infected system" raises legal and ethical questions he says.

The trick, too, is convincing and reassuring the victim that it's a legitimate message, especially with Bredolab, which pushes fake antivirus software. "The victim has to be able to recognize that this is a legitimate pop-up. Fake AV also does this in a similar way," Holz says. "It's a fine line where you see a real notification and educate them on something wrong in a notification."

Derek Manky, project manager for cyber security & threat research at Fortinet, says this approach taken by Dutch authorities is rarely if ever taken. "From what I understand, the main difference about this takedown vs. previous ones (a la Zeus, Cutwail, etc) is that authorities here seized control of the command servers and replaced the malicious Bredolab binaries with 'good' code that instructed infected machines -- they would reach out to download the good code -- to the authorities' site warning of the infection," he says. "With previous takedowns, the C&C's have been taken offline completely so that infected machines still remain but cannot contact the dead servers. I believe they did this in this case to attempt to further clean infected machines, and ensure that the botmaster could not regain control."

[More...] [Comments...]



See also

None found.

Hardware | Windows | Linux | Security | Mobile Devices | Gaming
Tech Business | Editorial | General News | folding@home

Forum | Download Files

Copyright ©2001 - 2012, AOA Forums.  All rights reserved.

Alliance of Overclocking Arts

Links monetized by VigLink

Don't Click Here Don't Click Here Either