Bredolab Trojan botnet crippled by Dutch cybersecurity teams

Police took over the command-and-control servers responsible for sending orders to Bredolab, a notorious spam botnet known for spreading rogue antivirus programs.

Dutch law enforcement and computer emergency response teams took out the Bredolab botnet, seizing and disconnecting more than 100 command-and-control servers used to send orders to hordes of zombie machines.

"Users of computers with viruses from this network will receive a notice at the time of next login with information on the degree of infection."

Dutch law enforcement statement

Bredolab, known for spreading spam and rogue antivirus, is thought by some experts to have infected at least 30 million computers.

The Bredolab Trojan spread via drive-by downloads from compromised websites and via spam email attachments, installing a backdoor that downloads additional malware without the victim's knowledge. It was also known for sending spoofed password reset messages to Facebook users in an attempt to spread the malware among users of the social network.

"The virus has the power to obtain information on the user's computer including the ability to copy, change or delete files and other information," according to a statement issued by the Dutch National Crime Squad's High Tech Crime Team.

Police said 143 servers were taken down by the Dutch computer emergency response team, effectively cutting off the cybercriminals from the infected machines. Law enforcement worked with a Dutch hosting provider, the Dutch Forensic Institute (NFI), the Internet security company Fox IT and GOVCERT.NL to take out the command-and-control servers.

In addition, Dutch police will use the seized servers to push a notice to users of infected machines with advice on removing the malware from their systems. Most infections were in the U.S. and the U.K., with many more across Western Europe.

The Dutch High Tech Crime Team discovered this botnet system in the late summer and determined that the network was capable of infecting 3 million computers a month. The botnet network used servers hired in the Netherlands from a reseller of LeaseWeb, which is the largest hosting provider in the Netherlands, and one of the largest hosts in Europe.

In addition to the Facebook password-reset messages, Symantec researchers said spam messages attempting to spread the Bredolab Trojan spoofed Western Union notifications, UPS delivery failures and shipping confirmation notices. The Trojan, according to Symantec, constantly changed its appearance to evade detection by traditional signature-based antivirus. Like other botnets, the Trojan communicated with its command-and-control servers using encrypted messages.
