Researchers: Bredolab still lurking, though severely injured (Update 3)
by Steve Ragan - Oct 28 2010, 21:41
Researchers at FireEye have confirmed the Dutch police’s success in crippling the Bredolab botnet. However, while examining their Malware Intelligence Network, MAX, FireEye discovered one C&C server has remained active. Does this mean that Bredolab can make a return?
FireEye’s Atif Mushtaq, who did the research on the Bredolab shutdown, confirmed that all of the known C&Cs used by Bredolab’s operators were offline. The praise that is being handed to the Dutch National Crime Squad (THTC) for their efforts in killing this botnet is well deserved. It was a massive effort that took several agencies to accomplish.
“The sole purpose of Bredolab was to spread itself as aggressively as possible and offer pay per install services (normally a few cents per installation) to other cyber criminals who might not be very good at spreading their own malware,” Mushtaq wrote in the FireEye blog.
Pegged at 30 million strong, the Bredolab botnet was reported to have pushed nearly 3.6 billion malicious emails. Often, the payloads delivered by email attachment or by malicious links on social networks were Trojans. Sometimes they were rogue anti-virus applications, but the type of malware depended on the whim of the criminal controlling that segment of the overall botnet.
Mushtaq discovered that while 143 C&C servers were indeed taken offline, a single C&C in Russia (proobizz.cc) has remained. This C&C, and the bots communicating with it, are faithfully carrying out the last command issued to them. The command instructed them to download various types of malware, including TDSS.
Known as Alureon to some, or TDL3, the TDSS family of rootkits has caused enormous amounts of damage to home and business users. Earlier this year, TDSS triggered Blue Screens of Death when MS10-015 was installed. What happened was that MS10-015 updated several kernel APIs, and as a result TDL3 started calling invalid RVAs (relative virtual addresses), thus triggering the BSoD issues.
TDL3 first registers itself as a print processor in the printer subsystem (spoolsv.exe), which runs with administrative rights. Virus scanners that monitor the behavior of processes will not be alarmed, because the printer subsystem is a trusted part of Microsoft Windows.
“TDL3 has now full system access rights as Print Processor and infects the lower level system driver that is responsible for the communication with the hard drive. When virus scanners want to check this driver, they see the original file so they are unable to recognize the infection,” security vendor SurfRight explained in an advisory earlier this year.
After that, TDL3 places an encrypted file system on top of the standard file system in the last sectors of the hard drive. The encryption ensures that the files cannot be read directly from disk, thus avoiding detection by anti-virus software. The encrypted file system is then used to store other malware downloaded from the Internet.
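The hidden store at the end of the disk described above leaves a trace a forensic check can look for: the gap between where the last partition ends and where the disk ends, and the entropy of what sits in it. The following is an added example (not code from the article, FireEye or SurfRight) that parses an MBR partition table, measures the unallocated tail, and flags a disk whose tail is both larger than ordinary alignment slack and high-entropy. The 1 MiB slack threshold, the 7.0 bits/byte entropy cutoff, the constructed 1 GiB sample disk and the SHA-256 stand-in for encrypted sectors are all assumptions for illustration, and only primary MBR entries are read (no extended partitions, no GPT).

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
SLACK_THRESHOLD = 2048  # sectors (1 MiB); assumption: ordinary alignment slack is smaller

def parse_mbr(mbr: bytes) -> list:
    """Decode the four primary partition entries of a classic MBR sector."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for off in range(446, 446 + 64, 16):
        ptype = mbr[off + 4]
        start_lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count:
            parts.append({"type": ptype, "start": start_lba, "sectors": count})
    return parts

def tail_sectors(mbr: bytes, total_sectors: int) -> int:
    """Sectors after the last partition ends: the unallocated tail of the disk."""
    parts = parse_mbr(mbr)
    return total_sectors - max((p["start"] + p["sectors"] for p in parts), default=1)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for zero-filled sectors, close to 8 for encrypted data."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def report(mbr: bytes, total_sectors: int, tail_sample: bytes) -> dict:
    """Flag a disk whose unallocated tail is both large and high-entropy."""
    tail = tail_sectors(mbr, total_sectors)
    ent = shannon_entropy(tail_sample)
    return {"tail_sectors": tail, "tail_entropy": round(ent, 2),
            "suspicious": tail > SLACK_THRESHOLD and ent > 7.0}

# Constructed 1 GiB disk: one NTFS partition (type 0x07) starting at LBA 2048 and
# stopping 8192 sectors (4 MiB) short of the end, as a hidden store at the tail would.
DISK_SECTORS = 2_097_152
SAMPLE_MBR = bytearray(SECTOR)
struct.pack_into("<B3xB3xII", SAMPLE_MBR, 446, 0x80, 0x07, 2048, DISK_SECTORS - 2048 - 8192)
SAMPLE_MBR[510:512] = b"\x55\xaa"
SAMPLE_MBR = bytes(SAMPLE_MBR)
# Constructed stand-in for the tail's contents: a deterministic SHA-256 chain (high entropy).
SAMPLE_TAIL = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
```

On a real system the first 512 bytes of the raw disk device and a sample of its last sectors would replace SAMPLE_MBR and SAMPLE_TAIL; a zero-filled or near-zero tail is normal, a large random-looking one deserves a closer look.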
What makes this Malware family unique, Mushtaq explains, is that, “TDSS is one of the very few botnets that use SSL for their command and control communication.”
“There is a possibility that this particular CnC domain was simply overlooked during this crackdown and now zombies communicating to this CnC are on auto-pilot. If this is the case then in the absence of the bot herders to control things, there is a good chance that malware connecting to this CnC will continue to obey the last configured command.”
No one is certain if the person arrested shortly after the Bredolab takedown is the one controlling the Russian C&C. There is also no clear answer as to how the C&C remained after the massive sweep. The Dutch police had the help of the host who maintained the other 143 servers, so perhaps the fact that it is located in Russia is the only reason it wasn’t taken offline as well.
So then, given that the Russian C&C is online, was the takedown unsuccessful? In his blog post, Mushtaq reminded those who may have forgotten that the Pushdo.D botnet also rose from the ashes after a massive hit. This takedown is different.
“In the case of Pushdo.D, there was a long list of CnC servers out of which some were never taken down. This made it possible for the bot herders behind it to recover after a few weeks. Bredolab doesn't maintain a long list of backup CnC servers. Instead different malware builds come with a small and distinct set of CnC domains. So I have no doubt that a big portion of this botnet has been dismantled and is never going to recover,” he explained.
For now, it’s a wait and see scenario. Unless someone uses the C&C to issue new commands, the Bredolab botnet is as good as dead. Mushtaq said that he plans to keep tabs on the status of the remaining C&C. You can follow his progress on the FireEye blog.
Symantec is confirming some of the data FireEye has discovered. According to a spokesperson, MessageLabs Intelligence is still seeing different Bredolab runs from yesterday morning.
The first run started at 09:21AM and ended at around 11:50AM. The second run started at 10:30AM and stopped at 10:50AM. The third run started at 2:30PM and stopped at 3:30PM.
[Symantec did not list the time zone, but we're thinking UTC. -ED]
More than 750 Bredolab emails have been observed, nearly 400 of them targeting Spanish e-mail users. All carried a similar subject referring to "DHL International." Like the other Bredolab-based malicious email attachments, they use fake icons (a fake MS Excel icon in our example) to deceive the user.
If opened, the attachments connect to a C&C in Russia. The payload delivered is rogue anti-virus.
There is more information coming. Right now, there are two confirmed Bredolab C&Cs. The first one, proobizz.cc, last issued commands at 6:40 a.m. this morning. This is the active server that FireEye reported on.
The second C&C, discovered by Symantec, has also been monitored by FireEye researchers. The domain, LodFewPleaser.com (126.96.36.199), is hosted in the same colocation facility as the original C&C. So now there are two Bredolab C&C servers active in Russia.
As an interesting side note, the second C&C is using dynamic DNS out of China (dns.com.cn).
A ThreatExpert report on the payload from the second C&C is here.
FireEye has discovered a third C&C, in Kazakhstan, which is pushing rogue anti-virus software to infected systems. More information is here. At the time of the discovery, the malware being pushed by upload-good.net was detected by only a single anti-virus vendor (AntiVir).