Bredolab botnet

The Bredolab botnet, also known by its alias Oficla, [1] was a Russian [2] botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers. [3] [4] [5]

The countries most affected by the botnet were Russia itself, Uzbekistan, the US, Europe, India, Vietnam and the Philippines. [6]

Operations

Though the earliest reports surrounding the Bredolab botnet originate from May 2009 (when the first malware samples of the Bredolab trojan horse were found), the botnet itself did not rise to prominence until August 2009, when there was a major surge in its size. [7] [8] Bredolab's main form of propagation was the sending of malicious e-mails with malware attachments, which would infect a computer when opened, effectively turning it into another zombie controlled by the botnet. At its peak, the botnet was capable of sending 3.6 billion infected emails every day. [9] The other main form of propagation was drive-by downloads, a method that exploits security vulnerabilities in software. This method allowed the botnet to bypass software protection and download its payload without the user being aware of it. [10]

The main income of the botnet was generated by leasing parts of it to third parties, who could then use the infected systems for their own purposes; security researchers estimate that the owner of the botnet made up to $139,000 a month from botnet-related activities. [4] [11] [12] Because of this rental business model, the payload of Bredolab was very diverse, ranging from scareware to malware and e-mail spam. [13]

Dismantling and aftermath

On 25 October 2010, a team of Dutch law enforcement agents seized control of 143 servers belonging to the Bredolab botnet, including three command and control servers, one database server and several management servers, in a LeaseWeb datacenter, [14] effectively removing the botnet herder's ability to control the botnet centrally. [2] [13] [15] In an attempt to regain control of his botnet, the botnet herder used 220,000 computers that were still under his control to launch a DDoS attack on LeaseWeb servers, though these attempts were ultimately in vain. [16] After taking control of the botnet, the law enforcement team used the botnet itself to send a message to the owners of infected computers, stating that their computer was part of the botnet. [9] [17]

Subsequently, Armenian law enforcement officers arrested an Armenian citizen, Georgy Avanesov, [4] [18] as the suspected mastermind behind the botnet. The suspect denied any involvement in the botnet. [12] [13] He was sentenced to four years in prison in May 2012. [19]

While the seizure of the command and control servers severely disrupted the botnet's ability to operate, [20] the botnet itself remained partially intact, with command and control servers persisting in Russia and Kazakhstan. [17] Security firm FireEye believes that a secondary group of botnet herders took over the remaining part of the botnet for their own purposes, possibly a previous client who reverse engineered parts of the original botnet creator's code. Even so, FireEye noted that the botnet's size and capacity had been severely reduced by the law enforcement intervention. [11] [14] [21]

References

  1. "Search the malware encyclopedia: Bredolab". Microsoft.com.
  2. Dan Raywood (26 October 2010). "Bredolab botnet taken down after Dutch intervention". SC Magazine UK. Retrieved 28 January 2012.
  3. James Wray and Ulf Stabe (28 October 2010). "Researchers: Bredolab still lurking, though severely injured (Update 3) - Security". Thetechherald.com. Archived from the original on 3 October 2011. Retrieved 28 January 2012.
  4. "Infosecurity (UK) - BredoLab downed botnet linked with Spamit.com". Infosecurity-magazine.com. 1 November 2010. Retrieved 28 January 2012.
  5. Help Net Security (2 November 2010). "The aftermath of the Bredolab botnet shutdown". Net-security.org. Retrieved 28 January 2012.
  6. "Kaspersky Threats — Bredolab". threats.kaspersky.com.
  7. "Security Threat Reports - Research Analysis - Trend Micro USA" (PDF). Us.trendmicro.com. Retrieved 28 January 2012.
  8. "Trojan.Bredolab". Symantec. Retrieved 28 January 2012.
  9. "Infosecurity (USA) - Dutch government shuts down Bredolab botnet". Infosecurity-us.com. 26 October 2010. Retrieved 28 January 2012.
  10. "Trojan.Bredolab Technical Details". Symantec. Retrieved 28 January 2012.
  11. "Bredolab Down but Far from Out After Botnet Takedown". 28 October 2010.
  12. "More Bredolab arrests may occur, say Dutch prosecutors - Techworld.com". News.techworld.com. Retrieved 28 January 2012.
  13. Schwartz, Mathew J. (29 October 2010). "Bredolab Botnet Still Spewing Malware - Bredolab Botnet". InformationWeek. Retrieved 28 January 2012.
  14. de Graaf, JD (2012). "BREDOLAB: Shopping in the Cybercrime Underworld" (PDF). ICDF2C Conference. Springer-Verlag.
  15. Josh Halliday (26 October 2010). "Suspected Bredolab worm mastermind arrested in Armenia | Technology". London: guardian.co.uk. Retrieved 28 January 2012.
  16. "Suspected Bredolab Botnet Runner Arrested in Armenia - Softpedia". News.softpedia.com. 26 October 2010. Retrieved 28 January 2012.
  17. "Undead Bredolab zombie network lashes out from the grave". 29 October 2010.
  18. "Bredolab Mastermind Was Key Spamit.com Affiliate — Krebs on Security". Krebsonsecurity.com. 30 October 2010. Retrieved 28 January 2012.
  19. "Russian spam mastermind jailed for creating botnet". BBC News. 24 May 2012. Retrieved 24 May 2012.
  20. "Bredolab, dead, dying or dormant? » CounterMeasures". Countermeasures.trendmicro.eu. 26 October 2010. Retrieved 28 January 2012.
  21. Atif Mushtaq (26 October 2010). "FireEye Malware Intelligence Lab: Bredolab - Severely Injured but not dead". Blog.fireeye.com. Retrieved 28 January 2012.