Yet Another Botnet Dismantled, Alleged Botmaster Arrested

No doubt 2010 will go down as the year of the botnet takedown as yet another botnet met its demise this week: Dutch authorities announced that they have struck down the Bredolab botnet and arrested its alleged mastermind, marking the fourth consecutive major botnet to go down this year in coordinated, team efforts to root out these vehicles of cybercrime.

Bredolab, which had some 30 million bot-infected machines in its army worldwide, was a spamming botnet known for pushing fake antivirus, phony pharmaceuticals, spreading other Trojan malware, and stealing the victim machine's financial information. The botnet had the capacity and capability to infect 3 million bots a month, according to the Dutch High Tech Crime Team, which led the investigation. Bredolab had sent some 3.6 billion emails containing its malware by the end of 2009.

And the Bredolab botmaster may also be in custody: a 27-year-old Armenian man was arrested today as part of the investigation. Radio Netherlands reported that the man had unsuccessfully tried to wrest the botnet back from investigators and then launched a distributed denial-of-service attack against the botnet, using an army of 220,000 infected machines. Investigators blocked this attack by disconnecting three servers in Paris, according to Radio Netherlands.

In an unusual move, Dutch authorities used the C&C domains to notify victims via a pop-up message that their machines were bot-infected with Bredolab. Owners of the bot-infected machines are directed to this page when they log into their machines, where they receive information about the infection and how to clean up.

Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, in Germany, who with a team of researchers helped shut down Waledac's C&C infrastructure and then the Pushdo botnet as well, says this was an interesting move by authorities. "Notification of this kind is something rather uncommon because of all of the legal issues involved with this," Holz says. "Whenever you send a message to an infected system" raises legal and ethical questions he says.

The trick, too, is convincing and reassuring the victim that it's a legitimate message, especially with Bredolab, which pushes fake antivirus software. "The victim has to be able to recognize that this is a legitimate pop-up. Fake AV also does this in a similar way," Holz says. "It's a fine line where you see a real notification and educate them on something wrong in a notification."

Derek Manky, project manager for cyber security & threat research at Fortinet, says this approach taken by Dutch authorities is rarely if ever taken. "From what I understand, the main difference about this takedown vs. previous ones (a la Zeus, Cutwail, etc) is that authorities here seized control of the command servers and replaced the malicious Bredolab binaries with 'good' code that instructed infected machines -- they would reach out to download the good code -- to the authorities' site warning of the infection," he says. "With previous takedowns, the C&C's have been taken offline completely so that infected machines still remain but cannot contact the dead servers. I believe they did this in this case to attempt to further clean infected machines, and ensure that the botmaster could not regain control."

Dutch hosting provider LeaseWeb helped Dutch authorities, as well as the Dutch Forensic Institute, Fox-IT, the Dutch CERT in zeroing in on and shutting down some 143 servers that controlled Bredolab, which had been hosted via a reseller of LeaseWeb, the biggest hosting provider in the Netherlands and a major player in Europe as a whole.

But the reality is that botnet takedowns are often only temporary victories for law enforcement and the security community. Unless the real masterminds are caught—which occurred with Mariposa and possibly now with Bredolab—these networks typically just get resurrected again, with different malware, or different architectures and relocated command and control servers.

Trend Micro Labs says there's at least one Bredolab C&C server still in operation -- it's not in the Netherlands -- so there's a chance there are others out there alive and well, too.

Bots are not easy to clean up. Botnet takedowns are typically more of a temporary solution, and many bots never really get completely cleaned up even after their botnet masters are shut off from communicating with them. Victims either don't wipe out the bot software, or the machines also harbor other bot infections and ultimately get recruited for other botnets. In many cases, these machines are already poorly maintained, so they are easily reinfected by another botnet, and the cycle continues.

Microsoft recently reported that it cleaned up twice as many bot-infected Windows machines in the first half of this year than the corresponding period in 2009. It removed 6.5 million bots From Windows machines in the second quarter of this year alone, according to the Microsoft Security Intelligence Report volume 9 (SIRv9).

Bredolab spreads via spam messages with infected attachments or drive-by downloads from infected websites. It often downloads other Trojans and uses keyloggers, for instance, as well. "Typically, the attacks were spammed out via old-fashioned, but still worryingly successful, spam campaigns as malicious attachments. In other words, no zero day exploits, no sophisticated new techniques, just effective social engineering to make people run the attachments in the first place," Graham Cluley, senior technology consultant for Sophos, said in a blog post today.

Holz says Bredolab was not only a relatively large botnet, but a very sophisticated and difficult one to crack. "It had a very complicated infrastructure with different layers of proxies in between. It was run very professionally," Holz says. "It was hard to get back to the main controller ... there were several layers of redirection and you had to trace them in over several hops in the C&C. It took coordination among each of the providers in between to ... find the real back-end."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.