Bredolab botnet taken down after Dutch intervention
A botnet that had infected at least 30 million computers globally has been taken down by the Dutch National Crime Squad.
Working in close collaboration with a Dutch hosting provider, the Dutch Forensic Institute (NFI), internet security company Fox-IT and the Dutch computer emergency response team (GOVCERT.NL), the Dutch National Crime Squad seized and disconnected 143 servers from the internet.
The botnet used servers hired in the Netherlands from a reseller of LeaseWeb, the largest hosting provider in the Netherlands. The Dutch High Tech Crime Team discovered the network in late summer and, during its investigation, determined that the network was capable of infecting three million computers a month.
The Dutch National Crime Squad said that users whose computers are infected by this network will receive a notice the next time they log in, with information on the degree of infection and advice on removing the malware from their system.
Rik Ferguson, senior security advisor at Trend Micro, said: “Bredolab is primarily a downloading platform and has served to distribute fake anti-virus and Zeus to victim computers. The botnet, which originated in Russia, only rose to prominence in August 2009, yet Dutch authorities estimate that it was capable of infecting three million computers per month at its peak.
“The primary initial trigger for infection with Bredolab was usually through mail, but infection vectors have been widely abused and also include drive-by download and even propagation through other forms of malware, for example, Cutwail has been seen to drop Bredolab as a payload and Bredolab has been known to return the favour.
“It is unclear right now whether the botnet has been effectively decapitated or if this only represents a setback to the criminals behind it. The bots remain infected with the malware so if alternative command and control servers exist, then reconfiguration and regrouping remains a possibility.”
A report from eWeek claimed that the Iranian Cyber Army is to sell access to its botnet. Rob Rachwald, director of security strategy at Imperva, claimed that the move is ‘not surprising’, as cyber criminals are seeking different sources of revenue and botnet ‘growers’ are continuously advertising their services.
He said: “What is interesting in this case is that they were the ones performing the attack. From their point of view, most of their attacks were politically motivated but now they have realised, why not make more money on the side if they already have the infrastructure?
“If they are even so-called ideologists, they could be re-investing this earned black-money to their organisation to proceed with other attacks and develop their resources.”
Alan Bentley, VP international at Lumension, said: “Whilst this is certainly not the first case of malicious code being sold online, with the rise of highly complex attacks like Stuxnet and Zeus, the online hacker shops of old seem like child's play when compared to this new wave of collaborative cyber warfare.
“Cyber criminals are no longer just intent on stealing personal details for a quick cash hit or on sending inconvenient spam emails. They have much bigger prizes in mind, and are creating mechanisms dedicated to corporate espionage and attacks against real-world infrastructure, such as power stations. These attacks are more targeted, more sophisticated and more potent.
“The National Security Strategy's £500 million injection of cash to bolster cyber security efforts is undoubtedly a step in the right direction. But it is not just about the money. As cyber criminal techniques evolve daily, the mindset needs to switch from the approach of old, which focuses only on preventing the known bad, to preventing anything entering the network unless it is known to be good. Only by applying this level of intelligence can we be confident that our windows are locked tight and our valuable assets safe.”