The news this week of Bredolab's disappearance marks 'a good year for shutting down botnets'

News by Dan Raywood

The action this week that shut down the Bredolab botnet is welcomed, but some researchers claim that there is more effort needed before all command and control centres disappear.

SC Magazine reported this week that the Bredolab botnet was shut down by Dutch police, after it was discovered that the ISP LeaseWeb was being used to host the 30 million-strong botnet.

LeaseWeb security officer Alex De Joode later told SC Magazine that it was hosting the core of the botnet, which was now under the control of the Dutch police who were using it to send an information page to those infected.

F-Secure's chief research officer Mikko Hypponen told SC Magazine that this was not only a success, but that 2010 was a great year for shutting down botnets overall. He said: “The guy who created Zeus is still free but he never broke the law, he created it but never attacked a bank, just gave control to those who do. It is not illegal in Russia to write malware and in Spain it is not illegal to operate a botnet.”

Rik Ferguson, senior security advisor at Trend Micro, asked whether Bredolab was dead, dying or simply dormant. Statistics show that there were over 500 binary downloads on Sunday 24th October, just under 400 on Monday 25th and around 200 on each of Tuesday 26th and Wednesday 27th.

Ferguson said: “The answer is that we do not know, but let's consider the current situation. Many, if not most, of the victim machines infected by Bredolab remain infected; the botnet has simply been decapitated. How effective has that decapitation been? The statistics show the marked decrease in the number of Bredolab samples collected from a pool of Bredolab command and control servers; this shows clearly the effectiveness of the law enforcement action.

“What we do know, though, is that there is at least one Bredolab C&C server still active and that it is not hosted in the Netherlands, and where there is one, there is the potential for more.

“TrendLabs continue to monitor the situation, but it is clear from past experience with botnets such as Mega-D and Cutwail that criminal software displays remarkable tenacity and a disturbing ability to rise phoenix-like from the ashes of a concerted take-down attempt. Let's hope that is not the case with Bredolab.”

Earlier this year the Mariposa botnet was shut down following work by PandaLabs and law enforcement in another major action. Luis Corrons, technical director of PandaLabs, who would later go on to have a personal encounter with some of the botnet users, told SC Magazine that this action was good, but shutting a botnet down will not stop the criminal.

He said: “We saw that with Mariposa. They shut down the botnet and removed the stuff, but it is really difficult to find out who is behind it. You can shut down a business with a botnet for a few months, but it will come back. This is great news, it has been great with managing the shutdown, but not enough; we will win some battles.”

Asked if he knew of any further activity with the Mariposa botnet, he said that at the end of July a gang was arrested in Slovakia along with the developer.

Kurt Baumgartner, a senior security researcher at Kaspersky Lab, wrote on the Threatpost blog that the impact of the takedown could be felt far and wide in the anti-malware community, as the Bredolab downloader was known to pull down other common malware such as Pushdo and Cutwail.

He said: “These servers are the backbone of a huge malware distribution network. This is a huge gain for law enforcement and may help them in stopping more than one group.”
