The Dutch ISP that was hosting the Bredolab botnet has spoken of the investigation that brought the 30 million-strong botnet down.
Yesterday SC Magazine reported that the Dutch ISP LeaseWeb, along with the Dutch Forensic Institute (NFI), internet security company Fox-IT and the Dutch computer emergency response team (GOVCERT.NL), seized and disconnected 143 computer servers from the internet.
In this case, the botnet used servers hired in the Netherlands from a reseller of LeaseWeb, the largest hosting provider in the Netherlands. Talking to SC Magazine, security officer Alex De Joode explained that LeaseWeb is a ‘dedicated hosting provider with 30,000 servers processing 785GB of internet traffic per second’.
He said that the first indication of a problem was a tip from its community outreach programme. De Joode said that this gave a better overview of the activity and showed that LeaseWeb was hosting the command and control centre.
He said: “We got this information late in the afternoon and the Dutch police were called. We told them that something was happening on the IP and they found out that it was part of the larger botnet and wanted to investigate. They told us to take the network down but to inform them of any complaints. We said, ‘We are happy to help with the botnet, but if you want us to, you will need warrants that will shield us from any liability’.”
The Dutch police investigated the network for two months before finally taking it down on Monday 18th October and taking control on Monday of this week (25th October).
De Joode later revealed that during the investigation the controller of Bredolab was discovered to be an Armenian man who, upon learning that the police were seeking him, launched a 10GB denial-of-service attack against LeaseWeb so that the botnet could not be taken over by anyone else.
However, De Joode brushed this off, claiming that, as LeaseWeb processes 785GB a second, it was a minor threat.
“The Dutch police were in close cooperation and took control. They switched it off, but it is still operating, but not infecting; when anyone who is infected switches on their computer they are sent to a police website and they will get an update,” he said.
“We are very thankful for the Dutch police for taking down the botnet infrastructure as it makes the internet a whole lot safer. As far as we know the botnet is under police control and 30 million people will not have to worry and it is up to them to disinfect their computers.”
Asked which part of Bredolab LeaseWeb was hosting, De Joode said that the core of the botnet was hosted at LeaseWeb, while the second and third layers were hacked or compromised computers across the world.
He said: “The only thing we know is how long we rented the servers to the reseller (every person who hired more than one server is called a reseller) for six to nine months. We had no relationship with them.”