Despite a high-profile takedown last year, the Bredolab botnet created at least 40 variants of malware in February.

According to the MessageLabs Intelligence Report for February 2011, variants of the Bredolab Trojan accounted for at least 10.3 per cent of all email-borne malware detected by MessageLabs Intelligence in February.

The company claimed that despite the takedown of the botnet in October in the Netherlands by LeaseWeb, Bredolab is not dead and techniques previously associated with Bredolab malware have now become more common among other major malware families.

In the first two weeks of February, MessageLabs Intelligence identified at least four different polymorphic engines in use by server-side packers, which changed the code structure of the Zeus, Bredolab and SpyEye malware to increase the number of variants of each.

Paul Wood, senior analyst of MessageLabs Intelligence at Symantec, said: “It seems these ongoing attacks alternate between what historically have been different malware families. For example, one day would be dedicated to propagating mainly Zeus variants, while another day was dedicated to distributing SpyEye variants.

“By 10th February, these attacks had multiplied further and were being propagated simultaneously with each malware family using its own polymorphic packer to further evade traditional anti-virus detection.

“Considering the technical difficulty of maintaining this number of polymorphic engines and that each evolves quickly to generate such a large number of variants across these three families, this is one of the first times that MessageLabs Intelligence has identified malware collaborating on a technical level to this degree and volume.”

The report also noted that the Sality.AE virus was the most prevalent. Sality.AE spreads by infecting executable files and attempts to download potentially malicious files from the internet.

Also, analysis of web security activity showed that 38.9 per cent of malicious domains blocked were new in February, a decrease of 2.2 per cent since January. Additionally, 20.3 per cent of all web-based malware blocked was new in February, a decrease of 2.2 per cent since January. There was an average of 4,098 new malicious websites per day, a decrease of 13.7 per cent since January.