Workings of 30 Million Strong Bredolab Botnet Laid Bare

20 Dec 2010
Virus News

Kaspersky Lab presents ‘End of the Line for the Bredolab Botnet?’, an article by malware analyst Alexey Kadiev. The botnet emerged in mid-2009 and comprised some 30 million infected computers all over the world. In October, the Dutch police force’s Cybercrime Department announced the shutdown of 143 Bredolab botnet control servers. Alexey Kadiev’s article reveals both the business models and the malware technologies used to construct a botnet that managed to operate successfully over a prolonged period of time.

Bredolab’s key purpose is to download other malicious programs onto victim computers. One of the botnet’s most distinguishing features was its method of operation: legitimate websites that had been hacked were used to spread the botnet’s payload. Visitors to these websites were redirected to malicious resources which resulted in their computers being infected with Backdoor.Win32.Bredolab. In turn, Bredolab downloads other malicious programs, including a Trojan that steals passwords to FTP accounts. After some time, the website for which the account details were stolen also becomes infected. Using stolen usernames and passwords for FTP accounts some of the website’s contents are downloaded and then uploaded back onto the website having been injected with malicious code from the server. After another user visits the infected site, the process described above begins all over again. The botnet’s self-sustaining capability as described above is no doubt effective, if only for the way that it automated the process of infecting ever more computers. Nevertheless, the cybercriminals continued to come up with new ways of spreading their malicious net ever wider. For example, the malicious code could be embedded into highly popular sites, distributed in spam mail imitating messages from Twitter, YouTube, Amazon, Facebook, Skype etc.

“Due to its complexity, the Bredolab botnet was most likely controlled by more than one person. However, at this point only one cybercriminal has been arrested in connection with this botnet,” says Alexey Kadiev. “It is possible that the other participants in this criminal group are still engaging in these activities, since the scheme that they came up with and put into operation is rather effective.”

Vulnerabilities in website coding can be used to infect a website. In order to minimize the chances that cybercriminals will take advantage of a vulnerability, it is necessary to monitor the software updates released and promptly update website software. It is worth remembering that some services also provide malware code scanning and scanning for unauthorized content changes. For security purposes, it is best to switch off any autosave functionality for FTP passwords and FTP clients. Many programs that steal FTP account passwords, particularly Bredolab’s Trojan-PSW.Win32.Agent.qgg, search for passwords that have been saved on an infected computer. For site administrators, it may be useful to make a backup copy of a website from time to time, including any databases and files that may contain important data, so that data is safe in the event of infection.

The full version of the article is available at