Oct 29, 2010 08:04 GMT

Following a takedown effort orchestrated by Dutch authorities, Bredolab has been severely crippled; however, security researchers warn that the botnet still has a fighting chance.

At the beginning of the week, the High Tech Crime Team of the Dutch national police, together with the Dutch Forensic Institute, the Computer Emergency Response Team of the Dutch Government, a security vendor called Fox-IT and LeaseWeb, the largest hosting company in the Netherlands, took offline 143 command and control (CnC) servers used by the Bredolab botnet.

Not only that, but they instructed the army of infected computers to download a special program that changed the browser's home page to point to a website maintained by the Dutch police, with information about the operation.

Bredolab is a family of trojans primarily used as a malware distribution platform for scareware and other malicious applications.

Cybercriminal gangs paid the Bredolab botnet master, believed to have been arrested in Armenia on Monday evening, to infect compromised computers with their own creations.

The botnet's CnC servers were almost exclusively hosted by a LeaseWeb reseller and were taken down during the Dutch operation; however, "almost" could spell trouble.

Researchers from security vendor FireEye warned on Tuesday that a server was still operational in Russia, and since then the company has identified two more active ones, in Russia and Kazakhstan.

Not only that, but some of these servers have actually issued new commands to a new variant of Bredolab that currently has very low antivirus detection.

"I am pretty sure that the bot herders behind this variant are fully active and probably not the guy arrested by the Dutch police," said Atif Mushtaq, a researcher at FireEye Malware Intelligence Lab.

The expert has a possible explanation for this – that the Bredolab source code was leaked at some point and someone else is building custom variants.

"No doubt some of the bot herders are still untouched and committed enough to continue their operations even under this extra scrutiny," he concludes.