Bredolab - Severely Injured but not dead

Today started with some good news. The mega botnet known as Bredolab has been taken down.  Kudos to the Dutch police and involved ISPs.  Over the years, Bredolab evolved into a powerful pay per install network.  The bot herders behind it have shown great expertise in spreading their core malware using different infection vectors such as drive by downloads and social engineering.  The sole purpose of Bredolab was to spread itself as aggressively as possible and offer pay per install services (normally a few cents per installation) to other cyber criminals who might not be very good at spreading their own malware.

What's happening at the moment? In order to gather the most up to date intelligence, I looked into FireEye's MAX network. There was no doubt that all the known active servers were no longer responding. But surprisingly, I was able to find one CnC server which is fully active at the moment. This CnC server is:

 proobizz.cc

 

nslookup proobizz.cc
Non-authoritative answer:
Name:   proobizz.cc
Address: 109.196.134.41

The whois record for this IP shows its location right in the heart of Russia.

Bredolab

It's a mystery if this server is owned by the same bot herder who was arrested by Dutch police today or is under the control of some other stakeholder.  There is a possibility that this particular CnC domain was simply overlooked during this crackdown and now zombies communicating to this CnC are on auto-pilot. If this is the case then in the absence of the bot herders to control things, there is a good chance that malware connecting to this CnC will continue to obey the last configured command.  The current command being used by this variant is to download a variety of different malware including the infamous TDSS. TDSS is one of the very few botnets that use SSL for their command and control communication.

  Bredolab_tdss

Should we assume this will become another unsuccessful takedown attempt as we saw in case of Pushdo.D a few months ago?  I don't think so, the situation is very different here.  In the case of Pushdo.D , there was a long list of CnC servers out of which some were never taken down. This made it possible for the bot herders behind it to recover after few weeks.  Bredolab doesn't maintain a long list of backup CnC servers. Instead different malware builds come with a small and distinct set of CnC domains.  So I have no doubt that a big portion of this botnet has been dismantled and is never going to recover.

Let's see if authorities take any further action against this left over domain so that we finally see the death of another botnet like we have seen for Srizbi, Rustock.A, Mariposa and Pushdo.B etc. I will continue to update this article in case any more live CnCs are found.  It will also be very interesting to find if, in the coming days, anyone behind this leftover domain starts issuing new instructions.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM