A massive takedown operation conducted by Dutch police and security experts earlier this week does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover.
The latest look at the botnet by FireEye's Malware Intelligence Lab shows that two domains are still being used to issue instructions to infected computers. PCs infected with Bredolab are programmed to check in with certain domains in order to receive new commands.
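That check-in behaviour is what a defender can look for: a compromised host polling the same domain on a timer produces requests at near-regular intervals, unlike the bursty, irregular traffic of a person browsing. As an added example (not from the article or from FireEye's analysis), the following Python script groups web proxy log entries by client and destination and flags pairs with many requests at low inter-arrival jitter. The domain names, client addresses and log lines are constructed, and the thresholds are illustrative.

```python
"""Flag periodic check-ins (C2-style beaconing) in web proxy logs.

Added example, not from the article or FireEye. Each log line is assumed to be
"<ISO timestamp> <client ip> <destination host>"; the sample below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host polls c2-example.invalid every ~5 minutes,
# another browses news.example.com at irregular times.
SAMPLE_LOG = """\
2010-10-28T09:00:00 10.0.0.5 c2-example.invalid
2010-10-28T09:00:01 10.0.0.5 news.example.com
2010-10-28T09:05:02 10.0.0.5 c2-example.invalid
2010-10-28T09:07:40 10.0.0.5 cdn.example.net
2010-10-28T09:10:01 10.0.0.5 c2-example.invalid
2010-10-28T09:15:03 10.0.0.5 c2-example.invalid
2010-10-28T09:20:00 10.0.0.5 c2-example.invalid
2010-10-28T09:01:10 10.0.0.9 news.example.com
2010-10-28T09:03:55 10.0.0.9 news.example.com
2010-10-28T09:31:12 10.0.0.9 news.example.com
2010-10-28T10:02:48 10.0.0.9 news.example.com
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(records, min_hits=4, max_jitter=0.2):
    """Return {(client, host): (hits, mean_interval_s, jitter)} for suspected beacons.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. A timer-driven poll keeps it close to zero; human
    browsing does not. min_hits avoids flagging a pair on one or two gaps.
    """
    by_pair = defaultdict(list)
    for ts, client, host in records:
        by_pair[(client, host)].append(ts)

    suspects = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            suspects[pair] = (len(times), round(avg, 1), round(jitter, 3))
    return suspects


if __name__ == "__main__":
    for (client, host), (hits, avg, jitter) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {hits} requests, ~{avg}s apart, jitter {jitter}")
```

On the constructed sample only the 10.0.0.5 to c2-example.invalid pair is reported (five requests roughly 300 seconds apart). In practice the domain list from such a takedown analysis would be matched directly, and the interval heuristic serves to catch hosts talking to domains not yet on a blocklist; legitimate software updaters also poll on timers, so results need an allowlist before they become alerts.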
One domain, which resolves to an IP (Internet protocol) address registered to a colocation facility in Kazakhstan, is telling infected computers to download a fake antivirus program called Antivirusplus. Cybercriminals have found that fake antivirus programs can be a thriving business: infected users are badgered into buying software that offers little or no actual protection from threats on the Internet.
The other domain is instructing computers compromised with Bredolab to send spam. That domain is hosted on an IP address assigned to a colocation facility in Russia.
The infected computers communicating with those domains appear to have a new variant of Bredolab installed. Malware authors frequently have to modify their code in order to avoid detection by antivirus software.