Despite the recent arrest of the alleged Bredolab mastermind in Armenia, a small portion of the Bredolab botnet has managed to survive, according to the FireEye Malware Intelligence Lab.
In a recent report, Atif Mushtaq of FireEye said that Bredolab is not giving up. Mushtaq found two more active command-and-control (CnC) domains that were not only alive but also issuing new commands. The two domains are upload-good.net and lodfewpleaser.com.
The lab said it had started seeing the bot herders issue new instructions through these domains, and it is fairly confident that the operators behind this variant are fully active and are probably not the man arrested in Armenia at the request of the Dutch police.
There are two plausible explanations: the Bredolab code was leaked at some point and someone else used it to build his own botnet, which is not unusual; or a portion of Bredolab was at some point leased out to another gang.
Either way, some of the bot herders remain untouched and committed enough to continue their operations even under the extra scrutiny. Other sources confirm the broader picture:
Even with this new information, PCWorld reports that the main Bredolab botnet appears to have been taken out after Dutch police seized control of 143 command-and-control servers and cut off their communication with infected PCs. Police then pushed their own code to the infected computers, estimated at as many as 29 million, to warn their owners that the machine was infected.
Working with Dutch police, Armenian authorities arrested a 27-year-old man for allegedly controlling Bredolab, PCWorld reports. If he is extradited to the Netherlands and convicted, he could face between four and six years in prison.