infoTECH Feature

November 01, 2010

Despite Arrest of Bredolab Mastermind, Infected PCs Downloading Fake Antivirus Software

Despite the recent arrest of the Bredolab mastermind in Armenia, a small portion of Bredolab has been able to survive, according to the FireEye Malware Intelligence Lab.

In a recent report, Atif Mushtaq of FireEye said that Bredolab is not giving up. Mushtaq found two more active CnC domains, not only alive but issuing new commands as well. These two domains are upload-good.net and lodfewpleaser.com.

The lab said it started seeing the bot herders issuing new instructions. The lab is fairly sure that the bot herders behind this variant are fully active and are probably not the man arrested in Armenia in cooperation with the Dutch police.
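For a defender, the practical use of the two domain names above is as indicators of compromise: any internal host that resolved them after the takedown deserves a look. The following script is an added example, not FireEye's code or anything from the original article. It matches DNS query log lines against those two domains, treating subdomains as hits but rejecting look-alike names that merely contain the domain as a substring, and groups the querying clients per domain for triage. The log line format (`timestamp client query qtype qname`) and the log lines themselves are constructed for this example; adapt the regular expression to whatever your resolver actually emits.

```python
import re
from collections import defaultdict

# Bredolab CnC domains FireEye reported as still issuing commands (from the article).
BREDOLAB_CNC_DOMAINS = {"upload-good.net", "lodfewpleaser.com"}

# Constructed DNS query log lines in an assumed format:
# "<ISO timestamp> <client ip> query <qtype> <qname>". Not real telemetry.
SAMPLE_DNS_LOG = """\
2010-10-28T10:12:01Z 10.0.0.5 query A upload-good.net
2010-10-28T10:12:03Z 10.0.0.5 query A www.example.com
2010-10-28T10:13:44Z 10.0.0.9 query A cdn.LodfewPleaser.com.
2010-10-28T10:14:10Z 10.0.0.7 query A notupload-good.net
2010-10-28T10:15:02Z 10.0.0.5 query MX lodfewpleaser.com
2010-10-28T10:15:30Z 10.0.0.9 query A example.net
"""

# Parser for the assumed log format above.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def normalize_qname(qname):
    """Lower-case the name and strip the trailing dot of a fully-qualified name."""
    return qname.rstrip(".").lower()


def matches_ioc(qname, ioc_domains=BREDOLAB_CNC_DOMAINS):
    """Return the IOC domain that qname equals or is a subdomain of, else None.

    A plain substring test would also flag 'notupload-good.net', so the check
    insists on a label boundary (exact match or '.<ioc>' suffix).
    """
    name = normalize_qname(qname)
    for ioc in ioc_domains:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text, ioc_domains=BREDOLAB_CNC_DOMAINS):
    """Parse log lines and return hits as (timestamp, client, qname, ioc) tuples."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ioc = matches_ioc(m["qname"], ioc_domains)
        if ioc:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits


def clients_by_ioc(hits):
    """Group the client IPs that resolved each CnC domain, sorted for stable output."""
    grouped = defaultdict(set)
    for _, client, _, ioc in hits:
        grouped[ioc].add(client)
    return {ioc: sorted(clients) for ioc, clients in grouped.items()}


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for ts, client, qname, ioc in found:
        print(f"{ts} {client} resolved {qname} (matches {ioc})")
    for ioc, clients in sorted(clients_by_ioc(found).items()):
        print(f"{ioc}: {', '.join(clients)}")
```

Two details matter in practice. The match is done on the normalized name so that mixed case and a trailing dot, both common in resolver logs, do not cause misses. And indicators like these age: once a sinkholed or seized domain is released and re-registered, a hit no longer proves infection, so date-bound the indicator and confirm with host-side evidence before acting on it.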

There are two possible explanations for this: either the Bredolab code was leaked at some point and someone else used it to build a botnet of his own, which is not unusual, or at some point a portion of Bredolab was leased out to another gang.

No doubt some of the bot herders are still untouched and committed enough to continue their operations even under this extra scrutiny. This can also be confirmed from other sources:

  • The Dutch police are hunting for more criminals behind Bredolab and say the crackdown operation is not over.
  • Symantec was reporting that Bredolab is alive, although the malware shown in its article is not the Bredolab FireEye is talking about here but Sasfis/Oficla (another powerful downloader). It's likely that Bredolab is sending spam to spread Sasfis, so at most there is a PPI (pay-per-install) or parent/child relationship between the two. Rodel Mendrez of M86 Security had the same concern and also agrees that what Symantec's article shows is Sasfis.

Even with this new information, PCWorld reports that the main Bredolab botnet appears to have been taken out after Dutch police seized control of 143 command-and-control servers and shut down their communication with infected PCs. Police pushed their own code to those infected computers, estimated to number as many as 29 million, warning users that their computer was infected.

Working with Dutch police, Armenian authorities arrested the 27-year-old man for allegedly controlling Bredolab, PCWorld reports. If he is extradited to the Netherlands and convicted of charges, he could face between four and six years in prison.


Ed Silverstein is a TMCnet contributor. To read more of his articles, please visit his columnist page.

Edited by Jaclyn Allard