Dutch police take down Bredolab botnet

Summary: Authorities in the Netherlands have arrested the suspected mastermind and seized the servers behind the malware-spamming botnet, which was built in layers 'like an onion' for protection

TOPICS: Security

Dutch police have uprooted a large information-stealing botnet known as Bredolab, thought to have infected more than 30 million computers.

The command-and-control server structure for the botnet was taken down on Monday by the Dutch National High Tech Crime Team.

On Monday night, police arrested a 27-year-old Armenian man they believe was the mastermind behind the Bredolab botnet. The arrest took place at Zvartnots International Airport in Yerevan, the capital of Armenia. The man is being held by airport authorities, a spokesman for the Dutch prosecutor's office said on Tuesday.

"In the past few weeks, the [Dutch] national police investigation has tried to trace Bredolab suspects," the spokesman told ZDNet UK. "In the past several days, the main suspect was traced in Russia. Last night, when he arrived at Yerevan [Zvartnots] National Airport, he was arrested."

Police in the Netherlands have disconnected 143 servers associated with the botnet, the spokesman added. However, he was unable to say how many of the seized machines were being used for command-and-control purposes.

The Bredolab botnet was employed to spam users with Bredolab malware, which contained a Trojan downloader and information-stealing components. The command-and-control servers for Bredolab were administered by a reseller for Dutch hosting company Leaseweb, the Dutch National High Tech Crime Team said in a statement.

Leaseweb discovered it was hosting the command-and-control servers for the botnet in mid-August, the company's security officer Alex de Joode said. As part of a community security outreach programme, Leaseweb provides hosting for security researchers without charge, and in return they investigate the company's networks, de Joode told ZDNet UK.

Unnamed security researchers alerted Leaseweb to the existence of the Bredolab command-and-control servers in the evening. The next morning, the Dutch police contacted Leaseweb and asked that the company keep the servers operational.

"The police decided to investigate, and requested we keep [the servers] running so they could do an in-depth investigation," said de Joode. "Normally we would take down botnet command-and-control servers immediately."

Law enforcement agents started to investigate and found that Bredolab was running "a botnet factory", said de Joode.

"The botnet was like an onion, with layers that were hidden from outside," he added.

The outer layer was a number of ISPs, which connected to hacked servers. In turn, the servers connected via proxies to the command-and-control servers. When the ISPs were notified about the infection, they merely dealt with the second layer of the botnet — the hacked servers, according to de Joode. Meanwhile, more servers were compromised and incorporated into the botnet.

"The core of the botnet factory was Leaseweb, but we did not receive any abuse messages," said de Joode. "The outer layers of the onion were expendable — if the hacker lost a server, he would point the command-and-control server at a new one. This was very well hidden."

The second layer of the botnet — the hacked servers — was used for drive-by downloads to install the malware, on top of the spamming operation. The drive-by scheme used a number of sites listed among the top 100 sites on the web by ranking company Alexa, according to de Joode.

During the takedown operation, the Armenian man made several attempts to wrest back control of the botnet, the Dutch authorities understand. When that failed, police believe he launched a denial-of-service attack against Leaseweb, using 220,000 infected computers.

The Dutch police investigation was aided by the Dutch Forensic Institute (NFI), the Dutch computer emergency response team GovCert.NL, and the internet security company Fox IT.

Fox IT chief executive Ronald Prins said that his company had built a network with the specific intention of capturing and analysing malware from the Bredolab botnet.

"We tried to have ourselves infected," Prins said. "We built ourselves a special technical infrastructure, reverse-engineered the malware, and tried to find out the host and where it connected to the [command-and-control] server."

During the takedown, the Fox network also came under a denial-of-service attack, according to Prins.

Police have now sent messages to all 30 million Bredolab-infected computers informing them that the machines are compromised.

Security company Trend Micro said in a blog post on Tuesday that at least one Bredolab command-and-control server was still operational.

Tom Espiner



1 comment
  • Whilst it is encouraging to see that cybercrime gangs are being dealt with, it is also important to raise awareness about the Trojans which are circulating. In July alone 40,000 Trojans were reported, demonstrating the volume of the potential threats. This news should act as a warning for the criminals involved; however, the education of those who could potentially be affected should be seen as a priority. Please read my blog on the financial malware to be aware of here: http://bit.ly/cTsliE