Dutch police have uprooted a large information-stealing botnet known as Bredolab, thought to have infected more than 30 million computers.
The command-and-control server structure for the botnet was taken down on Monday by the Dutch National High Tech Crime Team.
On Monday night, police arrested a 27-year-old Armenian man they believe was the mastermind behind the Bredolab botnet. The arrest took place at Zvartnots International Airport in Yerevan, the capital of Armenia. The man is being held by airport authorities, a spokesman for the Dutch prosecutor's office said on Tuesday.
"In the past few weeks, the [Dutch] national police investigation has tried to trace Bredolab suspects," the spokesman told ZDNet UK. "In the past several days, the main suspect was traced in Russia. Last night, when he arrived at Yerevan [Zvartnots] National Airport, he was arrested."
Police in the Netherlands have disconnected 143 servers associated with the botnet, the spokesman added. However, he was unable to say how many of the seized machines were being used for command-and-control purposes.
The Bredolab botnet was employed to spam users with Bredolab malware, which contained a Trojan downloader and information-stealing components. The command-and-control servers for Bredolab were administered by a reseller for Dutch hosting company Leaseweb, the Dutch National High Tech Crime Team said in a statement.
Leaseweb discovered it was hosting the command-and-control servers for the botnet in mid-August, the company's security officer Alex de Joode said. As part of a community security outreach programme, Leaseweb provides hosting for security researchers without charge, and in return they investigate the company's networks, de Joode told ZDNet UK.
Unnamed security researchers alerted Leaseweb to the existence of the Bredolab command-and-control servers in the evening. The next morning, the Dutch police contacted Leaseweb and asked that the company keep the servers operational.
"The police decided to investigate, and requested we keep [the servers] running so they could do an in-depth investigation," said de Joode. "Normally we would take down botnet command-and-control servers immediately."
Law enforcement agents started to investigate and found that Bredolab was running "a botnet factory", said de Joode.
"The botnet was like an onion, with layers that were hidden from outside," he added.
The outer layer was a number of ISPs, which connected to hacked servers. In turn, the servers connected via proxies to the command-and-control servers. When the ISPs were notified about the infection, they merely dealt with the second layer of the botnet — the hacked servers, according to de Joode. Meanwhile, more servers were compromised and incorporated into the botnet.
"The core of the botnet factory was Leaseweb, but we did not receive any abuse messages," said de Joode. "The outer layers of the onion were expendable — if the hacker lost a server, he would point the command-and-control server at a new one. This was very well hidden."
The second layer of the botnet — the hacked servers — was used for drive-by downloads to install the malware, on top of the spamming operation. The drive-by scheme used a number of sites listed among the top 100 sites on the web by ranking company Alexa, according to de Joode.
During the takedown operation, the Armenian man made several attempts to wrest back control of the botnet, the Dutch authorities understand. When that failed, police believe he launched a denial-of-service attack against Leaseweb, using 220,000 infected computers.
The Dutch police investigation was aided by the Dutch Forensic Institute (NFI), the Dutch computer emergency response team GovCert.NL, and the internet security company Fox IT.
Fox IT chief executive Ronald Prins said that his company had built a network with the specific intention of capturing and analysing malware from the Bredolab botnet.
"We tried to have ourselves infected," Prins said. "We built ourselves a special technical infrastructure, reverse-engineered the malware, and tried to find out the host and where it connected to the [command-and-control] server."
During the takedown, the Fox network also came under a denial-of-service attack, according to Prins.
Police have now sent messages to all 30 million Bredolab-infected computers informing them that the machines are compromised.
Security company Trend Micro said in a blog post on Tuesday that at least one Bredolab command-and-control server was still operational.