Dutch Team Up With Armenia For Bredolab Botnet Take Down

    DUTCH TEAM UP WITH ARMENIA FOR BREDOLAB BOTNET TAKE DOWN
    Jeremy Kirk

    Computerworld
    http://www.computerworld.com/s/article/9193080/Dutch_team_up_with_Armenia_for_Bredolab_botnet_take_down?taxonomyId=142
    Oct 26 2010

    October 26, 2010 09:19 AM ET. IDG News Service - Armenian authorities
    arrested a 27-year-old man on Tuesday on suspicion of running a
    large botnet that was dismantled after a unique take-down operation
    by Dutch law enforcement and computer security experts on Monday.

    Dutch authorities said they seized dozens of servers used to control
    the Bredolab botnet, estimated to have infected millions of computers
    worldwide.

    Bredolab is a type of malicious software program that can steal
    login and password details, log keystrokes, and steal any data from
    an infected computer. The Dutch High Tech Crime Team, which is part
    of the National Crime Squad, began investigating the botnet over the
    summer, according to a press release issued on Monday.

    The Bredolab botnet was capable of infecting up to 3 million computers
    per month. By the end of last year, it was estimated that 3.6 billion
    spam e-mails were sent out daily containing the Bredolab malware,
    according to the High Tech Crime Team.

    The team said it has disconnected and seized 143 servers used for
    Bredolab, working with the Dutch Forensic Institute, Govcert.nl,
    the Dutch computer emergency response team, and the security vendor
    Fox IT. The 143 servers were part of the network run by LeaseWeb,
    the largest hosting provider in the Netherlands, and had been hired
    through one of LeaseWeb's resellers.

    The Armenian man was tracked down in a joint effort between Fox IT,
    which is based in the Netherlands, and Dutch law enforcement. The
    man is suspected of renting computers that had been infected with
    Bredolab to cybercrime players in other countries, said Ronald Prins,
    founder of Fox IT.

    For example, a cybercriminal in Spain could rent 100,000 machines
    infected with Bredolab, then upload their own specific malicious
    software program to those machines, such as the Zeus online banking
    malware, Prins said.

    The Armenian man had constructed a massive botnet, at one point
    infecting up to 29 million computers in countries including Italy,
    Spain, South Africa, the U.S. and the U.K. The Dutch police wanted
    to disrupt and shut down Bredolab.

    "We wanted to take down the botnet," Prins said. "What we also
    wanted to do was make sure the botnet wouldn't switch over to other
    infrastructure under his control."

    The Dutch police decided to use a tactic they have apparently used
    before, taking over the computers infected with Bredolab and directing
    them to servers not under the control of the Armenian. Fox IT helped
    with that by uploading a "good" bot developed by police to those PCs,
    Prins said.

    The action started about 2 p.m. CET on Monday. Upon opening their Web
    browser, people with computers infected with Bredolab are now being
    redirected to a website set up by Govcert.nl, the Computer Emergency
    Response Team for the Dutch government. The Web page, written in
    English, warns people that their computer is infected and includes
    instructions for how people can remove Bredolab.

    So far, at least 100,000 computers have displayed the Web page, which
    also has a link where people can file a complaint about Bredolab. So
    far, 55 people have filled out the complaint form, according to the
    Dutch National Prosecutor's Office.

    The action by the Dutch authorities represents a bold move, as
    infecting anyone's computer -- whether it's with a "good" bot or a
    malicious one -- is likely against the law in many countries.

    When the Armenian -- or whoever controlled Bredolab -- noticed that
    the botnet was being taken over, a distributed denial-of-service
    attack was launched against the infrastructure used by investigators,
    Prins said. But it didn't disrupt the botnet takeover.

    "At that point, I don't think it was clear to him that the police
    were actually taking over," Prins said.

    Investigators were able to trace Bredolab's controller to Armenia,
    which resulted in the arrest. Botnet operators are very smart, but
    they need to make at least 20 evasive steps in order to stay anonymous,
    Prins said.

    "We only need one mistake to catch him," he said.




    From: A. Papazian