DUTCH TEAM UP WITH ARMENIA FOR BREDOLAB BOTNET TAKE DOWN
Jeremy Kirk
Computerworld
http://www.computerworld.com/s/article/9193080/Dutch_team_up_with_Armenia_for_Bredolab_botnet_take_down?taxonomyId=142
Oct 26 2010
October 26, 2010 09:19 AM ET. IDG News Service - Armenian authorities
arrested a 27-year-old man on Tuesday on suspicion of running a
large botnet that was dismantled after a unique take-down operation
by Dutch law enforcement and computer security experts on Monday.
Dutch authorities said they seized dozens of servers used to control
the Bredolab botnet, estimated to have infected millions of computers
worldwide.
Bredolab is a type of malicious software program that can steal
login and password details, log keystrokes, and steal any data from
an infected computer. The Dutch High Tech Crime Team, which is part
of the National Crime Squad, began investigating the botnet over the
summer, according to a press release issued on Monday.
The Bredolab botnet was capable of infecting up to 3 million computers
per month. By the end of last year, it was estimated that 3.6 billion
spam e-mails were sent out daily containing the Bredolab malware,
according to the High Tech Crime Team.
The team said it has disconnected and seized 143 servers used for
Bredolab, working with the Dutch Forensic Institute, Govcert.nl,
the Dutch computer emergency response team, and the security vendor
Fox IT. The 143 servers were part of the network run by LeaseWeb,
the largest hosting provider in the Netherlands, and had been hired
through one of LeaseWeb's resellers.
The Armenian man was tracked down in a joint effort between Fox IT,
which is based in the Netherlands, and Dutch law enforcement. The
man is suspected of renting computers that had been infected with
Bredolab to cybercrime players in other countries, said Ronald Prins,
founder of Fox IT.
For example, a cybercriminal in Spain could rent 100,000 machines
infected with Bredolab, then upload their own specific malicious
software program to those machines, such as the Zeus online banking
malware, Prins said.
The Armenian man had constructed a massive botnet, at one point
infecting up to 29 million computers in countries including Italy,
Spain, South Africa, the U.S. and the U.K. The Dutch police wanted
to disrupt and shut down Bredolab.
"We wanted to take down the botnet," Prins said. "What we also
wanted to do was make sure the botnet wouldn't switch over to other
infrastructure under his control."
The Dutch police decided to use a tactic they have apparently used
before, taking over the computers infected with Bredolab and directing
them to servers not under the control of the Armenian. Fox IT helped
with that by uploading a "good" bot developed by police to those PCs,
Prins said.
The action started about 2 p.m. CET on Monday. Upon opening their Web
browser, people with computers infected with Bredolab are now being
redirected to a website set up by Govcert.nl, the Computer Emergency
Response Team for the Dutch government. The Web page, written in
English, warns people that their computer is infected and includes
instructions for how people can remove Bredolab.
So far, at least 100,000 computers have displayed the Web page, which
also has a link where people can file a complaint about Bredolab. So
far, 55 people have filled out the complaint form, according to the
Dutch National Prosecutor's Office.
The action by the Dutch authorities represents a bold move, as
infecting anyone's computer -- whether it's with a "good" bot or a
malicious one -- is likely against the law in many countries.
When the Armenian -- or whoever controlled Bredolab -- noticed that
the botnet was being taken over, a distributed denial-of-service
attack was launched against the infrastructure used by investigators,
Prins said. But it didn't disrupt the botnet takeover.
"At that point, I don't think it was clear to him that the police
were actually taking over," Prins said.
Investigators were able to trace Bredolab's controller to Armenia,
which resulted in the arrest. Botnet operators are very smart, but
they need to make at least 20 evasive steps in order to stay anonymous,
Prins said.
"We only need one mistake to catch him," he said.
From: A. Papazian