A Dutch cyber crime unit has disrupted the operation of the Bredolab botnet and arrested an Armenian man believed to be the operator of the global malware distribution hub.
In a statement on Monday, the Dutch Public Ministry said that the country’s High Tech Crime Team (THTC), working in cooperation with local ISPs and the Dutch Computer Emergency Response Team (GOVCERT.nl) disabled infected servers that constituted the command and control network for the Bredolab botnet.
On Tuesday, the Public Ministry said that Armenian authorities had arrested a 27-year-old man believed to be the Bredolab mastermind at the airport in Yerevan, Armenia. Bredolab is a Trojan horse program that has been linked to infections by the Gumblar script downloader, a Web-based attack tool.
Bredolab-infected systems are directly linked to the spread of spam e-mails and malicious file attachments and to identity theft, including bank account compromises and stolen credit cards. At one point, the network numbered more than three million strong and was responsible for 30 million infections and the distribution of 3.6 billion spam e-mails daily.
Following the take-down, infected computers were redirected to a Web page with instructions on removing the Bredolab Trojan.
The spam messages sent out by the network often contained malicious attachments masquerading as “DHL invoices” for thousands of dollars to trick users into opening the malicious attachment, said Kurt Baumgartner, a senior security researcher at Kaspersky Lab.
Dutch authorities had been monitoring the Bredolab operation since the summer, when hosting firm LeaseWeb notified authorities that some of its servers were being used as the command and control infrastructure for Bredolab. That investigation led to the alleged botmaster, a dual Russian-Armenian citizen, said Wim De Bruin, spokesman for the National Public Prosecutor’s Office in Rotterdam, The Netherlands.
In all, 143 servers were taken offline by LeaseWeb, the Public Office said. Those servers were the core of a global malware distribution hub that encompassed more than just Bredolab, said Baumgartner.
“What ended up getting taken down was really a malware distribution network. Part of that network included what you might package as ‘Bredolab Command and Control Servers.’ But the Bredolab controllers would install other pieces of malware that would report back to multiple layers of other proxies,” he said.
As a result, the impact of the takedown could be felt far and wide in the anti-malware community, with possible implications for other malware distribution operations. The Bredolab downloader was known to pull down other common malware like Pushdo and Cutwail, Baumgartner said.
The anti-malware community and law enforcement in a number of countries had their eyes on the network, in part because of the prolific amounts of malware being distributed and the links between Bredolab and attacks on customers of leading financial services firms, he said.
The action is just the latest high-profile and coordinated botnet takedown. In August, researchers and hosting providers identified and disabled a large number of command and control servers used by the Pushdo botnet to distribute spam and malware. In March, Microsoft, working in conjunction with security researchers, took down the Waledac botnet, while a group of researchers dubbed The Mariposa Working Group infiltrated the command and control structure of the Mariposa botnet, leading authorities in Spain and other countries to move against the gang that operated that illicit bot network.
With one arrest made, the investigation is ongoing. De Bruin of the National Public Prosecutor’s Office would not rule out more arrests, as authorities pore over the seized command and control servers and look for business associates who may have been involved in distributing the Trojan or profiting from the information that it stole.
“These servers are the backbone of a huge malware distribution network,” said Baumgartner. “This is a huge gain for law enforcement and may help them in stopping more than one group.”
Still, prosecuting the man believed to be the botmaster may present problems. Armenian authorities will not extradite the man, an Armenian national, to the Netherlands, where he would face 4-6 years in prison if convicted on computer crime charges, said De Bruin. That means Dutch authorities will have to try him in Armenia. That country has signed and ratified the Council of Europe’s Convention on Cybercrime, though it’s unclear what charges, if any, will be brought against the man who was arrested.