NEWS FROM THE LAB - Tuesday, October 26, 2010

Bredolab Botnet Shut Down Posted by Mikko @ 06:06 GMT

Year 2010 is becoming a good year in shutting down big botnets.

Latest case: Bredolab.

Example of an e-mail distributing Bredolab variantThe Dutch National Crime Squad has announced a major take-down. The people behind the botnet have not been caught, but the servers (hosted in LeaseWeb IP space) have been taken over, effectively shutting down the botnet.

Bredolab is a large family of complicated, polymorphic trojans. They have been distributed via drive-by-downloads and e-mail. Bredolab is known to be connected to e-mail spam campaigns and rogue security products. And the size of the botnet was massive: over 30 million infected computers and close to 150 command & control servers.

Interestingly, the crime squad has announced that they will be sending a warning to infected PCs: "Users of computers with viruses from this network will receive a notice of at the time of next login with information on the degree of infection."

So they will probably use the existing botnet infrastructure to send a program to all infected machines, showing them a warning.

This is rarely done because running code on somebody else's computer might be seen as "unauthorized use", possibly making it illegal — although the intentions are obviously good.

Here's a video with more information (Severe warning! It is in Dutch).

Updated to add: The Dutch police are redirecting Bredolab-infected computers to this help page.

Updated to add: A 27-year old man has been arrested in Armenia. He is under investigation for being one of the operators behind Bredolab.