You Scratch My Back...
BREDOLAB's Sudden Rise in Prominence

Trend Micro, Incorporated

David Sancho
Senior Threat Researcher

A Trend Micro White Paper | October 2009
Table of Contents
Introduction
I Think I've Seen This Before...
Why Zeus? Partnyorka Connections
Putting the Pieces Together
Conclusion
Sources
Introduction

In August 2009, Trend Micro's Threat Research Team started noticing a sudden spike in the activities of a new malware dubbed "BREDOLAB," which was, apparently, related to the Zeus malware family.

Figure 1. BREDOLAB malware's growth

The sudden rise in prominence could not have been random, so we decided to follow the malware and trace its place of origin and objective. This document is a product of the research we conducted.

This document explores BREDOLAB's inner workings, the economics behind the threat, and recommendations to mitigate its effects on home users and corporations.
I Think I've Seen This Before...

BREDOLAB is a simple downloading platform programmed by cybercriminals to facilitate virus infections and their timely updates. When we began analyzing BREDOLAB, we immediately noted that upon infection, the first thing the malware did was execute a "call home" routine. The Web communication was encrypted, so we could not read its contents. Subsequent connections followed, albeit with significant differences, which made us think they were not directly related. The differences were substantial, so we focused on understanding the first batch of Web connections.

We conducted an in-depth analysis and arrived at a very clear conclusion: the initial Web connections were downloading a series of executable files, which were then run on victims' machines. We were able to decrypt each of the malicious programs and keep a record of what kinds of software BREDOLAB installed on infected PCs.

BREDOLAB has a particularly noticeable trait: all the Web connections it made pointed to the same server, which was usually located in Russia. The host's name was hard-coded into the BREDOLAB executable, a weak point in the bad guys' network infrastructure: if the malicious server is taken down, none of the infected PCs can continue downloading updates to the malware. Note, however, that it is the name and not the address that is hard-coded, so the single point of failure is the DNS record, not the IP address, and removing only the server behind that address is not enough.

After monitoring this particular server for a few weeks, we noticed that it was eventually taken down. However, the BREDOLAB group was able to move the server name to a different IP address, enabling it to become active again very quickly from a different location. It is likely that this routine has been taking place for some time now.
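The relocation described above is exactly what hostname-keyed tracking is meant to catch. The following is an added example (not code from the paper or from Trend Micro) that collapses a series of DNS lookups for a hard-coded C&C name into episodes, reports each move from one address to another together with the dark period in between, and matches proxy log lines on the hostname rather than on an IP that is about to change. The hostname, addresses, dates and log lines are all constructed for illustration; the paper does not name the real BREDOLAB server.

```python
"""Track where a hard-coded C&C hostname resolves over time.

Added example, not code from the paper or from Trend Micro. The hostname,
IP addresses, observation dates and proxy-log lines are all constructed
for illustration; the paper does not name the real BREDOLAB server.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse


@dataclass
class Observation:
    """One DNS lookup result: ip is None when the name did not resolve."""
    when: datetime
    hostname: str
    ip: Optional[str]


@dataclass
class Episode:
    """A run of consecutive observations with the same answer."""
    ip: Optional[str]
    first_seen: datetime
    last_seen: datetime


# Constructed: the name points at one host, goes dark (takedown), then
# reappears at a different address, as described for the monitored server.
CNC_HOST = "update.example-cnc.invalid"
SAMPLE_OBSERVATIONS = [
    Observation(datetime(2009, 8, 3), CNC_HOST, "192.0.2.10"),
    Observation(datetime(2009, 8, 10), CNC_HOST, "192.0.2.10"),
    Observation(datetime(2009, 8, 17), CNC_HOST, None),
    Observation(datetime(2009, 8, 18), CNC_HOST, None),
    Observation(datetime(2009, 8, 20), CNC_HOST, "198.51.100.7"),
    Observation(datetime(2009, 8, 27), CNC_HOST, "198.51.100.7"),
]

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2009-08-21T10:02:11 10.0.0.15 GET http://update.example-cnc.invalid/get.php?id=1 200",
    "2009-08-21T10:02:13 10.0.0.15 GET http://www.example.org/index.html 200",
    "2009-08-21T11:40:07 10.0.0.22 POST http://update.example-cnc.invalid/get.php 200",
    "malformed line",
]


def timeline(observations: List[Observation]) -> Dict[str, List[Episode]]:
    """Collapse observations into per-hostname episodes, in time order."""
    by_host: Dict[str, List[Observation]] = defaultdict(list)
    for ob in sorted(observations, key=lambda o: o.when):
        by_host[ob.hostname].append(ob)
    result: Dict[str, List[Episode]] = {}
    for host, obs in by_host.items():
        episodes: List[Episode] = []
        for ob in obs:
            if episodes and episodes[-1].ip == ob.ip:
                episodes[-1].last_seen = ob.when   # same answer, extend the run
            else:
                episodes.append(Episode(ob.ip, ob.when, ob.when))
        result[host] = episodes
    return result


def relocations(episodes: List[Episode]) -> List[Tuple[str, str, int]]:
    """(old_ip, new_ip, days between last sighting and reappearance) per move.

    Dark episodes (ip None) are skipped so a takedown followed by a new
    address still shows up as a single relocation.
    """
    live = [e for e in episodes if e.ip is not None]
    moves = []
    for prev, nxt in zip(live, live[1:]):
        if prev.ip != nxt.ip:
            moves.append((prev.ip, nxt.ip, (nxt.first_seen - prev.last_seen).days))
    return moves


def hosts_contacted(log_lines: List[str], watch: Set[str]) -> List[Tuple[str, str, str]]:
    """Match proxy log lines against watched hostnames (not IPs).

    Matching on the name is what survives the IP change above: a block
    keyed on 192.0.2.10 alone would have missed the second episode.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip lines that do not fit the expected layout
        host = urlparse(parts[3]).hostname
        if host in watch:
            hits.append((parts[0], parts[1], host))
    return hits


if __name__ == "__main__":
    eps = timeline(SAMPLE_OBSERVATIONS)[CNC_HOST]
    for e in eps:
        print(f"{e.first_seen.date()}..{e.last_seen.date()}  {e.ip or 'NXDOMAIN'}")
    print("moves:", relocations(eps))
    print("hits:", hosts_contacted(SAMPLE_PROXY_LOG, {CNC_HOST}))
```

On the constructed data the name is dark for a week and then reappears at a new address ten days after it was last seen at the old one; the proxy check still finds both clients because it keys on the hostname. In practice the observations would come from periodic resolution of the names pulled out of samples, or from a passive DNS feed.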
Other BREDOLAB samples we have seen point to other servers, which may hold different malicious programs. The Russian server we monitored, for instance, uploaded the following binaries to infected systems:

 1. Rogue antivirus program called Antivirus Pro 2010. This program's graphical user interface (GUI) looks very professional, just like that of a real antivirus program. Once installed, it asks the victim to pay for an "unlicensed" copy of the software in order to clean nonexistent viruses from the machine.

    Figure 2. Unlicensed Antivirus Pro 2010 GUI

    Rogue antivirus applications always claim to have found viruses on an infected machine even though they never actually scan anything, since they are not real. The name of a rogue antivirus program, in fact, changes every few weeks or months. This is a well-known scam.

 2. Zeus bot. The second component that is always present in such an infection is the bot agent of a botnet dubbed "Zeus." The Zeus bot connects to a command and control (C&C) server through encrypted Web connections and gets further instructions for its information-stealing functionality. This includes monitoring and stealing banking credentials and other login data.

In our experience while monitoring the BREDOLAB download server, we found that the executable files were always very similar. Though they might vary slightly every now and then, their general contents were pretty consistent.
While working with BREDOLAB, we discovered that it has a strong similarity to PUSHDO in the way it downloads and executes files. PUSHDO is a downloader that also connects back home through a Web connection and downloads a series of executable files in one single encrypted chunk. This chunk is then split into smaller pieces that the PUSHDO downloader runs either by direct execution or by injecting the code into a Microsoft OS component, a technique shared by BREDOLAB. Both PUSHDO and BREDOLAB decide between these two options by looking at a field that tells the downloader how the execution should take place.

PUSHDO and BREDOLAB both exhibit these unusual behaviors, which led us to believe that they are probably products of the same programmer or development team. During our investigation of PUSHDO, we found out that its authors were Russian and that their product primarily catered to the Russian spam market.

While searching some underground Russian sources, we were able to obtain the source code of the BREDOLAB C&C backend server that served the encrypted executable files. As we suspected, all the comments were in Russian, which matched our expectations at this point.
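To make the "one encrypted chunk, split into pieces, each with an execution-mode field" design concrete, here is an added example of the kind of decoder an analyst writes for such a container. It is not code from the paper, from Trend Micro, or from the malware: the layout (a count, then per piece a one-byte mode, a length and the bytes) and the XOR stand-in for the unknown real cipher are assumptions, so the real format would first have to be recovered from a sample and the pack/unpack routines adapted to it. The payloads are constructed byte strings, not real executables; the decoder only splits and validates, it never runs anything.

```python
"""Parse a multi-payload download chunk of the kind the paper describes.

Added example, not code from the paper, Trend Micro, or the malware. The
container layout and the XOR "cipher" are assumptions standing in for the
real (unpublished) format, so an analyst would first recover the actual
layout from a sample and adapt pack/unpack to it. The payloads are
constructed byte strings, not real executables.
"""
import struct
from dataclasses import dataclass
from typing import List

MODE_EXECUTE = 0   # field value: drop to disk and run directly
MODE_INJECT = 1    # field value: inject into a Microsoft OS component
XOR_KEY = b"\x5a\xa5"  # assumed; the real cipher is unknown


@dataclass
class Piece:
    mode: int
    data: bytes


def xor_bytes(buf: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def pack_chunk(pieces: List[Piece]) -> bytes:
    """Build a chunk: u32 count, then per piece u8 mode + u32 length + bytes, XORed."""
    body = struct.pack("<I", len(pieces))
    for p in pieces:
        body += struct.pack("<BI", p.mode, len(p.data)) + p.data
    return xor_bytes(body, XOR_KEY)


def unpack_chunk(blob: bytes) -> List[Piece]:
    """Decrypt and split a chunk, refusing anything that does not fit the layout.

    Every length is checked against the buffer before it is used, so a
    truncated or tampered download raises ValueError instead of yielding
    a half-parsed piece.
    """
    plain = xor_bytes(blob, XOR_KEY)
    if len(plain) < 4:
        raise ValueError("chunk too short for a count field")
    (count,) = struct.unpack_from("<I", plain, 0)
    off = 4
    pieces: List[Piece] = []
    for i in range(count):
        if off + 5 > len(plain):
            raise ValueError(f"piece {i}: header truncated")
        mode, length = struct.unpack_from("<BI", plain, off)
        off += 5
        if mode not in (MODE_EXECUTE, MODE_INJECT):
            raise ValueError(f"piece {i}: unknown execution mode {mode}")
        if off + length > len(plain):
            raise ValueError(f"piece {i}: body truncated ({length} bytes claimed)")
        data = plain[off:off + length]
        if not data.startswith(b"MZ"):
            raise ValueError(f"piece {i}: not a PE image")
        pieces.append(Piece(mode, data))
        off += length
    if off != len(plain):
        raise ValueError(f"{len(plain) - off} trailing bytes after last piece")
    return pieces


def describe(pieces: List[Piece]) -> List[str]:
    """One analyst-readable line per piece, keyed on the execution-mode field."""
    names = {MODE_EXECUTE: "run from disk", MODE_INJECT: "inject into OS process"}
    return [f"piece {i}: {len(p.data)} bytes, {names[p.mode]}"
            for i, p in enumerate(pieces)]


# Constructed stand-ins for the two binaries the paper lists: a rogue AV
# installer (run directly) and a bot agent (injected). Not real PE files.
SAMPLE_PIECES = [
    Piece(MODE_EXECUTE, b"MZ" + b"\x00" * 14 + b"rogue-av-stub"),
    Piece(MODE_INJECT, b"MZ" + b"\x00" * 14 + b"bot-agent-stub"),
]


if __name__ == "__main__":
    blob = pack_chunk(SAMPLE_PIECES)
    for line in describe(unpack_chunk(blob)):
        print(line)
    try:
        unpack_chunk(blob[:-4])
    except ValueError as exc:
        print("rejected:", exc)
```

The bounds checks matter more than the cipher: when monitoring a download server, the chunk you fetch may be cut short or changed under you, and a decoder that trusts the length fields will silently hand you garbage pieces. Keeping the mode field alongside each decoded payload is what lets you record, per sample, which binary the downloader would have run from disk and which it would have injected.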
Figure 3. Read Me file of the BREDOLAB C&C software installation
Why Zeus? Partnyorka Connections

So what is the exact relationship between BREDOLAB and the two programs it downloads? We started digging a bit more into the possible business relationships that exist among Russian underground organizations.

Things in the Russian underground are organized by affiliate program, or partnyorka. Affiliate programs, in both the commercial world and the underground, provide a means for Web vendors to create a network of business partners that help them out by redirecting traffic to their own servers. For instance, some online pharmacy outfits in Russia that sell low-cost generic medicines made in lower-paying factories go to market exclusively online. One example of such a shady organization, online-rx.biz, has an affiliate program that earns affiliates 25% of each sale made. They even estimate that each customer's average order is worth 130–160 euros, so affiliates only need to sell an average of 31 orders to make their first 1,150 euros.

Fake antivirus vendors have similar affiliate programs. The only difference is that they do not sell anything; they just scam people. These vendors pay botnet owners sales commissions from the money scam victims dole out.

Following this logic, this particular BREDOLAB group seems to have partnered with a rogue antivirus company and uploads its software to every infected PC. This way, the group makes money every time a victim falls for the trick and pays for the "premium version" of a fake antivirus product.

The fact that different BREDOLAB versions download software from different servers is further evidence that its developers are selling their software (probably both client and server programs) as an additional source of income.
Putting the Pieces Together

When it comes to malware, especially malware that originates from Russia, the impression is that it is all about business and making money. BREDOLAB is no exception. Keeping in mind the Russian underground economy and all of its affiliate programs, there seem to be at least two distinct groups of actors in this picture, namely:

 1. Vendors. These are the creators of the scam. What they do may be borderline illegal or plainly criminal, but they do not expose themselves much. They provide marketing tools and sales commissions to the second group.

 2. Enablers. These try to expand the vendors' businesses by exposing themselves in exchange for huge sales commissions. They range from spammers who try to sell the vendors' products to botnet creators who infect victims' systems with the latest scam software.

In certain cases, there may be a third group of people: developers. These make the software sold in the underground market and facilitate the enablers.

BREDOLAB is a good example of how a criminal ecosystem works. Developed and maintained by a group of developers and then sold to enablers, BREDOLAB furthers a vendor's business by distributing fake antivirus software. Apart from that, this legitimate-looking malware also infects victims' systems with a botnet agent that continues subverting users' Internet connections for other nefarious ends. We can thus surmise that the same group behind our BREDOLAB samples is also building a Zeus botnet with a very concrete agenda: monetizing stolen data. This same group aims to make money from both techniques, fake antivirus pay-per-install and credential stealing.

The same Russian group that developed BREDOLAB is quite likely behind a similar malware, PUSHDO. While BREDOLAB focuses more on its fake antivirus affiliation, PUSHDO builds a spamming platform for criminal groups' enablers. Both activities, spamming and forced installation (known in the underground as "loads"), are complementary and work well toward the vendors' objective of enriching their affiliates while making a lot of money in the process.

Although the BREDOLAB samples we analyzed came from spam campaigns, their enablers mainly infected victims via the Web. They infiltrated victims' PCs by redirecting their browsers to malicious websites. This was usually done either by putting a malicious link in a legitimate page (e.g., posting malicious links in forums and guest books, or hacking legitimate pages) or by creating a page containing malicious links and making it score very high in search engines so that it appears as a top search result, a technique known as "blackhat search engine optimization (SEO)."
Conclusion

In order to avoid being hit by these shady organizations, users should ensure that they always have the latest version of their antivirus software of choice running on their PCs. If possible, it is also worth considering using security software that makes you part of a community-based network such as the Trend Micro Smart Protection Network™. Smart Protection Network combines unique Internet-based technologies with lightweight clients. By checking URLs, emails, and files against continuously updated and correlated threat databases in the cloud, customers always have immediate access to the latest protection wherever they connect: from home, within the company network, or on the go. This approach is particularly effective in dealing with malware that propagates via the Web, such as BREDOLAB and PUSHDO.

Users who think they may have been affected by malware such as BREDOLAB and PUSHDO may also try using a free antivirus tool such as HouseCall, Trend Micro's highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.
Sources

 • Alice Decker, David Sancho, Loucif Kharouni, Max Goncharov, and Robert McArdle. (May 22, 2009). "A Study of the Pushdo/Cutwail Botnet." http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf (retrieved October 2009).
© 2009 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Último (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Bredolab's Sudden Rise In Prominence Oct 2009

INTRODUCTION

In August 2009, Trend Micro's Threat Research Team started noticing a sudden spike in the activities of a new malware dubbed "BREDOLAB," which was, apparently, related to the Zeus malware family.

Figure 1. BREDOLAB malware's growth

The sudden rise in prominence could not have been random so we decided to follow the malware and trace its place of origin and objective. This document is a product of the research we conducted.

This document explores BREDOLAB's inner workings, the economics behind the threat, and recommendations to mitigate its effects on home users and corporations.
I THINK I'VE SEEN THIS BEFORE...

BREDOLAB is a simple downloading platform programmed by cybercriminals to facilitate virus infections and their timely updates. When we began analyzing BREDOLAB, we immediately noted that upon infection, the first thing the malware did was execute a "call home" routine. The Web communication was encrypted so we could not read its contents. Subsequent connections followed albeit with significant differences, which made us think they were not directly related. The differences were substantial so we focused on understanding the first batch of Web connections.

We conducted an in-depth analysis and arrived at a very clear conclusion—that the initial Web connections were downloading a series of executable files. These were then run on victims' machines. We were able to decrypt each of the malicious programs and keep a record to see what kinds of software BREDOLAB installed on infected PCs.

BREDOLAB has a particularly noticeable trait—all the Web connections it made pointed to the same server, which was usually located in Russia. The host's name was hard-coded into the BREDOLAB executable, indicating a weak point in the bad guys' network infrastructure. So if the malicious server is taken down, none of the infected PCs would be able to continue downloading updates to the malware.

After monitoring this particular server for a few weeks, we noticed that it was eventually taken down. However, the BREDOLAB group owners were able to successfully move the server name to a different IP address, enabling it to very quickly become active from a different location. It is likely that this routine has been taking place for some time now. Other BREDOLAB samples we have seen point to other servers, which may hold different malicious programs.
The Russian server we monitored, for instance, uploaded the following binaries into infected systems:

1. Rogue antivirus program called Antivirus Pro 2010. This program's graphical user interface (GUI) looks very professional, just like that of a real antivirus program. Once installed, it asks the victim to pay for an "unlicensed" copy of the software in order to clean nonexistent viruses from the machine.

Figure 2. Unlicensed Antivirus Pro 2010 GUI
Rogue antivirus applications always claim to have found viruses in an infected machine even though they never actually scan anything since they are not real. The name of a rogue antivirus program, in fact, changes every few weeks or months. This is a well-known scam.

2. Zeus bot. The second component that is always present in such an infection is the bot agent of a botnet dubbed "Zeus." The Zeus botnet connects to a command and control (C&C) server through encrypted Web connections and gets further instructions for its information-stealing functionality. This includes monitoring and stealing banking credentials and other login data.

In our experience while monitoring the BREDOLAB download server, we found that the executable files were always very similar. Though they might vary slightly every now and then, their general contents were pretty consistent.

While working with BREDOLAB, we discovered that it had a strong similarity with PUSHDO in the way it downloads and executes files. PUSHDO is a downloader that also connects back home through a Web connection and downloads a series of executable files in one single encrypted chunk. This chunk is then split into smaller pieces that the PUSHDO downloader runs by either direct execution or injecting the code into a Microsoft OS component—a technique shared by BREDOLAB. Both PUSHDO and BREDOLAB decide between these two options by looking at a field that tells the downloader how the execution should take place.

PUSHDO and BREDOLAB both exhibit unusual behaviors, which led us to believe that they are probably products of the same programmer or development team.
During our investigation of PUSHDO, we found out that its authors were Russian and that their product primarily catered to the Russian spam market. While searching some underground Russian sources, we were able to obtain the source code of the BREDOLAB C&C backend server that served the encrypted executable files. As we suspected, all the comments were in Russian, which matched our expectations at this point.

Figure 3. Read Me file of the BREDOLAB C&C software installation
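The single hard-coded download host described above, and its move to a new IP address once the old one was taken down, are exactly the pattern a defender can pull out of proxy logs. The script below is an added example, not code from this paper or from Trend Micro: it assumes a simple six-field proxy log format, and every host name, IP address and log line in it is a constructed placeholder.

```python
"""Spot a hard-coded download host, and its relocation, in proxy logs.

Added example (not from the Trend Micro paper). Assumed log format, one
request per line:
  <epoch> <client_ip> <dest_host> <resolved_ip> <path> <content_type>
Two signals are extracted:
  1. hosts from which several internal clients fetched several executables
     (every bot calls home to the same hard-coded name), and
  2. a change in the IP that such a host resolves to (the "server moved"
     event the paper observed after a takedown).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: four bots pull executables from one host, the
# host's address changes ten minutes later, plus two benign requests.
SAMPLE_LOG = """\
1250000000 10.0.0.11 updates.example-bad.invalid 198.51.100.7 /get/1 application/x-msdownload
1250000005 10.0.0.12 updates.example-bad.invalid 198.51.100.7 /get/1 application/x-msdownload
1250000010 10.0.0.13 updates.example-bad.invalid 198.51.100.7 /get/2 application/x-msdownload
1250000015 10.0.0.11 www.example-news.invalid 203.0.113.5 /index.html text/html
1250000020 10.0.0.14 updates.example-bad.invalid 198.51.100.7 /get/2 application/x-msdownload
1250000600 10.0.0.11 updates.example-bad.invalid 192.0.2.44 /get/3 application/x-msdownload
1250000605 10.0.0.12 updates.example-bad.invalid 192.0.2.44 /get/3 application/x-msdownload
1250000610 10.0.0.15 cdn.example-news.invalid 203.0.113.9 /app.exe application/x-msdownload
"""

# Content types that indicate a Windows executable was served.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}


@dataclass
class HostStats:
    clients: set = field(default_factory=set)    # distinct internal clients
    exe_fetches: int = 0                         # executable downloads seen
    ips: list = field(default_factory=list)      # resolved IPs, in order of first sight
    moves: list = field(default_factory=list)    # (timestamp, old_ip, new_ip)


def parse_line(line):
    """Split one log line into its six fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, host, ip, path, ctype = parts
    return int(ts), client, host, ip, path, ctype


def analyse(log_text):
    """Aggregate per-host client counts, executable fetches and IP changes."""
    stats = defaultdict(HostStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host, ip, _path, ctype = rec
        h = stats[host]
        h.clients.add(client)
        if ctype in EXECUTABLE_TYPES:
            h.exe_fetches += 1
        # A different resolved IP than last time means the name was re-pointed.
        if h.ips and h.ips[-1] != ip:
            h.moves.append((ts, h.ips[-1], ip))
        if not h.ips or h.ips[-1] != ip:
            h.ips.append(ip)
    return stats


def suspicious_hosts(stats, min_clients=3, min_exe=3):
    """Hosts from which at least min_clients clients pulled min_exe executables."""
    return sorted(h for h, s in stats.items()
                  if len(s.clients) >= min_clients and s.exe_fetches >= min_exe)


def relocation_events(stats):
    """(host, ts, old_ip, new_ip) for each IP change of a suspicious host."""
    return [(host, ts, old, new)
            for host in suspicious_hosts(stats)
            for ts, old, new in stats[host].moves]


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    for host in suspicious_hosts(s):
        print(f"{host}: {len(s[host].clients)} clients, "
              f"{s[host].exe_fetches} executable fetches")
    for host, ts, old, new in relocation_events(s):
        print(f"{host} moved from {old} to {new} at {ts}")
```

On the sample data the download host is flagged from four clients and six executable fetches, and the re-pointing from 198.51.100.7 to 192.0.2.44 is reported as one relocation event; the benign news hosts are not flagged.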
WHY ZEUS? PARTNYORKA CONNECTIONS

So what is the exact relationship between BREDOLAB and the two programs it downloads? We started digging a bit more into the possible business relationships that exist among Russian underground organizations.

Things in the Russian underground are organized by affiliate program or partnyorka. Affiliate programs in both the commercial world and in the underground provide a means for Web vendors to create a network of business partners that help them out by redirecting traffic to their own servers. For instance, some online pharmacy outfits in Russia that sell low-cost generic medicines made in lower-paying factories exclusively go to market online. One example of such a shady organization, online-rx.biz, has an affiliate program that earns affiliates 25% of each sale made. They even estimate that each customer's average order is worth 130–160 euros so they only need to sell an average of 31 orders to make their first 1,150 euros.

Fake antivirus vendors have similar affiliate programs. The only difference is they do not sell anything, they just scam people. These vendors pay botnet owners sales commissions from the money scam victims dole out.

Following this logic, this particular BREDOLAB group seems to have partnered with a rogue antivirus company and uploads its software to every infected PC. This way, the group makes money every time a victim falls for the trick and pays for the "premium version" of a fake antivirus software.

The fact that different BREDOLAB versions download software from different servers just proves that its developers are selling their software (probably both client and server programs) as an additional source of income.
PUTTING THE PIECES TOGETHER

When it comes to malware, especially those that originate from Russia, the impression is that it is all about business and making money. BREDOLAB is no exception. Keeping in mind the Russian underground economy and all of its affiliate programs, there seem to be at least two distinct groups of actors in this picture, namely:

1. Vendors. These refer to the creators of the scam. What they do may be borderline illegal or plainly criminal but they do not expose themselves much. They provide marketing tools and sales commissions to the second group.

2. Enablers. These try to expand the vendors' businesses by exposing themselves in exchange for huge sales commissions. They range from spammers who try to sell the vendors' products to botnet creators who infect victims' systems with the latest scam software.

In certain cases, there may be a third group of people—developers. These make the software sold in the underground market and facilitate the enablers.

BREDOLAB is a good example that shows how a criminal ecosystem works. Developed and maintained by a group of developers then sold to enablers, BREDOLAB furthers a vendor's business by distributing fake antivirus software. Apart from that, this legitimate-looking malware also infects victims' systems with a botnet agent to continue subverting users' Internet connection for other nefarious ends.
We can thus surmise that the same group behind our BREDOLAB samples is also establishing a Zeus botnet with a very concrete agenda—monetizing stolen data. This same group aims to get money from both techniques—fake antivirus pay-per-install and credential-stealing.

The same Russian group that developed BREDOLAB is quite likely behind a similar malware—PUSHDO. While BREDOLAB focuses more on its fake antivirus affiliation, PUSHDO builds a spamming platform for criminal groups' enablers. Both activities—spamming and forceful installation—known in the underground as "loads," are complementary and work well toward the vendors' objective of enriching their affiliates while making a lot of money in the process.

Although the BREDOLAB samples we analyzed came from spam campaigns, their enablers mainly infected victims via the Web. They infiltrated victims' PCs by redirecting their browsers to malicious websites. This was usually done by either putting a malicious link in a legitimate page (e.g., posting malicious links in forums and guest books or hacking legitimate pages) or creating a page containing malicious links and making it score very high in search engines so that it appears as a top search result, a technique known as "blackhat search engine optimization (SEO)."
CONCLUSION

In order to avoid being hit by these shady organizations, users should ensure that they always have the latest versions of their antivirus software of choice running on their PCs. If possible, it is also worth considering using security software that makes you a part of a community-based network such as the Trend Micro Smart Protection Network™. Smart Protection Network combines unique Internet-based technologies with lightweight clients. By checking URLs, emails, and files against continuously updated and correlated threat databases in the cloud, customers always have immediate access to the latest protection wherever they connect—from home, within the company network, or on the go. This approach is particularly effective in dealing with malware that propagates via the Web such as BREDOLAB and PUSHDO.

Users who think they may have been affected by malware such as BREDOLAB and PUSHDO may also try using a free antivirus tool such as HouseCall, Trend Micro's highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

The Trend Micro Smart Protection Network™ delivers security that is smarter than conventional approaches by blocking the latest threats before they reach you. Leveraged across Trend Micro's solutions and services, the Smart Protection Network provides stronger protection while reducing your reliance on time-consuming signature downloads.
SOURCES

• Alice Decker, David Sancho, Loucif Kharouni, Max Goncharov, and Robert McArdle. (May 22, 2009). "A Study of the Pushdo/Cutwail Botnet." http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf (retrieved October 2009).

TREND MICRO™

Trend Micro, Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our website at www.trendmicro.com.

© 2009 by Trend Micro, Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.