Bredo Botnet: Is it Coming Back?

Photo credit: 360b/

AppRiver, which clocked the increase, said that “this one was quite unlike anything we’ve seen to this point.” In a blog post, the company explained that its data center processed 10 to 12 times the normal amount of traffic on Wednesday – mainly due to messages that its analyst team discovered were designed to deliver a new Bank of America trojan.

“Our security analysts spent some time looking at this virus and found it was being classified by at least one AV vendor as being a Bredo virus,” the company explained. “Running the message through a variety of virus scanners showed that only 11 of 51 antivirus vendors were classifying it as malware.”

The main goal of the virus is to steal information such as banking info or to record keystrokes. AppRiver said that the software may also have abilities to further infect a system by downloading more malware on to the machine.

If it is indeed a Bredo variant, it also has the capability to scale immensely.

Bredo is perhaps best-known from the BredoLab botnet, which rose to prominence in August 2009. Its main form of propagation was sending malicious emails with malware attachments that turned the recipient's machine into a zombie controlled by the botnet. At its peak, the botnet was capable of sending 3.6 billion viral emails every day. Security researchers estimate that the owner of the botnet made up to $139,000 a month from botnet-related activities, including renting out parts of the botnet to others. In October 2010, however, Dutch law enforcement agents seized control of the botnet herder's central hub, disrupting the apparatus.

This week’s flare-up obviously upped the ante in terms of volume, but AppRiver said that, overall, spikes in the number of incoming messages with viruses attached have increased tremendously.

“Over the last month we’ve caught and blocked a set of virus campaigns that use new and novel tactics designed specifically to beat filtering engines,” the company noted. “One common component of all these campaigns is enormous volumes of traffic being sent to data centers, with peaks reaching three or four times normal network traffic.”

This time around, “the sheer volume of the traffic caused some of our customers delays in sending and receiving mail,” it said. “Once we were able to isolate and analyze the malicious messages, we quickly choked them off and mail flow returned to normal.”
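The volume spikes AppRiver describes (peaks of three or four times normal traffic, and ten to twelve times in this case) are the kind of signal a mail gateway can flag automatically by comparing each hour's inbound count against a rolling baseline. The following is an added example, not AppRiver's code or tooling: the hourly counts are constructed sample data, the six-hour window and the 3x and 10x thresholds are assumptions, and the attachment share is reported alongside each spike because the campaigns discussed here were attachment-borne.

```python
from statistics import median
from typing import List, NamedTuple


class HourSample(NamedTuple):
    label: str      # hour bucket label (constructed, not a real timestamp)
    total: int      # all inbound messages seen in that hour
    attached: int   # messages carrying a file attachment


# Constructed sample: eight quiet hours, a burst of attachment-bearing mail,
# then a return to normal once the malicious messages are being filtered.
SAMPLE_HOURS: List[HourSample] = [
    HourSample("h00", 40000, 2100),
    HourSample("h01", 42000, 2300),
    HourSample("h02", 39000, 2000),
    HourSample("h03", 41000, 2200),
    HourSample("h04", 43000, 2400),
    HourSample("h05", 40500, 2150),
    HourSample("h06", 44000, 2500),
    HourSample("h07", 41500, 2250),
    HourSample("h08", 150000, 110000),  # roughly 3.6x baseline, mostly attachments
    HourSample("h09", 470000, 425000),  # roughly 11x baseline
    HourSample("h10", 46000, 2600),     # back to normal after filtering
]


class Spike(NamedTuple):
    label: str
    ratio: float             # hour total divided by the rolling baseline
    attachment_share: float  # fraction of that hour's messages with attachments
    severity: str            # "elevated" (>= threshold) or "severe" (>= severe_ratio)


def detect_volume_spikes(samples: List[HourSample], window: int = 6,
                         threshold: float = 3.0, severe_ratio: float = 10.0) -> List[Spike]:
    """Flag hours whose message count exceeds `threshold` times the median of
    the preceding `window` hours. The median is used rather than the mean so a
    single burst hour does not inflate the baseline for the hours after it."""
    spikes: List[Spike] = []
    for i in range(window, len(samples)):
        history = samples[i - window:i]          # excludes the current hour
        baseline = median(h.total for h in history)
        cur = samples[i]
        ratio = cur.total / baseline
        if ratio >= threshold:
            severity = "severe" if ratio >= severe_ratio else "elevated"
            spikes.append(Spike(cur.label, round(ratio, 1),
                                round(cur.attached / cur.total, 2), severity))
    return spikes


if __name__ == "__main__":
    for s in detect_volume_spikes(SAMPLE_HOURS):
        print(f"{s.label}: {s.ratio}x baseline, {s.attachment_share:.0%} with attachments ({s.severity})")
```

Because the baseline is a median over the trailing window, the 150,000-message hour does not drag the baseline up for the hour that follows it, so the 470,000-message hour is still scored at roughly eleven times normal; a mean-based baseline would have understated it. The window and thresholds should be tuned to the gateway's own traffic pattern.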

Of course, ebbs and flows in spam volume are not new phenomena. Information from Symantec’s MessageLabs compiled by researcher Brian Krebs shows that global spam volumes tend to fall and spike fairly regularly, from highs of 6 trillion messages sent per month to just below 1 trillion.

“Some of the points…where spam volumes fall precipitously roughly coincide with major disruptive events, such as the disconnection of rogue ISPs McColo Corp. and 3FN, as well as targeted takedowns against major spam botnets, including Bredolab, Rustock and Grum,” he said.

Trend Micro has warned that malware-bearing spam is continuing to increase.

“Even though there may be more complex ways of infecting systems, the use of malware attachments remains constant in the threat landscape,” the company said in a blog. “This suggests that there are users who still fall prey to simple techniques (such as urging users to click on an attachment). We noticed that the number of spam with malicious attachments fluctuated throughout the year, before it steadily increased in the latter months.”
