BredoLabs: A Classic Botnet Story

March 14, 2014 | By Kevin Judge

BredoLabs is the name of both a trojan horse program and the largest botnet ever discovered.  The botnet has been broken up, for the most part, but variations of the trojan are still infecting computers around the globe.

A botnet is a network of compromised computers that hackers use for a variety of nefarious purposes. The BredoLab botnet was used for one of the most common and profitable schemes, mass email spamming. Have you ever had an email account that you had to close down because it was so full of junk email? Have you ever wondered where so many emails come from?

In many cases a botnet is the answer and BredoLabs proves how big a problem botnets can become. At its peak it is estimated that the BredoLab network consisted of 30 million computers, controlled without the users consent and usually without their knowledge.  BredoLabs was sending as many as 3 billion junk and infected emails per month! That is a lot of advertisement’s for Viagra knockoffs or cures for baldness!

How did this exactly work?

 The BredoLab operation was essentially the same as for most botnets.  The BredoLab hackers infected innocent web site with their trojan. Most people infected were tricked to click on a link to an infected site in an email and the BredoLab trojan horse program downloaded onto their computer.

The BredoLab trojan is one of the more effective ever distributed. While other hackers have used variations of BredoLab for other purposes, in this case it downloaded and installed the software necessary to take control of the computer. It also installed software to steal userids and passwords to compromise other networks and web sites. The infected computers were controlled by 170 BredoLabs servers, located mostly in Russia and Armenia.

Crime pays, until it doesn’t

 The BredoLab botnet proved exactly how profitable spam email can be. When the network was uncovered and eventually taken down in 2010, the BredoLabs was earning over $100,000 per month, including from charging others to distribute spam email and malware through his network.

In October 2010 Dutch law enforcement authorities announced that they had wrested control of 143 of the servers. This was the beginning of the end of the party for BredoLabs creator, Georg Avanesov – a Russian citizen of Armenian descent.

Simply disconnecting and seizing the BredoLabs server would not guarantee that Avenesov and company could not recreate the network by directing the infected computers to new servers. To prevent that, the Dutch Police did a little fighting fire with fire.  They “infected” the computers on the BredoLabs botnet with a program that, when they opened their browser, redirected users to a government website with instructions on how to remove BredoLab.

Avenesov was arrested shortly after the botnet was taken down.  He admitted to creating the BredoLab Trojan, but claimed others used it to build the botnet.  He was convicted earlier this year in an Armenian court and sentenced to 4 years in prison.

I have to wonder if 4 years is enough of a sentence to deter such crimes, given their enormous profitability. Avenesov is only 29 years old and will be young enough to still enjoy any ill-gotten gains he has hidden. Of course, he will also be tempted to try again!

Protecting ourselves from becoming a victim of the Avenesovs of this world is a never ending battle. There are still portions of the BredoLab network functioning and variations of the trojan circulating around the internet. Not to mention all of the other criminal schemes threatening anyone who connects to a network.

You can start with never clicking on a link in an email unless you are absolutely sure where the email came from.  That is easier said than done. A lot of malicious emails look very legit. I often right click on addresses and link text to check the real address!

Of course, you should make sure that of your computers and your network servers are using aggressive antivirus and firewall systems. That may seem too obvious to mention, but most network breaches occur because not all network devices are protected. That is particularly true for Point of Sale machines, which are not old fashioned cash registers these days. POS systems need to be treated like any other connected device to keep a network safe.

You are only as secure as your weakest link!

Be Sociable, Share!

    Add new comment

    Your name

    You may use these HTML tags and attributes: <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>