Police Take Over Bredolab Malware

The High Tech Crime Team in Holland have taken over the 143 command and control servers that manage a 30 million node botnet based on the Bredolab malware.

…Bredolab was capable of infecting 3 million computers a month. At the end of 2009 it was estimated that 3.6 billion emails, each containing the files needed to infect the system and join it to the Bredolab botnet, were sent daily.

Shortly after the takedown announcement, a 27-year-old Armenian was arrested in connection with the botnet. He was detained at the Yerevan Airport in Armenia [on his way home from Moscow]. It’s reported that he had tried to regain control of the botnet, and when the attempts failed, he used 220,000 systems to launch an attack against LeaseWeb. The DDoS failed when the servers [in Paris] were pulled from the Web.

Bredolab also spread by looking for Web server passwords and then installing an infection kit on Web pages.

The above quote is from the Tech Herald, which also makes note of the fact that the majority of command and control servers for botnets are actually hosted in the US. Botnet administrators might live in another country from their servers, or they might not. The Tech Herald calls it an ISP “shame” inside American borders.

The Dutch Police action already might seem like a big step for fighting botnets. Yet that is not the end of the story. It just gets more controversial from here. They also used their new found control of the botnet to update infected systems and redirect their browsers to a warning page on the Police website. Would you believe this page is real?

Ironic that the bottom of the page just has a link called “More information”. Would you click on the link? There is scant information to prove this page is authentic. It should be hard to trust this if you have never before read pages from the Dutch Police and their HTCT.

Although some who are infected may appreciate hearing from the police that their computer has malware (cue image of woman tied to railroad tracks) the police action seems aggressive and definitely breaks new ground. I wonder whether victims will see this as a public service saving them from even greater disaster or as a breach of trust and unnecessary risk.

Do the police justify moving from takedown to control and command of a botnet as necessary — quick action in the face of imminent harm? Maybe it will prove to be the most effective way to educate users and prevent reinfection.

It is difficult to say victims could ever be worse off when controlled by Dutch police instead of the former Botnet administrator. The man accused and arrested clearly had malicious intent. Then again police abuse and corruption is not totally fiction.

I am tempted to compare the situation with a non-technology rescue operation. Victims first end up in the care of a rescue team before being released. The problem with technology, however, is the abuse of the situation by those in control is far less clear than the physical world. It therefore makes sense to address the tough questions ahead of time. The Dutch victims should be able to review police rules of engagement such as their procedure and policy. Victims should know what other actions the police may take or their protection from abuse, in other words, now that they are in something akin to “safe custody”.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.