Bredolab Massively Infects Machines Through PDF And SWF Files, Makes Into Top Ten Threats List
ESET have issued a press release concerning Win32/TrojanDownloader.Bredolab.AA, which made the top ten threat listing in June ThreatSense.Net® report.
The Bredolab trojan is the top-scoring threat in the Czech Republic and Slovakia, but also scoring high in other European countries. It appears in the Top 5 list of threats in Austria, Poland, Turkey; in the Top 10 in Bulgaria, the United Kingdom, Sweden, Belgium, Russia and Germany; in the Top 20 in the Ukraine and Italy, and in the Top 40 in France. In Ireland it has climbed from 40th place into the Top 15.
This is a class of application that is intended to act as an intermediary to the infective process. The label is applied to a range of variants that commonly inject themselves into running processes and attempt to disable some security processes, while creating a registry key that ensures that the malicious executable is run at every system startup. It communicates with its command and control (C&C) server over HTTP. This malware has been associated with other malware activity such as Gumblar and Win32/Wigon. There is a great deal of Bredolab activity in combination with Flash (SWF) and Acrobat (PDF) exploits, so it’s more important than ever to keep up with Adobe updates and patches as well as Microsoft’s. Indeed, nowadays it pays to keep an eye on new patches for any applications and utilities you use. Hopefully, Adobe’s new patching mechanisms will help to reduce the impact of these exploits in the longer term.
When a downloader is installed and active on a system, its main (or only) job is to download malware from a remote site, but it may well make changes to the system such as those described above in order to increase its chances of doing so successfully. There have also been some cases when Bredolab Trojan was downloaded by other downloaders in the Win32/TrojanDownloader.FakeAlert family, demonstrating a connection to rogue security application malware.
Other vendors describe different variant suffixes (.G, .HW etc.) as referring to this detection: however, because of the varying detection algorithms used by different vendors, it’s unlikely that there will be an exact match in all cases.
The use of file formats such as PDF which most users think of as trustworthy is not a new tactic: in fact, like other document formats such as those used by Microsoft Office, they’re commonly used in targeted phishing attacks. However, the noticeable rise in Bredolab detections, especially in Europe, demonstrates that it is extremely active at the moment.
Users should, as always, take care when opening e-mail attachments and exercise caution while browsing the web, but they should also be sure to keep up with security patches to application software.
Credit: ESET ThreatBlog
More on CyberInsecure:
Posts
March 18th, 2010 at 4:02 pm
Thanks for the info. Do you know how to get rid of it?
March 18th, 2010 at 5:50 pm
john o’leary: Use one of the leading anti-virus products and scan your entire hard drive, preferably by using a bootable CD. To be sure, use at least 2 different products from different vendors.
After removal, monitor the system for any suspicious online activity for a while.
If there are backups, a much easier/faster solution would be formatting and installing the OS from scratch.