| Release Date | Oct 27, 2009 |
| Detection Availability | Current Antivirus Definition Database Version: 11.593 |
Description
Visible Symptoms
- Possible firewall alert that an executable is attempting to connect to the internet.
- The fake antivirus program Antivirus Pro 2010 may be installed on the user's computer.
Detailed Analysis
Bredolab is a very widely distributed bot that is used to download and execute one or more malware packages on the computers it has infected. It is closely associated with the distribution of fake antivirus programs, but it can also be used to install other malware. Once that work is done, Bredolab remains in the background, occasionally checking in with its control server for further instructions.
Technical Details
Distribution
The Bredolab bot is mainly spread through spam email campaigns. It has no ability to spread directly to other computers. As an example, two emails from a recent campaign are shown below, in Figure 1.
Figure 1: Bredobot spam examples.
If the person receiving the email is expecting a package, or works in an office where packages regularly arrive, they will probably save the attachment and unzip it. The unzipped file is about 60 to 70 kilobytes in size and appears with a Microsoft Excel spreadsheet icon, but it is actually an EXE file. When the user tries to open it, the Bredobot installer is executed.
The EXE file is a dropper that installs Bredolab on the victim's system. The installer is constantly being changed. During the two weeks this trojan was observed, several changes were made to the installer: the number of PE sections changed from three to four, the order of the sections was rearranged, and the section names were rearranged as well.
Installation
Phase 1: Bredolab Install
- When the file from the email is executed, it immediately installs the Bredolab bot.
- A 43-kilobyte DLL file is dropped as %System%\sys.dat. This appears to be a temporary file used to set up the main DLL.
- A DLL file with a name made up of random letters is dropped into the System folder. In this example, the name was bhdvgtueyipj.dll. When it is unpacked and installed, the DLL has a size of about 400 kilobytes. This file is identical to sys.dat, except for a block of about 80 bytes in the .data section, and a few hundred kilobytes of appended data.
- The following registry keys are added to set bhdvgtueyipj.dll as a Browser Helper Object (BHO) with the name "Microsoft Online Helper!":
  - HKLM\SOFTWARE\Classes\CLSID\{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}: "Microsoft Online Helper!"
  - HKLM\SOFTWARE\Classes\CLSID\{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}\InProcServer32: "%System%\bhdvgtueyipj.dll"
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}: "Microsoft Online Helper!"
- The original install file is deleted and the associated process is killed.
- At this point the bot has been installed as a BHO add-on to Internet Explorer. If Internet Explorer was not open during the installation, no further action will be taken until it is opened.
- The installed bot can be seen by looking at Manage Add-ons under the Tools menu of Internet Explorer. A screenshot of this can be seen in Figure 2 below.
Figure 2: The Bredobot Browser Helper Object.
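As an added example (not code from the original advisory), the Python below parses a `reg export` text dump and reports whether the three registry indicators listed in Phase 1 are present. The embedded export is constructed from the page's CLSID, display name and example DLL name; the `C:\WINDOWS\system32` path is an assumed expansion of %System%.

```python
# Added example: parse a .reg export and report the Bredolab BHO indicators.
BREDOLAB_CLSID = "{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}"   # CLSID from the advisory
BREDOLAB_NAME = "Microsoft Online Helper!"                   # BHO display name

# Constructed sample export (DLL name is the page's example; the path is assumed).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}]
@="Microsoft Online Helper!"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}\InProcServer32]
@="C:\\WINDOWS\\system32\\bhdvgtueyipj.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}]
@="Microsoft Online Helper!"
"""

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):      # key header
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:            # value line
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):  # unescape REG_SZ
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def check_bredolab_bho(text):
    """Summarise which of the advisory's three registry indicators are present."""
    result = {"clsid_registered": False, "bho_registered": False,
              "dll_path": None, "display_names": []}
    for path, values in parse_reg_export(text).items():
        upper, default = path.upper(), values.get("(Default)", "")
        if upper.endswith("\\CLASSES\\CLSID\\" + BREDOLAB_CLSID):
            result["clsid_registered"] = True
        elif upper.endswith(BREDOLAB_CLSID + "\\INPROCSERVER32"):
            result["dll_path"] = default            # the dropped random-name DLL
        elif upper.endswith("\\BROWSER HELPER OBJECTS\\" + BREDOLAB_CLSID):
            result["bho_registered"] = True
        if default == BREDOLAB_NAME:
            result["display_names"].append(path)
    # IE only loads the DLL if the BHO entry exists and InProcServer32 names a file
    result["infected"] = result["bho_registered"] and result["dll_path"] is not None
    return result
```

On a live system, feed it the output of `reg export HKLM\SOFTWARE out.reg` (read as UTF-16) instead of the constructed sample.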
Phase 2: Malware Installation
- The purpose of Bredolab is to download and install other malware.
- When Internet Explorer is started the Bredobot BHO that has been previously installed becomes active and connects to port 80 on its control server. The server responds with a "HTTP/1.1 200 OK" message containing the data for the first download.
- When the download is complete, all programs are closed and the computer is rebooted. This reboot is the first visible evidence of Bredobot's presence.
- When Internet Explorer is started again, the Bredobot BHO again connects to the control server, with a slightly different command. The server again responds with a "HTTP/1.1 200 OK" message containing the data for the second download.
- The computer is rebooted again at this point. When it has restarted, the Antivirus Pro 2010 malware package that has been installed begins to warn the victim about virus infections it claims to have found.
Phase 3: Background Operation
- After the initial installation operations are complete, the Bredolab bot becomes inactive. It continues to communicate with its control server whenever Internet Explorer is open.
- If a new version of the Bredolab BHO is available, it will be downloaded and installed. From this, we can infer that other malware can also be downloaded at any time.
Secondary Infections
The main purpose of the versions of Bredolab that are currently being distributed is to install a fake antivirus product called Antivirus Pro 2010. This program initially displays what seems to be an antivirus scan in progress.
Figure 3: Fake antivirus scan.
The Windows Security Center control panel applet wscui.cpl has been replaced with a fake one named _scui.cpl. The result can be seen below, in Figure 4. The real Security Center, showing the Firewall and Updates disabled, is on the left. The replacement is on the right. It contains a handy link that the victim can click to pay for an Antivirus Pro 2010 license.
Figure 4: The real Security Center and the fake one.
The table below shows the files that are detected by Antivirus Pro 2010 as malware. These files were installed at the same time as Antivirus Pro 2010. All of the files appear to contain random data, with no header of any kind.
| File | Size (bytes) | Antivirus Pro 2010 (claimed detection) | AV scan result |
| --- | --- | --- | --- |
| batava.com | 19520 | Adware.IpWins | Not detected |
| cisemyhoqa.scr | 15207 | AceBot | Not detected |
| elyrojac.bin | 11425 | Adlogix | Not detected |
| erefupaf.vbs | 15552 | Adlogix | Not detected |
| fugiwor.dat | 19029 | AceBot | Not detected |
| hexeb.reg | 12123 | AceBot | Not detected |
| ipem.bin | 17210 | PopMonster Description | Not detected |
| ipyguv.sys | 19674 | PerMedia | Not detected |
| itumevah._dl | 12088 | Adware.IpWins | Not detected |
| juve._sy | 14962 | A-Trojan 2.0 | Not detected |
| KYTYM.DLL | 11393 | Adlogix | Not detected |
| omygahowu.scr | 16767 | Mpower | Not detected |
| owojaniwi.dll | 12226 | AceBot | Not detected |
| OZUDO.SCR | 14228 | BackWebLite | Not detected |
| pucuric.com | 19056 | Adware.IpWins | Not detected |
| QAZEBULE._SY | 12678 | AceBot | Not detected |
| roqagafo.ban | 14302 | A-Trojan 2.0 | Not detected |
| taco.db | 10704 | AceBot | Not detected |
| tubute._dl | 10324 | AceBot | Not detected |
| udih._sy | 16226 | NavExcel | Not detected |
| uqel.inf | 13903 | Msiebho | Not detected |
| ximyjitemy.db | 16812 | Advware.Adstart.b | Not detected |
| ynyb.db | 11277 | Msiebho | Not detected |
| ysirotypy.scr | 14745 | A-Trojan 2.0 | Not detected |
| ywumidoj.vbs | 14255 | AceBot | Not detected |
One other piece of malware was added to the system during the installation phase: at some point the computer was also infected with the ZBot trojan. The main ZBot executable, sdra64.exe, and other ZBot files were installed, and the Winlogon registry key was changed. By the time Bredolab had finished installing Antivirus Pro 2010, however, sdra64.exe had been removed, although the registry key remained.
Conclusion
Bredolab performs a fairly simple task: it downloads and installs one or more malware packages. It has some features not found in traditional downloaders, the most important being its ability to update itself and to check for new downloads to install. It may also be able to report some information back to the control server. These are features one should expect to find in a modern downloader.
Bredolab Variations
There are currently two different downloaders that are widely identified as Bredolab. They differ mainly in the way they install themselves on the victim's computer and can easily be told apart by size: the larger executable is about 60k, and the smaller one is 25k to 30k. The larger downloader, which adds itself as a BHO, is the one examined here. The smaller one exploits vulnerabilities to hook itself into the system.
In the current campaign both Bredolab downloaders install Antivirus Pro 2010 by downloading and executing the same installer files. This has probably led to some confusion between the two, because most of the files added to infected systems are the same.
The downloaders arrive as attachments to very similar spam emails. The naming of the attachments is also very close. Here are some attachment names and sizes from a single day.
| Attachment name | Size (bytes) |
| --- | --- |
| DHL_package_label_4faa6.exe | 61440 |
| DHL_package_label_6f1aa.exe | 61440 |
| DHL_package_label_7c497.exe | 61440 |
| DHL_package_label_87ec2.exe | 61440 |
| DHL_package_label_cffa2.exe | 61440 |
| DHL_print_label_4d53f.exe | 23552 |
| DHL_print_label_81bc5.exe | 24064 |
| DHL_print_label_8a0bd.exe | 24064 |
| DHL_print_label_acbe9.exe | 23552 |
| DHL_print_label_d8e95.exe | 23552 |
As of October 27, 2009 the "DHL" campaign is clearly drawing to a close. Spam carrying the small version has stopped, and spam with the large version has almost stopped. Many new emails carrying the small version have been seen; these use "Facebook Password Reset Confirmation" as the subject and attachment names like Facebook_Password_420ca.exe. New spam with the large version has not been seen yet. If it does arrive, it could demonstrate a connection between the two downloaders.
Description Last Updated Date: Nov 02, 2009
Reference: ID - 1097244