This application requires Javascript for optimal performance.

W32/Bredolab.fam!tr - Released Oct 27, 2009 - Last Updated Nov 02, 2009

Detailed Analysis


Bredolab is a very widely distributed bot that is used to download and execute one or more malware packages on computers that it has infected. It is closely associated with the distribution of fake antivirus programs, but can also be used to install other malware. After its work has been done, Bredolab remains in the background, occasionally checking in with its control server for further instructions.


Technical Details

Distribution

The Bredolab bot is mainly spread through spam email campaigns. It has no ability to spread directly to other computers. As an example, two emails from a recent campaign are shown below, in Figure 1.



Figure 1: Bredobot spam examples.

If the person receiving the email is expecting a package, or works in an office where packages regularly arrive, they probably will get the attachment and unzip it. The unzipped file is about 60 to 70 kilobytes in size, and appears with a Microsoft Excel spreadsheet icon. It is actually an EXE file. When the user tries to open it, the Bredobot installer is executed.

The EXE file is a dropper that installs Bredolab on the victim's system. The installer goes through a constant series of changes. During a period of two weeks that this trojan is being observed, a number of changes have been made on the installer: the number of sections changed from three to four; the order of the sections was rearranged; the section names were also rearranged.


Installation

Phase 1: Bredolab Install

  • When the file from the email is executed, it immediately installs the Bredolab bot.

  • A 43-kilobyte DLL file is dropped as %System%\sys.dat. This appears to be a temporary file used to set up the main DLL.

  • A DLL file with a name made up of random letters is dropped into the System folder. In this example, the name was bhdvgtueyipj.dll. When it is unpacked and installed, the DLL has a size of about 400 kilobytes. This file is identical to sys.dat, except for a block of about 80 bytes in the .data  section, and a few hundred kilobytes of appended data.

  • The following registry keys are added to set bhdvgtueyipj.dll  as a Browser Helper Object (BHO) with the name Microsoft Online Helper!:

    • HKLM\SOFTWARE\Classes\CLSID\{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}
         "Microsoft Online Helper!"

    • HKLM\SOFTWARE\Classes\CLSID\{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}\InProcServer32
         "%System%\bhdvgtueyipj.dll"

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD2F321-B62A-4AC0-AAC5-F41343F0AB8C}
         "Microsoft Online Helper!"

  • The original install file is deleted and the associated process is killed.

  • At this point the bot has been installed as a BHO add-on to Internet Explorer. If Internet Explorer was not open during the installation, no further action will be taken until it is opened.

  • The installed bot can be seen by looking at Manage Add-ons  under the Tools  menu of Internet Explorer. A screenshot of this can be seen in Figure 2 below.



    Figure 2: The Bredobot Browser Helper Object.

Phase 2: Malware Installation

  • The purpose of Bredolab is to download and install other malware.

  • When Internet Explorer is started the Bredobot BHO that has been previously installed becomes active and connects to port 80 on its control server. The server responds with a "HTTP/1.1 200 OK" message containing the data for the first download.

  • When the download is complete, all programs are closed and the computer is rebooted. This reboot is the first visible evidence of Bredobot's presence.

  • When Internet Explorer is started again, the Bredobot BHO again connects to the control server, with a slightly different command. The server again responds with a "HTTP/1.1 200 OK" message containing the data for the second download.

  • The computer is rebooted again at this point. When it has restarted, the Antivirus Pro 2010  malware package that has been installed begins to warn the victim about virus infections it claims to have found.

Phase 3: Background Operation

  • After the initial installation operations are complete, the Bredolab bot becomes inactive. It continues to communicate with its control server whenever Internet Explorer is open.

  • If a new version of the Bredolab BHO is available, it will be downloaded and installed. From this, we can infer that other malware can also be downloaded at any time.

Secondary Infections

The main purpose of the versions of Bredolab that are currently being distributed is to install a fake antivirus product called Antivirus Pro 2010. This program initially displays what seems to be an antivirus scan in progress.



Figure 3: Fake antivirus scan.
The Windows Security Center control panel applet wscui.cpl  has been replaced with a fake one named _scui.cpl. The result can be seen below, in Figure 4. The real Security Center, showing the Firewall and Updates disabled, is on the left. The replacement is on the right. It contains a handy link that the victim can click to pay for an Antivirus Pro 2010  license.



Figure 4: The real Security Center and the fake one.

The table below shows the files that are detected by Antivirus Pro 2010  as malware. These files were installed at the same time as Antivirus Pro 2010. All of the files appear to contain random data, with no header of any kind.

Files Size Antivirus Pro 2010 AV Scan Result
batava.com 19520 Adware.IpWins Not detected
cisemyhoqa.scr 15207 AceBot Not detected
elyrojac.bin 11425 Adlogix Not detected
erefupaf.vbs 15552 Adlogix Not detected
fugiwor.dat 19029 AceBot Not detected
hexeb.reg 12123 AceBot Not detected
ipem.bin 17210 PopMonster Description Not detected
ipyguv.sys 19674 PerMedia Not detected
itumevah._dl 12088 Adware.IpWins Not detected
juve._sy 14962 A-Trojan 2.0 Not detected
KYTYM.DLL 11393 Adlogix Not detected
omygahowu.scr 16767 Mpower Not detected
owojaniwi.dll 12226 AceBot Not detected
OZUDO.SCR 14228 BackWebLite Not detected
pucuric.com 19056 Adware.IpWins Not detected
QAZEBULE._SY 12678 AceBot Not detected
roqagafo.ban 14302 A-Trojan 2.0 Not detected
taco.db 10704 AceBot Not detected
tubute._dl 10324 AceBot Not detected
udih._sy 16226 NavExcel Not detected
uqel.inf 13903 Msiebho Not detected
ximyjitemy.db 16812 Advware.Adstart.b Not detected
ynyb.db 11277 Msiebho Not detected
ysirotypy.scr 14745 A-Trojan 2.0 Not detected
ywumidoj.vbs 14255 AceBot Not detected


One other piece of malware was added to the system during the installation phase. At some point, the computer was also infected with the ZBot trojan. The main ZBot executable file, sdra64.exe, and other ZBot files, were installed and the Winlogon  registry key was changed. But when Bedolab finished installing Antivirus Pro 2010, sdra64.exe  had been removed, although the registry key remained.


Conclusion

Bredolab performs a fairly simple task, to download and install one or more malware packages. It has some features not found in traditional downloaders. Most important are its ability to update itself and check for new downloads to install. It may also be able to report some information back to the control server. These are features one should expect to find in a modern downloader.


Bredolab Variations

There are currently two different downloaders that are widely identified as Bredolab. They differ mainly in the way they install themselves on the victim's computer. They can easily be identified by their sizes: the larger executable is about 60k, and the smaller one is 25k to 30k. The larger downloader, which adds itself as a BHO, is the one examined here. The smaller one exploits vulnerabilites to hook itself into the system.

In the current campaign both Bredolab downloaders install AntivirusPro 2010  by downloading and executing the same installer files. This has probably led to some confusion between the two because most of the files added to infected systems are the same.

The downloaders arrive as attachments to very similar spam emails. The naming of the attachments is also very close. Here are some attachment names and sizes from a single day.

DHL_package_label_4faa6.exe      61440 
DHL_package_label_6f1aa.exe       61440
DHL_package_label_7c497.exe       61440
DHL_package_label_87ec2.exe       61440
DHL_package_label_cffa2.exe       61440
DHL_print_label_4d53f.exe         23552
DHL_print_label_81bc5.exe         24064
DHL_print_label_8a0bd.exe         24064
DHL_print_label_acbe9.exe         23552
DHL_print_label_d8e95.exe         23552

As of October 27, 2009 the "DHL" campaign is clearly drawing to a close. Spam carrying the small version has stopped and spam with the large version has almost stopped. Many new emails with the small version have been seen. These have "Facebook Password Reset Confirmation" as the subject and attachment names like Facebook_Password_420ca.exe. New spam with the large version have not been seen yet. If they do arrive, it could demonstrate a connection between the two downloaders.

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1097244