RSA Admin

Bredolab Takedown Just the tip of the Iceberg

Blog Post created by RSA Admin Employee on Aug 22, 2012



Recent reports from various sources in the security industry show that a large takedown of servers associated with the “Bredolab” trojan occurred within the past few weeks. While most of the reports have focused around the idea that this infrastructure was solely related to the command and control of Bredolab, our research shows that these servers were used as an all-purpose hosting infrastructure for criminal activity.


This criminal system came to our attention in July 2010, when NetWitness analysts were asked to investigate a hacked wordpress blog.


We found that the following obfuscated script had been injected into all .html and php pages on the site:



When decoded, this script created a redirect to the following location:




Further investigation revealed an injection of the script into victim webpages via FTP:



These IPs all connected to the victim website within a 20-minute period on May 8th, and when plotted on a map, it becomes obvious that this is likely a botnet.



Down the Rabbit-hole


Once we established the source of the website compromise, we began back-tracking into the criminal infrastructure to help develop intelligence that would assist our customers.  What we found was the following:


The initial injected script:


redirects to obfuscated scripts:




which ultimately result in exploit code being delivered to the visiting browser.   If successful, the following GET occurs which causes the download of the bredolab malware.


Discovery of this infection sequence began a 3-month monitoring activity from June to August 2010.


More on Bredolab


Bredolab rose to prominence in the malware community around the middle of 2009.   Trend Micro has a very good report on the malware’s specifics.


In this particular instance, this Bredolab variant downloaded both Fake AV and ZeuS, which are two well-known malware threats.


1) Fake AV – Installs a fake antivirus program that reports non-existent infections on the host workstation.  The option to “clean” the host is given if the user agrees to pay a fee for the “pro” or “advanced” version of the software.  This particular combination of social engineering and malware has been very popular in the past few years as it has a three-part punch:


  1. The miscreant establishes a foothold on the compromised PC.
  2. The miscreant makes money from those users that pay the “upgrade” fee.
  3. The miscreant has access to the payment method of the user after he or she makes payment (credit card, paypal,etc), which can be used for further fraud.


2) ZeuS – An all-purpose information stealer that has historically been focused on financial fraud.   Because online hosts often have the ability to use a web-based client to remotely manage files and folder on a host, this may likely be one of the sources for the stolen FTP credentials used in script injection. 


Although not part of the campaign detailed here, Bredolab has been observed downloading other malware families, which provided evidence that the operator used the system in pay-per-install affiliate programs or provided install services to other miscreants.


Further into the infrastructure


Shortly after our initial investigation began, open source research in the security community into common paths on the miscreant servers revealed active Apache Server Status pages, a feature in the Apache webserver that allows you to monitor performance of your installation.  This finding allowed us to log and further develop intelligence based on the page visits that we observed on the miscreant servers.


With this bit of information, we were able to take the previously known infection sequence, and expand it:


1) The initial directory sequence observed in the original injected script:




was only one of many variations, some of which are as follows:


  • GET / HTTP/1.0
  • GET / HTTP/1.0
  • GET /dangdang-com/ HTTP/1.0
  • GET /elpais-com/ HTTP/1.0
  • GET /focus-cn/ HTTP/1.0
  • GET /verizonwireless-com/ HTTP/1.0
  • GET /vmn-net/ HTTP/1.0


We surmised that this seemingly random combination of high-traffic sites served two purposes: 


  • Establish “legitimacy” during casual inspection.
  • Make the creation of intrusion detection signatures on this particular phase difficult.


2) Specific paths to exploit artifacts, which included: 


  • GET /Notes1.pdf HTTP/1.0
  • GET /Notes2.pdf HTTP/1.0
  • GET /Notes3.pdf HTTP/1.0
  • GET /Notes4.pdf HTTP/1.0
  • GET /Notes5.pdf HTTP/1.0
  • GET /Notes6.pdf HTTP/1.0
  • GET /Notes7.pdf HTTP/1.0
  • GET /Notes8.pdf HTTP/1.0
  • GET /Notes9.pdf HTTP/1.0
  • GET /Notes10.pdf HTTP/1.0
  • GET /NewGames.jar HTTP/1.0
  • GET /Games.jar HTTP/1.0
  • GET /Applet1.html HTTP/1.0
  • GET /Applet4.html HTTP/1.0
  • GET /Applet10.html HTTP/1.0


3)   Additional Malware Downloads: 


  • GET /images/gr_old_cr.exe HTTP/1.0


Examining Exploits


By taking a closer look at one of the exploits used in this particular campaign during the observed time period, we saw a common theme that is being used by most criminal elements in the current threat environment.


  • Client-side vulnerabilities in third-party software


Criminal elements have learned that organizations typically have OS-level patching under control, but the patching of third-party applications is often outside of the capabilities of most organizations.  This is usually due to both the complication of centralizing third-party patching, but more so because of the linking of commodity technologies, such as PDF readers, into mission-critical business processes that may be interrupted by upgraded versions and require lengthy testing prior to extensive deployment. 


In this case, we see the following exploits being used in the exploit PDFs:



Which, when successful, calls out to the previously observed urls:


While we did see multiple versions of this pdf file (1-10), they were all structurally identical, with slight changes to change the file enough to bypass antivirus detection.


A change of tactics


On or around June 11th, we observed a tactics change by the miscreants, based on the previously observed exploit-cycle. The previously seen requests, such as:


  • GET / HTTP/1.0


Stopped occurring, and we began seeing requests formatted as follows:


  • GET /E-mail.js HTTP/1.0
  • GET /Filename.js HTTP/1.0
  • GET /Gnutella.js HTTP/1.0


These requests were made to the same servers, but on port 80 (rather than the previously observed 8080).    While it wasn’t immediately apparent at the time, this change signified a significant shift from a single domain based compromise structure to a multi-domain system that assigned specific roles to domains according to their desired use. 


An Intelligence Breakthrough


At this point in the investigation, we began linking like servers together based on community reports and our own field work with indicators such as malware and exploit filenames.   Since they all had available server status pages, this again expanded our ability to collect intelligence on this system. A breakthrough occurred when we observed one of the exploit servers transferring a tgz archive from one of the other servers in the system via HTTP. With the proper path, we were then able to retrieve this file directly from the exploit server and further explore it. This archive contained a series of DNS zone configuration files that detailed the infrastructure with labels and allowed us completely map the system as it was updated.  We surmised that the configuration files were used by the criminal miscreants to update their exploit system in an automated fashion.  This would allow quick updates when security researcher activity caused a takedown of a suspect domain.  With this discovery, we began logging changes to the infrastructure on a daily basis.



Mapping the Infrastructure


With the zone information and other monitoring, we observed 114 IP addresses resolving to known malicious domains in this system.


1231262.27.51.163ECOTEL ecotel communication ag
1232288.191.47.83PROXAD Free SAS
1232288.191.79.158PROXAD Free SAS
1232288.191.79.223PROXAD Free SAS
1321383.170.113.88UK2NET-AS UK-2 Ltd Autonomous System
13727216.8.179.23ND-CA-ASN – NEXT DIMENSION INC
1541877.68.52.52FASTHOSTS-INTERNET Fasthosts Internet Ltd. Gloucester
15685217.11.254.41CASABLANCA-AS Casablanca INT Autonomous system
1626585.17.137.40LEASEWEB LEASEWEB AS
1626585.17.19.26LEASEWEB LEASEWEB AS
1626594.75.243.6LEASEWEB LEASEWEB AS
16276178.32.1.70OVH OVH
16276188.165.124.185OVH OVH
16276188.165.159.139OVH OVH
16276188.165.192.22OVH OVH
16276188.165.196.19OVH OVH
16276188.165.204.115OVH OVH
16276188.165.61.44OVH OVH
16276188.165.95.132OVH OVH
16276188.165.95.133OVH OVH
16276213.186.47.177OVH OVH
16276213.251.164.84OVH OVH
1627687.98.149.171OVH OVH
1627691.121.108.38OVH OVH
1627691.121.11.69OVH OVH
1627691.121.15.168OVH OVH
1627691.121.162.65OVH OVH
1627691.121.163.43OVH OVH
1627691.121.167.167OVH OVH
1627691.121.174.152OVH OVH
1627691.121.182.209OVH OVH
1627691.121.226.19OVH OVH
1627691.121.27.197OVH OVH
1627691.121.3.80OVH OVH
1627691.121.74.88OVH OVH
1627694.23.110.107OVH OVH
1627694.23.12.62OVH OVH
1627694.23.158.31OVH OVH
1627694.23.198.9OVH OVH
1627694.23.220.163OVH OVH
1627694.23.220.194OVH OVH
1627694.23.224.132OVH OVH
1627694.23.228.40OVH OVH
1627694.23.229.220OVH OVH
1627694.23.24.66OVH OVH
1627694.23.28.143OVH OVH
1627694.23.34.93OVH OVH
1627694.23.35.107OVH OVH
1627694.23.92.35OVH OVH
17482.138.98.27COGENT Cogent/PSI
2077387.230.53.82HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
2077387.230.55.58HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
2077387.230.73.52HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
2087787.237.106.195DATEK DATEK Telecom SRL
20912212.66.100.194ASN-PANSERVICE Panservice
2313674.213.179.183ONX – OnX Enterprise Solutions Inc.
24940188.40.81.119HETZNER-AS Hetzner Online AG RZ
2494088.198.14.169HETZNER-AS Hetzner Online AG RZ
2494088.198.35.214HETZNER-AS Hetzner Online AG RZ
2494088.198.49.197HETZNER-AS Hetzner Online AG RZ
2494088.198.55.175HETZNER-AS Hetzner Online AG RZ
2498988.84.145.36IXEUROPE-DE-FRANKFURT-ASN IX Europe Germany AS
2860194.79.88.121NOVIS Novis Telecom
2867762.193.208.175AMEN AMEN Network
28753188.72.211.253NETDIRECT AS NETDIRECT Frankfurt
28753188.72.212.104NETDIRECT AS NETDIRECT Frankfurt
2907394.102.54.11ECATEL-AS AS29073
29131109.169.29.144RAPIDSWITCH-AS RapidSwitch
2914198.64.133.214NTT-COMMUNICATIONS-2914 – NTT America
29321217.195.160.74CENTRONETAS Centronet
2955092.48.119.94SIMPLYTRANSIT Simply Transit Ltd
2955094.76.254.248SIMPLYTRANSIT Simply Transit Ltd
2987367.223.233.101BIZLAND-SD – The Endurance International Group
3133383.151.21.150VOLLMAR-AS AS31333
3136585.153.38.2SGSTELEKOM SGS Telekom Autonomous System
3224467.225.181.217LIQUID-WEB-INC – Liquid Web
3301213.180.79.146TELIANET-SWEDEN TeliaNet Sweden
335662.67.246.113LEVEL3 Level 3 Communications
34265213.108.72.158SILVERTELECOM-AS SilverTelecom Ltd
3476277.241.80.228COMBELL-AS Combell group NV
3477993.103.5.146T-2-AS AS set propagated by T-2
3477993.103.5.156T-2-AS AS set propagated by T-2
3522887.194.123.116BEUNLIMITED Avatar Broadband Limited
3583080.248.221.213SIVIT-AS SIVIT Network –
36057174.137.179.244WEBAIR-AMS Webair Internet Development Inc
3932693.89.80.117GOSCOMB-AS Goscomb Technologies Limited
3958289.106.8.40GRID Grid Bilisim Teknolojileri A.S.
41044194.24.228.81THYA-AS Thya AS Number
413461.177.120.254CHINANET-BACKBONE No.31
42926213.128.83.18RADORE Radore Hosting Telekomunikasyon Hizmetleri San. ve Tic. Ltd. Sti.
4335077.247.180.40NFORCE NForce Entertainment B.V.
4341378.41.22.130ASNEW NEW TELEKOM
4354193.185.105.74VSHOSTING VSHosting s.r.o.
4411277.222.43.78SWEB-AS SpaceWeb JSC
4497691.204.116.114IONOD-AS AZNet Autonomous System
4766218.145.56.55KIXS-AS-KR Korea Telecom
4766222.122.81.54KIXS-AS-KR Korea Telecom
4853991.198.106.6OXILION-AS Oxilion B.V.
49981217.23.7.112WORLDSTREAM WorldStream
5577212.117.161.3ROOT root SA
672485.214.22.200STRATO STRATO AG
690878.41.156.236DATAHOP Datahop Ltd
799272.38.223.96COGECOWAVE – Cogeco Cable
800169.164.212.94NET-ACCESS-CORP – Net Access Corporation
856087.106.99.134ONEANDONE-AS 1&1 Internet AG
8935212.19.216.11INTOUCH-CS-AS Amsterdam
897262.75.161.249PLUSSERVER-AS PlusServer AG
897262.75.162.196PLUSSERVER-AS PlusServer AG
897285.25.152.176PLUSSERVER-AS PlusServer AG


Which, when plotted on a map, looks like:


This map example shows the high concentration of compromised servers in the OVH autonomous system, a large hosting company located in France.  While this shouldn’t specifically illustrate that OVH is overtly malicious, it does show that their hosting strategies are permissive to cybercrime (or at least, they are not staffed or equipped to handle abuse requests in a timely manner.).  This data also doesn’t take into account sink-holing activity, in which a security researcher will register a known malicious domain and redirect its traffic to a friendly server for intelligence or defensive purposes.


Historically, however, OVH has been highly ranked in most “malicious organization lists” which include the following:



With our new found intelligence in hand, we began mapping the infrastructure according to labels and descriptions that were part of the zone files.   What we found was a tiered infrastructure that spread domains across specific functions. 


A Tiered-Criminal Infrastructure


After analyzing the DNS configuration over the observed time-period, we classified the servers into four distinct “functions”


These were:


  • Command and Control – Domains used for command and control functions
  • Traffic – Domains used in script injection tasks
  • Exploit – Domains used to exploit visiting browsers
  • Supporting – Domains used to support other cybercrime ventures


Command and Control Domains 


During our observation, we tracked 23 domains specifically devoted to C2 activity, which were then sub-divided into other categories:


afterspan.ruBredolab Command and Control
alesolo.ruBredolab Command and Control
armyerror.ruBredolab Command and Control
bayjail.ruBredolab Command and Control
coolblender.ruBredolab Command and Control
discountprowatch.comBredolab Command and Control
evilpal.ruBredolab Command and Control
exitguide.ruBredolab Command and Control
eyesong.ruBredolab Command and Control
feeplain.ruBredolab Command and Control
forhomessale.ruBredolab Command and Control
galoh.ruBredolab Command and Control
hostindianet.comBredolab C2/ DNS configuration
hotgas.ruBredolab Command and Control
imoviemax.ruBredolab Command and Control
localegg.ruBredolab Command and Control
tunemug.ruBredolab Command and Control
yourarray.ruBredolab Command and Control
getyourdns.comDNS Configuration
dnsofthost.comDNS Configuration
instantdnsserver.comDNS Configuration
netdnshosting.comDNS Configuration
netwebinternet.ruUnknown (labeled “Win Proxy”)


Most of these domains all used the same registrar:


registrar:  NAUNET-REG-RIPN


Naunet , a Russian registrar located in Moscow, has been highly visible in many “known bad organization” lists.  Accord to data at URIBL (, nearly 100% of the domains recently registered at this registrar are listed for spam, malware or exploits:


Listed Domains registered at NAUNET-REG-RIPN


97.68% – 970 of 993 domains registered at are listed by URIBL in the 5 day period prior to the 48hr publication delay.


Additionally, the ShadowServer organization has tracked additional malicious  behavior (to which NetWitness was a contributor) from this registrar:


According to the NAUNET website, multiple avenues of “support” contact information are given for contact, but in our experience, abuse notifications are never answered.   This, combined with observed behavior, makes it highly likely that NAUNET-REG-RIPN is complicit in cybercrime activity, if not directly involved.


Traffic Domains


The next group of domains were what we classified as “traffic domains”.


These domains were used specifically in injection and spam tasks, and either via injected script or direct hyperlink to direct visiting browsers to exploit domains for exploitation and malware downloads:


In the case of this group of domains,  all were registered at NAUNET-REG-RIPN:


Again showing ongoing abuse occurring with this registrar.


Exploit Domains


The third group of domains, which were the most numerous (380) of the classifications, where used exclusively for host exploitation and typically listened on port 8080 for connections:


The majority of these domains were again registered at NAUNET, but we also see an additional familiar face in the “bad registrar” space:


  • Registrar: BIZCN.COM, INC.  (number 12 on
  • Registrar: ONLINENIC, INC.


Supporting Domains 


The fourth and final classification of domains in this infrastructure were devoted to a number of “supporting activities”, most notably elements that are typically the subject matter of mass-spam campaigns.


This includes:


  • Pharmacy Sites
  • Gambling
  • Pornography
  • Counterfeit Merchandise
  • Pirated Video
  • Online Dating



The domains in this group were as follows:


bestviagraa.comPharmacy Spam
bestviagracenter.comPharmacy Spam
bestviagrapharmacies.comPharmacy Spam
bestviagrapills.comPharmacy Spam
buynowviagra.comPharmacy Spam
buyviagraworld.comPharmacy Spam
cheapdrug-shop.comPharmacy Spam
cheapviagrarx.comPharmacy Spam
co-pharmacy.comPharmacy Spam
drugbestprice.comPharmacy Spam
drugs-shop4u.comPharmacy Spam
drugshops24.comPharmacy Spam
eropharmacy.comPharmacy Spam
esuperviagra.comPharmacy Spam
expressviagraonline.comPharmacy Spam
greatviagrabest.comPharmacy Spam
greatviagraprice.comPharmacy Spam
i-drugshop.comPharmacy Spam
live-pharmacy.comPharmacy Spam
mybestviagra.comPharmacy Spam
naturalviagraonline.comPharmacy Spam
onlineviagraorder.comPharmacy Spam
pharmacy-4you.comPharmacy Spam
pharmacy-magazine.comPharmacy Spam
superviagraonline.comPharmacy Spam
thecheapviagra.comPharmacy Spam
thenaturalviagra.comPharmacy Spam
thesuperviagra.comPharmacy Spam
theviagrapills.comPharmacy Spam
theviagrasite.comPharmacy Spam
viagra-international.comPharmacy Spam
viagrabestprices.comPharmacy Spam
viagrapriceline.comPharmacy Spam
web-drugshop.comPharmacy Spam
world-drugshop.comPharmacy Spam
discount-bestwatch.comCounterfeit Merchandise
discount-bestwatches.comCounterfeit Merchandise
discount-smartwatch.comCounterfeit Merchandise
watch-atbestprice.comCounterfeit Merchandise
watchatlowprice.comCounterfeit Merchandise
gr8kino.ruPirated Video
100bestfilms.ruPirated Video
kino-welcome.ruPirated Video
skachivai-kino.ruPirated Video
seebestkino.ruPirated Video
hochutebia.ruOnline Dating
hotsex-meets.ruOnline Dating
dating-4you.ruOnline Dating
dating-group.ruOnline Dating
dating-spot.ruOnline Dating
love-pair.ruOnline Dating
xochu-dating.ruOnline Dating


An added bit of intelligence that came through the server status pages on these servers was the proxying of “” through all of the exploit domains.  This was evident by the following request:


GET /scan4u/ HTTP/1.0,2010-06-10 10:00:01


GETs of the following URL from any exploit domain on port 8080 resulted in a connection to _http://scan4u.net_


http://domain:8080/scan4u is essentially a “criminal virustotal plus”.  That is, it is a service where a miscreant can submit a newly created malware binary to gauge the detection rate of various antivirus vendors.  While similar to virustotal in this regard, the key is that scanned binaries aren’t submitted to the antivirus vendors in question, as is done with virustotal.  A general overview of the service (translated from Russian) shows the following key points:


  • The service doesn’t submit to anti-virus vendors.
  • Antivirus clients are updated hourly to maintain a current definition set.
  • Submitted binaries are rechecked on a schedule and customers are emailed about new detections.


As well as antivirus checks, the miscreants running the service appear to have extended their checks into the online blacklist area: 


“Domain check on presence in black list: ZeuS domain blocklist, ZeuS IP blocklist, ZeuS Tracker, MalwareDomainList (MDL), Google Safe Browsing (FireFox), PhishTank (Opera, WOT, Yahoo! Mail), hpHosts, SPAMHAUS SBL, SPAMHAUS PBL, SPAMHAUS XBL, MalwareUrl,SmartScreen (IE7/IE8 malware & phishing Web site),Norton Safe Web, Panda Antivirus 2010, (Firefox Phishing and Malware Protection), and RFC-Ignorant.Org.”


This update indicates ongoing blacklist checks across a variety of services, including:


  • Security researcher and community published blacklists (zeustracker, malwaredomainlist, malwareurl, phishtank, spamhaus)
  • Browser-based anti-phishing technology (google safe browsing, smartscreen)
  • Vendor blacklists (Norton, Panda, etc.)



Miscreants using this service have a one-stop shop for both the detection of malicious binaries as well as the existence of their delivery systems in disparate blacklists across the Internet.


Tying it together


When the numbers are looked at as a whole, the infrastructure shows knowledge of defender techniques, as well as insight into the various money-making schemes involved.



Exploit domains are, by far, the largest slice of the total number of involved domains.  Because exploit activity is often the “noisiest” of the infection cycle in a malware campaign and usually the mostly likely target for takedown,  it makes sense that this operator would have a large quantity of such domains to rotate into campaigns as needed. Details showed this was a proxy network as well, so the use of compromised servers as a front-line helps to prevent takedown of the back-end servers feeding the system.


Based on the gathered intelligence as a whole, the operator was likely making money off of this scheme in a number of ways:


  • Multiple Bredolab C2 domains indicate a segregated botnet which suggests that the operator rented portions of the botnet out to end-users.
  • Executable delivery as part of second-stage after Bredolab installation.
  • Executable delivery outside the observed infection chain (directly from a domain subdirectory) suggests hosting services for other malware campaigns.
  • Proxying of third-party sites indicates spam-related hosting services for items that are of high risk for takedown. (pharmacy, gambling, pornography, etc.).
  • Proxying of the “” service.





The intelligence gathered on this system show the continuing advancement of criminal exploit systems and detail the following points:


  1. The continued abuse of online hosting and registration services, and the associated lack of action by ICANN and Regional Registries in suspending organizations associated with criminal activity, despite overwhelming evidence of abusive, permissive or neglectful activity.
  2. The use of automation to stymie researcher takedown efforts and creatively weighting points in the malware-infection cycle to predict takedown activity (high number of exploit domains compared to others).
  3. The use of compromised credentials to inject scripts into benign sites and direct visiting browser systems.
  4. The use of compromised servers to host spam-related content and further monetize fraud activity outside of malware infection.
  5. The use of proxy networks to obfuscate primary hosts in the infrastructure.


Special thanks to the following researchers, who played a key role in helping us understand this system:


Vitaly Kamluk – Kaspersky Lab, Japan
Steven Burn – Ur I.T. Mate Group


Happy Hunting!


Alex Cox, Principal Research Analyst