May 24, 2012

Bredolab Botnet Creator Arrested Again

Michael Harper for RedOrbit.com

The creator of the Bredolab botnet, a network of infected machines used mostly to send spam email until it was dismantled in 2010, has just been sentenced to four years in prison by an Armenian district court.

Gregory Avanesov, a 27-year-old Russian of Armenian descent, was sentenced on charges of creating and distributing the Bredolab malware. His botnet is said to have infected more than 30 million computers worldwide, stealing passwords and other private information and pushing emails hawking prescription drugs. Bredolab also acted as a hired gun, attacking websites and installing other malware on behalf of cyber criminals who had rented time on the bot.

According to the BBC, Avanesov began assembling the botnet in 2009. He then distributed the bot through automated attacks and various phishing schemes.

Bredolab also spread through email that impersonated Facebook: fake "Facebook Password Reset Confirmation" messages carried an attachment which, when opened, took over the victim's computer, stole personal information and passwords, and connected the machine to the botnet. The messages only borrowed the Facebook name; no Facebook system was breached.

Through its mercenary and spam work, Bredolab earned Avanesov a staggering £80,000 ($125,500) a month.

According to Wired, Avanesov admitted to investigators that he wrote the code behind the Bredolab botnet but claimed he did not know people were using the malware for criminal activities. He argues that he simply made it available for others to use and therefore shouldn't be held responsible.

Avanesov was already arrested once before, in 2010, after Dutch authorities seized 143 command-and-control servers that were operating the botnet.

According to a threat report by security firm Fortinet, global spam levels fell 12% after Dutch authorities took down Bredolab.

"We confirmed that on November 14, when the primary servers were taken offline, the intermediary servers failed to proxy content, which effectively crippled the botnet," Derek Manky, project manager for cyber security and threat research at Fortinet, told CNET.

After the Dutch authorities took control of the servers, Avanesov tried to regain control of the botnet. Using some 220,000 computers still under his control, he launched a DDoS attack on LeaseWeb, the Dutch hosting provider whose servers had housed the command infrastructure.

With the botnet under Dutch control, law enforcement used it to push a message to every infected machine, alerting users to the infection and offering instructions on how to remove the malware.

Despite the Dutch authorities' best efforts to dismantle Bredolab completely in 2010, two command nodes remained active in Kazakhstan and Russia, according to The Register.

Any remaining infected computers would dial into these nodes, download a fake antivirus program called "Antivirusplus" and resume sending spam. The criminals keeping Bredolab alive after the takedown likely used leaked code from Avanesov or built their own botnet to continue the attacks.

Today's sentence is a promising sign for cyber crime crackdowns in Europe. Though Armenia is not known as a safe haven for hackers, the case shows that countries in the region are taking cyber crime seriously; according to Wired, police agencies there have long ignored such activity when it took place within their own borders.
