This month we added both the Win32/Bredolab and Win32/Daurso families to the latest release of the Malicious Software Removal Tool (MSRT).
Win32/Bredolab is a trojan downloader that garnered industry attention during the middle of 2009, driven by a number of spam campaigns that used e-mail lures with parcel-delivery themes. The messages appear to originate from legitimate sources such as UPS (United Parcel Service of America) or DHL (Dalsey, Hillblom and Lynn). However, Win32/Bredolab is not a new family of malware: its origins date back at least three years, and it has gone through a number of evolutions during that time.
Win32/Bredolab has been observed to download malware from a vast array of families. This includes families of trojan downloaders, rogues, worms, spam bots, password stealers and just about everything in between. From the beginning of 2009, the MMPC has observed variants of Win32/Bredolab downloading malware from over 100 unique families. To give you an idea, below is a short list of the more prevalent and well-known families downloaded, many of which are families addressed by MSRT.
The second family added to the September release of MSRT is a password-stealing trojan known as Win32/Daurso. It attempts to steal stored FTP credentials and could be regarded as a sibling of Win32/Bredolab, since the two share some code in their installation wrapper. Additionally, the control server that Win32/Bredolab variants contact is the same one used by Win32/Daurso. Finally, Win32/Daurso is often downloaded by Win32/Bredolab itself.
Win32/Daurso has the capability to retrieve passwords stored locally by popular third-party FTP clients such as ‘CuteFTP’, ‘FlashFXP’ and ‘Core FTP’. Credentials held in Windows protected storage are also targeted by Win32/Daurso.
It may come as no surprise to our readers that user credentials continue to be a valuable commodity for malware authors. The value of FTP credentials lies in the likelihood that the compromised account is associated with web-hosting capability, which can easily be put to nefarious use: for example, by inserting malicious content into the hosted site or simply by using the site to host malware.