This month we added both the Win32/Bredolab and Win32/Daurso families to the latest MSRT release.

Win32/Bredolab is a trojan downloader that garnered industry attention during the middle of 2009, owing to a number of spam campaigns that used e-mail lures with parcel-delivery themes. The e-mail messages appear to originate from legitimate sources such as UPS (United Parcel Service of America) or DHL (Dalsey, Hillblom and Lynn). However, Win32/Bredolab is not a new family of malware. Its origins date back at least three years, and it has gone through a number of evolutions during this time.

Win32/Bredolab has been observed to download malware from a vast array of families, including trojan downloaders, rogues, worms, spam bots, password stealers and just about everything in between. Since the beginning of 2009, the MMPC has observed variants of Win32/Bredolab downloading malware from over 100 unique families. To give you an idea, below is a short list of the more prevalent and well-known families downloaded, many of which are families already addressed by MSRT.

Win32/Alureon
Win32/Ambler
Win32/Boaxxe
Win32/Busky
Win32/Cbeplay
Win32/Cutwail
Win32/Danmec
Win32/Daurso
Win32/Emold
Win32/FakeRean
Win32/FakeSpypro
Win32/FakeXPA
Win32/Harnig
Win32/Haxdoor
Win32/Hiloti
Win32/Koobface
Win32/Momibot
Win32/Oderoor
Win32/Oficla
Win32/Otlard
Win32/Phdet
Win32/Rlsloup
Win32/Rugzip
Win32/Rustock
Win32/Sinowal
Win32/Srizbi
Win32/Tedroo
Win32/Ursnif
Win32/Vundo
Win32/Waledac
Win32/Wantvi
Win32/Winwebsec
Win32/Wopla
Win32/Zbot

The second family added to the September release of MSRT is a password-stealing trojan known as Win32/Daurso. It attempts to steal stored FTP credentials and can be considered a sibling of Win32/Bredolab: the two share code in their installation wrapper, the control server that Win32/Bredolab variants contact is exactly the same as that used by Win32/Daurso, and Win32/Daurso is often downloaded by Win32/Bredolab itself.

Win32/Daurso has the capability to retrieve passwords stored locally by popular third-party FTP clients such as ‘CuteFTP’, ‘FlashFXP’ and ‘Core FTP’. Credentials residing in Protected Storage are also targeted by Win32/Daurso.
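As an added example, not code from the original post or from the MMPC, the following PowerShell script inventories the places where the FTP clients named above keep saved site credentials in the current user's profile, so an administrator can see what a stealer of this class would find to harvest and can clear saved passwords in advance. The file and registry locations are assumptions based on default installs of common versions of each client and vary between versions; Protected Storage is not covered, since it is served by the Protected Storage service rather than by a file on disk.

```powershell
# Added example (not from the MMPC post): inventory of saved-credential stores
# used by CuteFTP, FlashFXP and Core FTP, so that saved FTP passwords can be
# found and removed before a credential stealer gets to them.
# The file and registry locations below are ASSUMPTIONS based on default
# installs of common client versions; they differ between versions.

function Get-SavedFtpCredentialStores {
    [CmdletBinding()]
    param()

    $appData = $env:APPDATA

    # Candidate saved-site files per client (assumed default locations).
    $fileStores = @(
        @{ Client = 'FlashFXP'; Path = Join-Path $appData 'FlashFXP\3\Sites.dat' }
        @{ Client = 'FlashFXP'; Path = Join-Path $appData 'FlashFXP\4\Sites.dat' }
        @{ Client = 'CuteFTP';  Path = Join-Path $appData 'GlobalSCAPE\CuteFTP Pro\8.0\sm.dat' }
        @{ Client = 'CuteFTP';  Path = Join-Path $appData 'GlobalSCAPE\CuteFTP\8.0\sm.dat' }
    )

    foreach ($store in $fileStores) {
        if (Test-Path -LiteralPath $store.Path) {
            $item = Get-Item -LiteralPath $store.Path
            [pscustomobject]@{
                Client        = $store.Client
                Kind          = 'File'
                Location      = $store.Path
                LastWriteTime = $item.LastWriteTime
                Detail        = 'saved-site file present; may contain stored passwords'
            }
        }
    }

    # Core FTP keeps its site list in the registry, one subkey per site,
    # with the saved password (if any) in a value named PW (assumed layout).
    $coreKey = 'HKCU:\Software\FTPWare\COREFTP\Sites'
    if (Test-Path -LiteralPath $coreKey) {
        Get-ChildItem -LiteralPath $coreKey -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            $hasPassword = -not [string]::IsNullOrEmpty($props.PW)
            [pscustomobject]@{
                Client        = 'Core FTP'
                Kind          = 'Registry'
                Location      = $_.Name
                LastWriteTime = $null
                Detail        = if ($hasPassword) { 'site saved WITH password' } else { 'site saved without password' }
            }
        }
    }
}

# Run against the current user's profile and report anything found.
$findings = @(Get-SavedFtpCredentialStores)
if ($findings.Count -gt 0) {
    $findings | Format-Table Client, Kind, Detail, Location -AutoSize
} else {
    'No saved FTP credential stores found for the current user.'
}
```

Run the script under each user account that uses an FTP client; for accounts with hits, remove the saved passwords from the client and, where the client offers it, use a master password or enter credentials at connect time instead.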

It will come as no surprise to our readers that user credentials continue to be a valuable commodity for malware authors. The value of FTP credentials lies in the likelihood that the compromised account is associated with web hosting. Such access can easily be put to nefarious use, for example by inserting malicious content into hosted pages or simply by using the account to host malware.

Scott Molenkamp