Earlier this week (October 25), authorities in the Netherlands took action against one of the Win32/Bredolab botnets and the person(s) who may be responsible for this threat, as part of an investigation codenamed TOLLING, itself part of a larger project named TAURUS. This follows on the heels of similar efforts against Win32/Zbot by the Federal Bureau of Investigation’s Operation “Trident Breach” in partnership with international law enforcement agencies, operations in Spain and Slovenia against the Win32/Rimecud botnet, and earlier efforts to permanently disable the Win32/Waledac botnet.

Note that Bredolab is not a single botnet; rather, there are numerous Bredolab botnets deployed, each with a distinct set of masters.

As we look at the telemetry from some of these takedown efforts we do see a significant reduction in the presence of the threat, as we would expect. We also see additional attempts to infect computers with that threat family when we examine telemetry from our products that include real-time protection, emphasizing the importance of ongoing protection against all active threat families including those whose infrastructure and personnel have been disrupted. 

As you can see from the chart below, following takedown and other response actions (such as the inclusion of a threat family in MSRT) we do see a decrease in removals over the following months. What we also see is additional infection attempts following those actions, perhaps as a directed effort to regain the previous infection scale, or perhaps due to campaigns which are already in progress and automated or otherwise staged. That said, additional infections in a botnet whose command and control infrastructure has been impaired, destroyed or controlled represent a considerably smaller threat to the Internet than infections in a botnet which is active and capable of receiving new instructions for attacks.

MMPC Infection attempts blocked and removed 

What is important to note from the data above is that taking or wresting control of a botnet’s infrastructure, by itself, is not a complete solution: not only are there still infected machines, but the parties behind the threat retain the ability to continue distributing new instances of it (perhaps with a different command-and-control scheme). It is the combination of technical and legal approaches which seems to have the greatest positive effect.

The action taken against Bredolab clearly illustrates best practice in botnet response by leveraging this combination approach. Taking down the command-and-control infrastructure and partnering with law enforcement locally and in other jurisdictions to apprehend the person(s) who may be responsible not only helps to contain the damage which can be caused by the botnet in question, but also can serve as a chilling effect against others who may also operate botnets. Additional measures relating to cleanup of infected systems, such as through broad notification or through the monthly release of MSRT, extend these successes even further. Currently, computers infected with Bredolab are being referred to a page detailing instructions for how to clean the system of the threat, thanks to the Dutch National Alerting Service (hosted by GOVCERT.NL) and intelligence collected during the investigation by Dutch authorities. You can see a portion of the landing page for the notification in the graphic below.

Landing page and infection notification message

We would like to commend the Dutch Public Prosecution Service, the Dutch Forensic Institute (NFI), GOVCERT.NL, FOX-IT, LeaseWeb, Russian and Armenian law enforcement and the Netherlands High Tech Crime Unit (THTC), as well as all parties who contributed to this effort. Collaboration towards a common goal is something that we have repeatedly seen, of late, have a significantly greater impact than the work of individuals, companies or agencies on their own. Microsoft looks forward to further public/private partnerships aimed at the disruption and containment of these and other Internet threats.

As with many other botnets, Win32/Bredolab can be removed with MSRT (since September 2009) as well as our other antimalware products such as Microsoft Security Essentials and the Forefront family of products.


Jeff Williams
Principal Group Program Manager