BKDR_BREDOLAB
Bredo
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
BREDOLAB arrives via spammed email attachments. The messages it comes in vary: samples include spoofed email from Social Security, DHL and Lenovo, while others pose as a puzzle, a wedding invitation, or a resume. BREDOLAB variants are also downloaded by other malware, particularly CUTWAIL and SASFIS. Variants may also be installed when users visit compromised web pages injected with malicious iframes, or be reached through black hat search engine optimization (black hat SEO), where users searching for popular topics are led to poisoned search results.
BREDOLAB's main function is to download other malware onto the systems it infects, such as FAKEAV and ZEUS. Some GUMBLAR variants also use BREDOLAB as their downloader component.
In addition to its downloading capability, BREDOLAB can detect whether it is running in an environment where it is being analyzed or observed. It does this by checking the system for several files associated with analysis tools. When BREDOLAB finds such files, it causes the system to stop responding with a blue screen (BSOD) error. This behavior makes analysis of BREDOLAB samples difficult.
Variants of this malware family also unhook certain application programming interface (API) calls so that security software relying on those hooks does not detect them and consequently cannot remove them from the affected system.
TECHNICAL DETAILS
Installation
This backdoor drops the following files:
- %Application Data%\avdrn.dat
- %Application Data%\wiaservg.log
- %Application Data%\avkgp.dat
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %User Startup%\{random}32.exe
(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{user name}\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003.)
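The dropped-file list above is the most usable host indicator this page gives, since the self-copy name is only partly known ({random}32.exe) and the contacted domains are redacted. The script below is an added example, not part of the Trend Micro write-up, showing how an incident responder would sweep a user profile for these artifacts: exact-name matches in %Application Data% and a pattern match for an executable ending in "32.exe" in the Startup folder. It assumes the random prefix is alphanumeric, and it builds a constructed profile tree in a temporary directory so it runs offline; on a live system you would pass the real APPDATA and Startup paths to hunt().

```python
"""Sweep a Windows user profile for BKDR_BREDOLAB drop artifacts.

Added example, not code from the Trend Micro write-up. The file names
come from the "Installation" section; the demo directory tree is
constructed here for illustration.
"""
import os
import re
import tempfile

# File names the write-up says the backdoor drops into %Application Data%.
DROPPED_DATA_FILES = {"avdrn.dat", "wiaservg.log", "avkgp.dat"}

# The self-copy lands in %User Startup% as {random}32.exe. The prefix is
# unknown, so match any executable ending in "32.exe" (assumption: the
# random part is alphanumeric). Review hits by hand; legitimate names
# could collide with this pattern.
STARTUP_COPY_RE = re.compile(r"^[A-Za-z0-9]+32\.exe$", re.IGNORECASE)


def hunt(app_data_dir, startup_dir):
    """Return sorted (category, path) hits found under the two folders.

    Missing folders yield no hits rather than an error, so the function
    can be pointed at every profile on a disk image without special cases.
    """
    hits = []
    if os.path.isdir(app_data_dir):
        for name in os.listdir(app_data_dir):
            if name.lower() in DROPPED_DATA_FILES:
                hits.append(("dropped_file", os.path.join(app_data_dir, name)))
    if os.path.isdir(startup_dir):
        for name in os.listdir(startup_dir):
            if STARTUP_COPY_RE.match(name):
                hits.append(("startup_copy", os.path.join(startup_dir, name)))
    return sorted(hits)


def build_demo_tree(root):
    """Construct a fake XP-style profile containing artifacts plus decoys."""
    appdata = os.path.join(root, "Application Data")
    startup = os.path.join(root, "Start Menu", "Programs", "Startup")
    os.makedirs(appdata)
    os.makedirs(startup)
    # Two of the three dropped files, plus desktop.ini as a benign decoy.
    for name in ("avdrn.dat", "avkgp.dat", "desktop.ini"):
        open(os.path.join(appdata, name), "wb").close()
    # One name matching {random}32.exe, two decoys that must not match.
    for name in ("qxzt32.exe", "notepad32.txt", "backup.exe"):
        open(os.path.join(startup, name), "wb").close()
    return appdata, startup


def demo():
    """Run the sweep over the constructed tree; return (category, filename) pairs."""
    with tempfile.TemporaryDirectory() as root:
        appdata, startup = build_demo_tree(root)
        return [(cat, os.path.basename(path)) for cat, path in hunt(appdata, startup)]


if __name__ == "__main__":
    for category, filename in demo():
        print(f"{category}: {filename}")
```

On a live Windows host, %Application Data% is the APPDATA environment variable; the Startup folder is under the user profile on 2000/XP/2003 and under APPDATA\Microsoft\Windows on Vista and later, so resolve it per OS rather than hard-coding one layout.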
Other Details
This backdoor connects to the following possibly malicious URLs:
- {BLOCKED}oup128.ru
- {BLOCKED}l.ru
- {BLOCKED}ang.ru
- {BLOCKED}epof.ru
- {BLOCKED}ale.ru