TROJ_BREDOLAB

 Analysis by: Karl Dominguez

 ALIASES:

Bredo

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Spammed via email, Downloaded from the Internet

BREDOLAB arrives via spammed email attachments. The email messages it comes in vary. Samples include spoofs of email from Social Security, DHL and Lenovo while others include a puzzle, a wedding invitation, or a resume. BREDOLAB variants are also downloaded by other malware, particularly by CUTWAIL or SASFIS malware. Variants of BREDOLAB may also be installed on systems when users visit compromised pages injected with malicious iframes. They can also be downloaded via black hat search engine optimization (black hat SEO) where users are led to poisoned search results when searching for popular topics.

BREDOLAB's main function is to download other malware on systems it infects. It downloads malware such as FAKEAV and ZEUS. Some GUMBLAR variants also use BREDOLAB as a downloader component.

In addition to its downloading capabilities, BREDOLAB is capable of detecting whether it is running in an environment where it is being analyzed or observed. It does this by checking the presence of several files, which are related to analysis tools, on a system. Once BREDOLAB detects the presence of these analysis-related files, it causes the system to stop responding, resulting in a blue screen (BSOD) error. This particular capability makes analysis of BREDOLAB malware difficult.

Variants of this malware family also unhook certain application programming interface (API) calls to avoid being detected and consequently, removed from the affected system.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Downloads files

Installation

This Trojan drops the following files:

  • %Application Data%\avdrn.dat
  • %Application Data%\wiaservg.log
  • %Application Data%\avkgp.dat

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %User Startup%\{random}32.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Other Details

This Trojan connects to the following possibly malicious URL:

  • {BLOCKED}oup128.ru
  • {BLOCKED}l.ru
  • {BLOCKED}ang.ru
  • {BLOCKED}epof.ru
  • {BLOCKED}ale.ru