ESET in Bratislava have just issued a press release concerning Win32/TrojanDownloader.Bredolab.AA, which made the top ten threat listing in our June ThreatSense.Net® report, as mentioned here. While press releases aren't always our biggest priority on the ThreatBlog, this is certainly a research issue, and one in which many people have expressed an interest.
The lab tells us that the Bredolab trojan is the top-scoring threat in the Czech Republic and Slovakia, but also scoring high in other European countries. It appears in the Top 5 list of threats in Austria, Poland, Turkey; in the Top 10 in Bulgaria, the United Kingdom, Sweden, Belgium, Russia and Germany; in the Top 20 in the Ukraine and Italy, and in the Top 40 in France. In Ireland it has climbed from 40th place into the Top 15. So while its positioning in the Report is partly influenced by a recent change in the way we aggregate data, there's clearly a trend emerging here.
The lab guys have put up a description here, so if you're interested in a technical summary, that's a good place to start. Here's a brief description, though, based on one I added to the Report, with additional notes based on the information from Bratislava.
This is a class of application that is intended to act as an intermediary to the infective process. The label is applied to a range of variants that commonly inject themselves into running processes and attempt to disable some security processes, while creating a registry key that ensures that the malicious executable is run at every system startup. It communicates with its command and control (C&C) server over HTTP. This malware has been associated with other malware activity such as Gumblar and Win32/Wigon. We’re seeing a great deal of Bredolab activity in combination with Flash (SWF) and Acrobat (PDF) exploits, so it’s more important than ever to keep up with Adobe updates and patches as well as Microsoft’s. Indeed, nowadays it pays to keep an eye on new patches for any applications and utilities you use. Hopefully, Adobe’s new patching mechanisms will help to reduce the impact of these exploits in the longer term.
When a downloader is installed and active on a system, its main (or only) job is to download malware from a remote site, but it may well make changes to the system such as those described above in order to increase its chances of doing so successfully. There have also been some cases when Bredolab Trojan was downloaded by other downloaders in the Win32/TrojanDownloader.FakeAlert family, demonstrating a connection to rogue security application malware.
Other vendors describe different variant suffixes (.G, .HW etc.) as referring to this detection: however, because of the varying detection algorithms used by different vendors, it’s unlikely that there will be an exact match in all cases. Because of ESET’s heavy use of generic signatures and advanced heuristics, our detection label actually picks up many close variants and sub-variants. In fact, some other vendors are at present detecting Bredolab by generic names (for instance, deriving from the use of particular packers) or by reference to other malware families. It's likely that this disparity in naming is masking the impact of this particular family. As we've mentioned before, malware naming in the 21st century probably generates more heat than light.
The use of file formats such as PDF which most users think of as trustworthy is not a new tactic: in fact, like other document formats such as those used by Microsoft Office, they’re commonly used in targeted phishing attacks. However, the noticeable rise in Bredolab detections, especially in Europe, demonstrates that it is extremely active at the moment.
Users should, as always, take care when opening e-mail attachments and exercise caution while browsing the web, but they should also be sure to keep up with security patches to application software. Personally, I welcome the fact that Adobe, in particular, have raised their game significantly in recent months on security updates across their product range. I'd advise users to subscribe to Adobe's notification service, just as they should ensure that they’re subscribed to the Windows Update Service. Though I'm not altogether a fan of Microsoft's insistence that you need to install an ActiveX control to view the site.
David Harley
Director of Malware Intelligence