Bredolab surges to new heights thanks to Cutwail botnet

Several sources reported a surge of the Bredolab trojan in the middle of October, but MX Lab only noticed a real increase from October 27th.

The following graph shows virus detections from October 7th until November 5th (plotted from right to left), with small peaks at the beginning of October; the outbreak really started for us at the end of the month. Our virus detection and interception rate increased five- to sixfold compared to the normal average.

We saw Bredolab appearing in several campaigns, of which the Facebook Password Reset Confirmation emails were perhaps the most widespread, targeting social network users. The DHL tracking and Western Union payment lures were also in circulation.

So what is going on? Bredolab is being distributed mainly through the Cutwail (also called Pandex) botnet. One reason is that the botnet is trying to infect new computers and add them as zombies: a larger botnet can send out even more emails carrying malware, infect even more systems, or run new large spam campaigns.

Cutwail's share of spam fell from around 45% at the beginning of the year to only 11% in September, while other botnets grew in size and activity. One of the newer botnets, called Maazbem, was responsible for a large casino-related spam campaign in May 2009.

The Cutwail operators are trying to make up for some of those losses and regain a dominant position in the botnet scene. Approximately 3.6 billion Bredolab emails are estimated to be sent out each day worldwide.

To do so they release new variants on a regular basis to avoid detection by AV engines. As we saw during the last few days, detection was sometimes very low when a new variant was out and the file was submitted to Virus Total for inspection.

At Virus Total (a great tool, by the way) we often saw that the 41 AV engines had difficulty detecting the new variant, leaving end-user systems with less protection. In some cases fewer than 30% of the engines detected the trojan more than 6 hours after the variant first appeared.

It is clear that traditional signature- or heuristic-based AV engines fail to offer good protection within the short time window that matters most for detecting and handling new malware. At MX Lab we can only recommend deploying antivirus engines in multiple layers, with a zero-hour antivirus solution as the main and first line of defense.

Cutwail variant in UPS Delivery Problem email

In the ongoing virus story, MX Lab has intercepted a new variant of the Cutwail trojan disguised in emails claiming to come from UPS regarding a delivery problem, with the subject: UPS Delivery Problem.

The content of the email:

Dear customer!

Unfortunately we were not able to deliver the postal package which was sent on the 20th of June in time
because the addressee’s address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

[Update November 7th, 2009 - 02:10 AM local Belgian time]

The Cutwail trojan has changed again and the email characteristics are different as well. The subject now reads “Congratulations”.

The content of the email:

Congratulations!! You have won todays Macbook Air.

Please open attached file and see datails.

The email contains the ZIP archive winner.zip with the executable winner.exe.

Virus Total link and MD5: 3b9c3d653c3e5cb40c93e9599ee507de

Western Union money transfer email contains new variant of Bredolab

MX Lab has intercepted a new W32/Bredolab!Generic trojan variant attached to emails claiming to come from Western Union, with instructions on how to receive a money transfer.

Possible subjects:

Western Union transfer is available for withdrawl.
Western Union. You should receive money transfer! Order 7909.

Senders:

<contact@westernunion.com>
<service@westernunion.com>

Content of the email:

Hello.

The amount of money transfer: 5887 USD.
Money is available to withdrawl.

You may find the Money Control Number and receiver’s details in document attached to this email.

Western Union.
Customer Service Center.

We noticed that in this campaign, since November 5th 2009, the attached ZIP archive is only 4 kB and when extracted the executable is 0 kB! It seems there is some issue with the email distribution, but we expect that this can change quickly.

Virus Total link and MD5: e6069e83c06da868637489466daed9d3.
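As an added example (not MX Lab's code and not part of the original post), the following Python script implements the kind of signature-independent check a mail gateway can run against the attachments described in this series: a ZIP attachment with an executable inside (winner.zip/winner.exe), a zero-byte executable as seen in the Western Union run since November 5th, and a match against the two MD5s published in these posts. The sample message is constructed from the lure text on this page; the function names, the executable extension list and the fake attachment contents are this example's own assumptions.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# MD5s published in these posts for the winner.exe and Western Union samples.
# MD5 is used here because it is what the posts give; a production indicator
# list would also carry SHA-256.
KNOWN_BAD_MD5 = {
    "3b9c3d653c3e5cb40c93e9599ee507de",
    "e6069e83c06da868637489466daed9d3",
}

# Extensions Windows executes directly on double-click (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def inspect_zip(data):
    """Return findings for one ZIP attachment body without relying on AV signatures."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append("executable inside archive: " + name)
                if info.file_size == 0:
                    # The Western Union run shipped a 0 kB executable; a broken
                    # sample is still a lure and still worth blocking.
                    findings.append("zero-byte executable: " + name)
            digest = hashlib.md5(zf.read(info)).hexdigest()
            if digest in KNOWN_BAD_MD5:
                findings.append("known Bredolab MD5 " + digest + ": " + name)
    return findings


def inspect_message(raw):
    """Parse a raw message and return findings for every ZIP or executable attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if fname.lower().endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            findings.extend(fname + ": " + f for f in inspect_zip(payload))
        elif fname.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(fname + ": bare executable attachment")
    return findings


def build_sample(zip_members):
    """Constructed sample modelled on the 'Congratulations' lure above; not a captured message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in zip_members.items():
            zf.writestr(name, body)
    msg = EmailMessage()
    msg["From"] = "service@westernunion.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Congratulations"
    msg.set_content("Congratulations!! You have won todays Macbook Air.\n\nPlease open attached file and see datails.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="winner.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # A tiny fake MZ header stands in for winner.exe; the second sample mirrors the 0 kB case.
    for sample in (build_sample({"winner.exe": b"MZ" + b"\x00" * 62}), build_sample({"winner.exe": b""})):
        for line in inspect_message(sample):
            print(line)
```

A rule like this fires the moment a new variant arrives, regardless of how many AV engines recognise it yet, which is exactly the gap described above; the trade-off is that legitimate executables inside ZIP attachments are caught as well, which most gateways quarantine anyway. The hash check is the weakest part, since a fresh variant never matches, so it complements rather than replaces the layered engines recommended earlier.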
