A new series of attacks levelled at organisations in the public sector began last week, as reports of emails containing the malware program Bredolab came in.
Security expert Tony Millington said that although the use of Bredolab was not obviously significant in itself, the way in which the email campaign was run did raise some questions about the intentions of its instigators.
Mr Millington said that Bredolab was more usually distributed on a massive scale to as many email accounts as possible, relying on controlled botnets for the herculean campaign. However, in this instance, Bredolab has been sent to a select group of public sector organisations, suggesting that the criminals behind the attack are attempting to harvest data contained on specific systems.
Bredolab can be modified to use various forms of trickery to encourage the recipient of the email to run the attached executable. Once the executable is run, the malware embeds itself on the user’s computer and turns off the firewall, giving the responsible parties access to the network and the opportunity to install many more malicious files as a result.
Mr Millington said that in this instance, Bredolab was being used to transfer data harvesting tools to the infected PCs and at the time of its appearance, these subsequent files were identifiable by only one or two of the major anti-virus vendors. As such, the potential for further infection and data theft was significant.
IT security firms have been busy investigating the latest viral attacks via email and have established that the IP addresses from which the mail originates can be linked to several other spam campaigns that have been in operation in recent months. These IP addresses are believed to belong to PCs connected in a large botnet, unbeknownst to their users.
According to Mr Millington, the emails sent in the latest batch are worded with innocuous subject lines, containing keywords such as ‘conference’ or ‘resume’ in order to dupe the recipient into activating the attached .zip file, which will usually have the same name.
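The lure pattern described above, a .zip attachment whose name echoes an innocuous subject keyword and which carries an executable, is the kind of thing a mail gateway can flag before the message reaches a user. The following Python is an added example written for this article, not code from the article or from any vendor named in it; the sample messages, sender addresses and the keyword and extension lists are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Lure keywords reported in the article; a real deployment would extend this list.
LURE_KEYWORDS = ("conference", "resume")
# File types that should not arrive inside an unsolicited archive (assumed list).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def build_zip(inner_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip holding one file (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def build_message(subject: str, attachment_name: str, attachment: bytes) -> bytes:
    """Assemble a constructed sample email with a single zip attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "staff@example.invalid"      # constructed address
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


def inspect_message(raw: bytes) -> list:
    """Return the reasons a message looks like the described lure; [] means clean."""
    msg = message_from_bytes(raw, policy=default)
    subject = (msg["Subject"] or "").lower()
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        stem = name[: -len(".zip")]
        # Heuristic 1: the archive name mirrors a lure keyword used in the subject line.
        if stem in LURE_KEYWORDS and stem in subject:
            reasons.append(f"attachment '{name}' mirrors lure keyword in subject")
        # Heuristic 2: the archive contains an executable; inspected in memory, never extracted to disk.
        data = part.get_payload(decode=True)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    if inner.lower().endswith(EXECUTABLE_EXTS):
                        reasons.append(f"archive '{name}' contains executable '{inner}'")
        except zipfile.BadZipFile:
            reasons.append(f"attachment '{name}' is not a valid zip archive")
    return reasons


# Constructed samples: one message matching the lure pattern, one benign one.
SAMPLE_LURE = build_message("Conference", "conference.zip",
                            build_zip("conference.exe", b"MZ placeholder bytes"))
SAMPLE_BENIGN = build_message("Minutes from Tuesday", "minutes.zip",
                              build_zip("minutes.txt", b"agenda items"))

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_message(raw) or ["clean"])
```

Both heuristics are deliberately cheap so they can run on every inbound message; the archive is only listed, never extracted, and a hit on either rule is a reason to quarantine the message for review rather than deliver it.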