
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


5 posts from October 2010

Bredolab - "It's not the size of the dog in the fight..

.., it's the size of the fight in the dog" that matters.  Bredolab is not giving up.  This morning, I found two more active CnC domains, not only alive but issuing new commands as well. These two domains are:

upload-good.net and lodfewpleaser.com

The Bredolab variant communicating with upload-good.net is especially important, as almost all AVs are missing it at the moment.  Only 1 of the 42 AV engines available on VirusTotal detected it as malicious.

[Screenshot: VirusTotal AV detection results]


Bredolab - Severely Injured but not dead

Today started with some good news. The mega botnet known as Bredolab has been taken down.  Kudos to the Dutch police and the ISPs involved.  Over the years, Bredolab evolved into a powerful pay-per-install network.  The bot herders behind it showed great expertise in spreading their core malware through different infection vectors such as drive-by downloads and social engineering.  The sole purpose of Bredolab was to spread itself as aggressively as possible and offer pay-per-install services (normally a few cents per installation) to other cybercriminals who might not be very good at spreading their own malware.

What's happening at the moment? In order to gather the most up-to-date intelligence, I looked into FireEye's MAX network. There was no doubt that all the known active servers were no longer responding. But surprisingly, I was able to find one CnC server which is fully active at the moment. This CnC server is:

proobizz.cc


Feodo - A new botnet on the rise

We are seeing a trend where new banking trojans emerge on the threat landscape very rapidly.  First came Bugat, followed by Carberp.  Unfortunately, it is time to meet 'Feodo'. Since August of this year, when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye.  My analysis, however, says that this malware is not a toolkit and is in the hands of a single criminal group.

At the time of writing this article, AV coverage for this malware looks very disappointing. Of the 42 antivirus engines listed on VirusTotal, only two detected it as malicious. Screenshot from VT:


Avzhan Botnet - The Story of Evolution

Recently, researchers from Arbor Networks and Trend Micro published very good analyses of a new DDoS botnet dubbed Avzhan. The name was taken from one of the callback domains used by this botnet, avzhan1.332.org. Surprisingly, callback domains like avzhan1.332.org and avzhan.332.org are nothing new. These domains have been used by other DDoS malware since 2008 and 2009. FireEye recognizes that malware as DDOS.DATCK and DDOS.BYCC. Is Avzhan a new DATCK variant? My curiosity set in.

Comparing DATCK/BYCC binaries with known Avzhan samples revealed many interesting facts. Although in many places the code patterns of the older DATCK/BYCC looked quite different from Avzhan, there were definite code and design similarities pointing to a possible connection between the two malware families. But this was not the end: during this process, I found out that Avzhan also looks alike another known DDoS botnet, Storm.DDOS.

Note: The Storm.DDOS name was chosen because of the interesting user-agent strings used by different variants of this malware, such as STORMDDOS, YTDDOS, kav, IMDDOS, "i am ddos", etc.


Silent Rustock

There has been a significant observed drop in worldwide spam levels during the last month or so.  M86 attributes it to Rustock, the world's largest spam botnet, having suddenly stopped sending spam for unknown reasons.   McAfee has expressed a different point of view. According to them, the steep drop in spam levels is due to recent attempts to shut down Pushdo.D, another famous spam botnet.  It's clear that spam levels are dropping, so let's look behind the curtain and try to find the actual reasons for the statistical observations.

I can think of two possible reasons why a major spam botnet would suddenly stop sending spam:

1. There was an attempt to shut down the botnet by taking down its CnC servers.

2. The bot herders are running out of business, i.e., no one is paying them to send spam.
