Recent reports from various sources in the security industry show that a large takedown of servers associated with the “Bredolab” trojan occurred within the past few weeks. While most of the reports have focused around the idea that this infrastructure was solely related to the command and control of Bredolab, our research shows that these servers were used as an all-purpose hosting infrastructure for criminal activity.

This criminal system came to our attention in July 2010, when NetWitness analysts were asked to investigate a hacked wordpress blog.

We found that the following obfuscated script had been injected into all .html and php pages on the site:

When decoded, this script created a redirect to the following location:

hxxp://bakedonlion.ru:8080/google.com/pcpop.com/torrentdownloads.net.php

Further investigation revealed an injection of the script into victim webpages via FTP:

These IPs all connected to the victim website within a 20-minute period on May 8^th, and when plotted on a map, it becomes obvious that this is likely a botnet.

Read the rest…