BEDEP: Backdoors Brought Into The Light By Flash Zero-Days
The Flash zero-days earlier this year have brought a new malware threat to the forefront: the BEDEP malware family. It has been the payload of two zero-day exploits in recent weeks: CVE-2015-0311 in late January, and CVE-2015-0313 in early February.
While these attacks made BEDEP far more widespread, it was not exactly a new malware family either. It was first spotted in September 2014, and is believed to be involved in both advertising fraud and other botnet-related activity. Its popularity as an attack platform grew significantly in early 2015, a direct result of its use in various exploit kit attacks.
Approximately two-thirds of the victims of BEDEP from November 2014 to February 2015 were located in the United States, with Japan making up most of the remainder. Australia and Germany were also prominent BEDEP victims. We identified more than 7600 affected victims.
Figure 1. Distribution of BEDEP victims
How does BEDEP arrive on user systems? The zero-day attacks earlier in the year highlight one method: exploit kits delivered to users via malvertisements on legitimate sites. Both the Angler and Hanjuan exploit kits have been used to spread BEDEP.
Another infection vector that has been less well documented is “legitimate” software. Legitimate applications today frequently come with components that pose a security risk; we recently saw this when the Superfish adware included components that could be used to attack SSL. In the BEDEP cases, it went further: the BEDEP backdoor itself was installed onto user systems (under the file name rifa.dll).
Once installed on a machine, BEDEP has fairly typical backdoor routines that would allow an attacker to take control of the machine (by downloading and running various payloads).
More details about BEDEP, as well as best practices and available Trend Micro solutions, can be found in our BEDEP Security Brief.