In July 2010, when Bredolab was in its heyday, I used NetWitness Investigator to analyze a Bredolab-infected host. In honor of Georgy Avanesov's arrest, what follows is a reprint of the resulting toolsmith article. Bredolab samples and PCAPs are available upon request via email or @holisticinfosec. NetWitness is now at version 18.104.22.168, so some of the guidance and how-to herein may have changed.
Figure: Configuring NetWitness Investigator
Figure: Bredolab sample collection navigation
Figure: DNS session content
Figure: Google Earth view of DNS request domain location
Figure: Hello, I'm a bot