Geekzone: technology news, blogs, forums
Dell SecureWorks Teams with the FBI, the NCA and Shadowserver to Seize the Dridex (Bugat v5) Botnet
Posted on 17-Oct-2015 11:30 | Tags Filed under: News

Security researchers with Dell SecureWorks Counter Threat Unit (CTU) have teamed with the FBI, the U.K. National Crime Agency (NCA) and the Shadowserver Foundation to take over the Dridex botnet. Authorities have linked the botnet to an estimated £20m (roughly $30.5 million US) in losses in the U.K., and at least $10 million in losses in the United States.

However, the CTU predicts the losses are higher, as Dridex botnet operators and their affiliates have targeted customers of countless financial institutions, both large and small (banks, credit card companies and popular online payment services), in 27 different countries across North America, Europe, the Middle East, Asia and the South Pacific (including Australia and New Zealand). Dridex infections are especially significant in the United Kingdom, U.S. and France.

The Dridex Banking Trojan (known by the CTU as Bugat v5) has infected tens of thousands of computers worldwide and targets financial credentials, certificates, cookies and other information from the computer systems of users with the goal of committing Automated Clearing House (ACH) transactions and wire fraud. ACH is an electronic network for financial transactions in the United States. ACH processes large volumes of credit and debit transactions in batches.

The CTU research team first investigated the Dridex Banking Trojan in July 2014. They found that Dridex was built using the source code of another banking Trojan known as Bugat (also referred to as Cridex). Despite this, Dridex is distinct from other Bugat variants due to its modular architecture and its use of a hybrid peer-to-peer (P2P) network to obfuscate its backend infrastructure and make takedown attempts more difficult. The Dridex P2P network is a hybrid between a centralised and a decentralised network: peer lists and configuration files are distributed by the backend servers rather than exchanged directly between peers, while binary updates and modules are exchanged autonomously between peers in the network, which reduces some of the load on the backend.

The Dridex banking malware is distributed through spam emails utilising various lures. In the past, some of the spam email attachments exploited vulnerabilities. More recently, however, the Dridex attackers have used Microsoft Word macros (a function in Word which provides for a series of commands and instructions, grouped together as a single command, to accomplish a task automatically). After the target opens the Word document, the macro attempts to download and execute the Dridex loader, which in turn installs the other botnet components. There are four main components of the Dridex Banking Trojan:
  • Loader — downloads the core module and an initial node list to join the P2P network
  • Core module — performs the malware’s core functions (harvesting credentials, performing man-in-the-browser attacks using web injects, downloading the VNC and backconnect modules, etc.)
  • VNC module — allows the attacker to remotely view and control a victim’s computer. This is a standard tool used by many banking trojans because it allows the attacker to use a victim’s computer to connect to a financial institution’s website. Using the same IP address, web browser and cookies as the legitimate user makes the fraudulent activity harder to detect.
  • Backconnect module — allows the attacker to tunnel network traffic through a victim’s computer
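Because the delivery chain described above starts with a macro-bearing Word attachment, a mail gateway or incident responder will want a cheap first-pass check for embedded VBA before a document ever reaches a user. The following Python is an added example, not code from the original article or from Dell SecureWorks. It relies on a documented property of the OOXML format: a Word document is a ZIP container, and one that carries macros stores the compiled project as the member `word/vbaProject.bin` and declares it in `[Content_Types].xml`. The sample "attachments" are constructed in-memory containers, not real Word files, and the function names are this example's own.

```python
import io
import zipfile

# OOXML (.docx/.docm) files are ZIP containers. A document with VBA macros
# stores the compiled project as this member and declares it in the manifest.
VBA_MEMBER = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MANIFEST = "[Content_Types].xml"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML document in `data` embeds a VBA project.

    Checks both the member list and the content-types manifest so that a
    document which declares a macro part under an unusual name is still caught.
    Legacy binary .doc files are OLE2 compound files, not ZIP, and are out of
    scope here (they need an OLE parser such as oletools' olevba).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if VBA_MEMBER in names:
                return True
            if MANIFEST in names:
                manifest = zf.read(MANIFEST).decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        # Not a ZIP container at all; nothing for this check to say.
        return False
    return False


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style container, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            parts.append(
                f'<Override PartName="/{VBA_MEMBER}" ContentType="{VBA_CONTENT_TYPE}"/>'
            )
        zf.writestr(MANIFEST, "<Types>" + "".join(parts) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr(VBA_MEMBER, b"\xd0\xcf\x11\xe0 constructed placeholder VBA project")
    return buf.getvalue()


def triage_attachments(attachments):
    """Return the names of attachments that carry macros and should be quarantined.

    `attachments` is an iterable of (filename, bytes) pairs.
    """
    return [name for name, blob in attachments if has_vba_macros(blob)]


if __name__ == "__main__":
    # Constructed inbox sample: one macro-laden lure, one clean document, one non-OOXML file.
    inbox = [
        ("invoice_2015.docm", build_sample_docx(with_macro=True)),
        ("meeting_notes.docx", build_sample_docx(with_macro=False)),
        ("readme.txt", b"plain text, not a container"),
    ]
    for name in triage_attachments(inbox):
        print(f"quarantine: {name} contains a VBA project")
```

The check is deliberately structural rather than signature-based: it does not care what the macro does, only that a macro project is present, which is the property a mail policy for external senders usually acts on. Pair it with an OLE2-aware parser for legacy `.doc` attachments and with blocking or sandboxing of any document that downloads content on open.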

The threat group, which developed the Dridex Banking Trojan source code and controls the botnet, is believed to operate out of Eastern Europe. Similar to the peer-to-peer Gameover Zeus botnet (which the CTU assisted law enforcement in taking down in May 2014) and to the Gozi Neverquest botnet, the Dridex botnet operates an affiliate model. Thus, the Dridex botnet is partitioned into sub-botnets, and each affiliate is given access to its own subset of bots. The CTU has observed 13 Dridex sub-botnets.

The CTU began tracking Dridex in July 2014 and to date has captured 359 unique configuration files, with 414 active web inject targets, for the botnet. The web injects used by Dridex vary depending on the targets of the particular sub-botnet, and some of the web injects are region specific.

In collaboration with the NCA, the FBI, and the Shadowserver Foundation, CTU researchers developed and executed a technical strategy to take over the Dridex botnet by poisoning each sub-botnet’s P2P network and redirecting infected systems to a sinkhole. Essentially, this ensured that the infected computers of the Dridex botnet are no longer under the control of the Dridex operators and their affiliates, so they can no longer steal information from those computers or control them.

“The takedown of the Gameover Zeus botnet in June 2014 as part of Operation Tovar left a void in the cybercriminal community, particularly for those targeting financial institutions,” Brett Stone-Gross of Dell SecureWorks’ Counter Threat Unit explained.

“To fill this gap, threat actors created new botnets, including Dridex and Dyre. CTU researchers have observed a significant overlap in the tactics, techniques, and procedures (TTPs) between Gameover Zeus and both Dridex and Dyre, indicating previous affiliates had moved on to new botnet business ventures and were continuing to carry out their fraudulent activities. However, neither Dridex nor Dyre have been able to rival the sophistication, size, and success of Gameover Zeus.”
