Administrators are in jail, Dridex/Bugat botnet may still be alive

US authorities filed charges against the administrators of the Dridex botnet and stated they had disrupted the international criminal conspiracy. But the authorities do not seem to have completely shut down the elusive botnet.

Avira researchers report that the botnet still appears to be partially operational. “I tested our Botchecker with a sample from yesterday, and I found a first stage node was still responding and delivering the main Dridex component and a list of second stage nodes,” reported Moritz Kroll, malware researcher at Avira.

It can be hard to kill a botnet. “I knew about the arrest in August. The botnet then went down but suddenly in October it came up again,” he added. “It will be interesting to see if this is really down again or not.”

The botnet is believed to have stolen at least $10 million in the US alone. The takedown was international in scope: the two alleged administrators of the botnet are from Moldova, they were arrested in Cyprus, and the charges were filed in Pennsylvania, USA.

Dridex was seen globally. “The botnet was pretty active,” said Ayoub Faouzi, malware researcher at Avira. “We have seen a lot of malware samples coming from this botnet.” Avira categorizes Dridex as banking malware. “Dridex was focused on stealing sensitive user information and banking credentials so we kept a close eye on it,” Faouzi explained.

The US Department of Justice characterized Dridex as a “multifunction malware package” that used keystroke loggers and web injects. They also pointed out that Dridex was specifically designed to defeat antivirus and other protective measures.

“Dridex used a lot of cryptors and packers to hide itself,” explained Kroll. “We reverse engineered it and were able to identify the entry points into the botnet. And, by writing a botchecker for Dridex, we have been able to use this botnet as an automatic source of new C&C IPs and malware components.”
