
Online 'Batman' Takes On Dridex Banking Trojan Operators

Several Dridex malware download sites have begun mysteriously serving up antivirus software instead.

Evil Corp. -- the criminal hacking group that owns and operates the especially nasty Dridex banking Trojan -- may have run into a Batman of sorts on the Internet.

Someone or some group appears to have disrupted at least part of the channel that distributes the malware and replaced the malicious links with installers for an antivirus tool instead. Basically, the server files behind the Dridex download URL in some locations have been swapped with original, up-to-date versions of the Web installer for Avira antivirus, according to Avira Operations, the German company that makes the software.

So users who click on malicious links distributed by the affected download locations get Avira’s antivirus tool instead of the banking Trojan. Whoever is behind the deed has apparently been leaving a calling card of sorts on the compromised Dridex sites, with somewhat cryptic references to "owner," "pwner," and "host," Avira said in a statement on the development.

Avira says that it is not behind the caper and is unsure why the online do-gooder may have chosen its product to defend potential victims of the banking Trojan.

“We think it’s the Batman philosophy and way of life--help people, doing the right stuff with maybe not-so-legal methods,” says Moritz Kroll, malware expert with Avira. “I really think it is a hacker who has discovered how to do a good thing but perhaps with not strictly legal methods.”

Dridex is a banking Trojan that first began spreading in 2014 and has since stubbornly resisted all efforts to eradicate it. It's typically distributed as a malicious attachment—often a Word document with malicious macros—in spam email.

When the document is opened, the macros download Dridex from a remote server, which often has been previously compromised as well. Once installed on a computer, Dridex basically waits until the user attempts to log into certain banking websites. Dridex currently targets customers of a growing list of major, mostly European, banks including Barclays, Santander, RBS, HSBC, Deutsche Bank, and Wells Fargo.

When a Dridex victim attempts to log into any of these banks, the malware quickly intercepts the communication and redirects the user to a spoofed Web page designed to look exactly like the actual banking website. The goal is to steal the account log-in details so the criminals can conduct fraudulent transactions on the account.
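An added example, not code from the article, Avira, or Symantec: a defender-side check for the delivery vector described above, an Office attachment that carries a VBA macro project. It builds two constructed OOXML documents in memory (one macro-enabled, one plain) and flags the one that contains a macro project; the content-type strings are the standard OOXML ones, the document bodies are stubs, and the quarantine policy is an assumption.

```python
import io
import zipfile

# Constructed sample documents (not real Dridex lures): one macro-enabled .docm
# and one plain .docx, built in memory so the check runs offline.
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header that real vbaProject.bin parts start with

def build_doc(macro: bool) -> bytes:
    """Build a minimal OOXML container; only the macro variant carries word/vbaProject.bin."""
    ct = MACRO_CT if macro else PLAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>' if macro else '')
        + '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")  # stub body, no real content
        if macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)  # stub VBA project
    return buf.getvalue()

def macro_indicators(blob: bytes) -> dict:
    """Return evidence of an embedded VBA project in an attachment (OOXML zip container)."""
    result = {"is_ooxml": False, "vba_part": False, "macro_content_type": False}
    if not blob.startswith(b"PK\x03\x04"):  # not a zip-based Office file at all
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = set(z.namelist())
            result["is_ooxml"] = "[Content_Types].xml" in names
            # The VBA project is stored as a separate part; its presence is the strongest signal.
            result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if result["is_ooxml"]:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_content_type"] = "macroEnabled" in ct or "vbaProject" in ct
    except zipfile.BadZipFile:
        pass  # malformed container: leave every indicator False and let other checks decide
    return result

def should_quarantine(blob: bytes) -> bool:
    """Assumed gateway policy: hold any Office attachment carrying a VBA project for analyst review."""
    ind = macro_indicators(blob)
    return ind["vba_part"] or ind["macro_content_type"]
```

A renamed extension does not change the verdict, because the check reads the container rather than the file name.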

Dridex and its operators have grabbed the attention of security researchers and law enforcement for their persistence. There was considerable elation last October when the FBI and law enforcement in the UK took down several of the servers and botnet infrastructure being used to distribute the Trojan. But it didn’t take long for the malware to reemerge and continue with its campaign. IBM and others recently warned about an intensification of attacks involving Dridex.

But the appearance of Dridex download sites serving up Avira antivirus suggests that someone is trying to disrupt the malware campaign, even if not in a strictly legitimate way.

“If you think about it, there was a huge media announcement when Dridex was taken down by the government authorities and a much smaller level of reporting on its return to the marketplace,” Kroll says. “That has got to be frustrating to some and might cause them to think, ‘the government tried to take it down, they could not, I can do something myself.'"

This is not the first time that an apparent online vigilante has stepped in to try to disrupt a malware operation. Last October, Symantec reported on a software tool it dubbed Linux.Wifatch that was being used to silently secure improperly protected home routers and Internet-connected devices.

Symantec described Wifatch as malware with hardcoded routines that appeared designed to harden compromised devices and to detect and remove any malware that might be present on them. The security vendor estimated that a white hat hacker or hackers had silently installed Wifatch on potentially tens of thousands of home routers in an apparent bid to protect the devices against malware.

“Someone went in, patched the security holes, then added a backdoor whereby the routers could receive regular updates of some signatures for detecting malware on these systems,” Kroll says, referring to Wifatch.

Avira started as a free antivirus company and still largely remains that way, although it offers a premium version of the software as well.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
User Rank: Apprentice
2/16/2016 | 9:17:05 AM
It is a government agent or agency that is the Batman.
User Rank: Apprentice
2/8/2016 | 9:39:31 AM
Re: Vigilante
"I'm not going to kill you. I want you to do me a favor. I want you to tell all your friends about me."

"I'm Batman."
User Rank: Ninja
2/8/2016 | 8:01:27 AM
As much as we shouldn't really encourage vigilantism, the internet is still very much the wild west. The authorities are starting to take it more in hand, but until people can be safer online within their own small communities, it seems like we need Batmans like this from time to time to help stamp out the evildoers.