2/5/2016
05:30 PM

Online 'Batman' Takes On Dridex Banking Trojan Operators

Several Dridex malware download sites have begun mysteriously serving up antivirus software instead.

Evil Corp. -- the criminal hacking group that owns and operates the especially nasty Dridex banking Trojan -- may have run into a Batman of sorts on the Internet.

Someone or some group appears to have disrupted at least part of the channel that distributes the malware and replaced the malicious links with installers for an antivirus tool instead. Basically, the server files behind the Dridex download URL in some locations have been swapped with original, up-to-date versions of the Web installer for Avira antivirus, according to Avira Operations, the German company that makes the software.

So users who click on malicious links distributed by the affected download locations get Avira’s antivirus tool instead of the banking Trojan. Whoever is behind the deed has apparently been leaving a calling card of sorts on the compromised Dridex sites, with somewhat cryptic references to "owner," "pwner," and "host," Avira said in a statement on the development.

Avira says that it is not behind the caper and is unsure why the online do-gooder may have chosen its product to defend potential victims of the banking Trojan.

“We think it’s the Batman philosophy and way of life: help people, doing the right stuff with maybe not-so-legal methods,” says Moritz Kroll, malware expert with Avira. “I really think it is a hacker who has discovered how to do a good thing but perhaps with not strictly legal methods.”

Dridex is a banking Trojan that originally began spreading in 2014 and has since stubbornly resisted all efforts to eradicate it. It's typically distributed as a malicious attachment—often a Word document with malicious macros—in spam email.

When the document is opened, the macros download Dridex from a remote server, which often has been previously compromised as well. Once installed on a computer, Dridex basically waits until the user attempts to log into certain banking websites. Dridex currently targets customers of a growing list of major, mostly European, banks including Barclays, Santander, RBS, HSBC, Deutsche Bank, and Wells Fargo.

When a Dridex victim attempts to log into any of these banks, the malware quickly intercepts the communication and redirects the user to a spoofed Web page designed to look exactly like the actual banking website. The goal is to steal the account log-in details so the criminals can conduct fraudulent transactions on the account.

Dridex and its operators have grabbed the attention of security researchers and law enforcement for their persistence. There was considerable elation last October when the FBI and law enforcement in the UK took down several of the servers and botnet infrastructure being used to distribute the Trojan. But it didn’t take long for the malware to reemerge and continue with its campaign. IBM and others recently warned about an intensification of attacks involving Dridex.

But the appearance of Dridex download sites serving up Avira antivirus suggests that someone is trying to disrupt the malware campaign, even if not in a strictly legitimate way.

“If you think about it, there was a huge media announcement when Dridex was taken down by the government authorities and a much smaller level of reporting on its return to the marketplace,” Kroll says. “That has got to be frustrating to some and might cause them to think, ‘the government tried to take it down, they could not, I can do something myself.’”

This is not the first time that an apparent online vigilante has stepped in to try to disrupt a malware operation. Last October, Symantec reported on a software tool that it dubbed Linux.Wifatch, which was being used to silently secure improperly protected home routers and Internet-connected devices.

Symantec described Wifatch as malware with hardcoded routines that appeared designed to harden compromised devices and to detect and remove any malware that might be present on them. The security vendor estimated that a white hat hacker or hackers had silently installed Wifatch on potentially tens of thousands of home routers in an apparent bid to protect the devices against malware.

“Someone went in, patched the security holes, then added a backdoor whereby the routers could receive regular updates of some signatures for detecting malware on these systems,” Kroll says, referring to Wifatch.

Avira started as a free antivirus company and still largely remains that way, although it offers a premium version of the software as well.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
DougA987,
User Rank: Apprentice
2/16/2016 | 9:17:05 AM
Perhaps
it is a government agent or agency that is the Batman. 
Andacar,
User Rank: Apprentice
2/8/2016 | 9:39:31 AM
Re: Vigilante
"I'm not going to kill you. I want you to do me a favor. I want you to tell all your friends about me."

"WHO ARE YOU MAN? WHO ARE YOU?"

"I'm Batman."
Whoopty,
User Rank: Ninja
2/8/2016 | 8:01:27 AM
Vigilante
As much as we shouldn't really encourage vigilantism, the internet is still very much the wild west. The authorities are starting to take it more in hand, but until people can be more safe online within their own small communities, it seems like we need Batmans like this from time to time to help stamp out the evildoers.