As authorities with the FBI warned computer users yesterday to be on alert for Bugat/Dridex botnet malware, the judicial system cranked up to take a legal stand against the criminals that used the botnet to run their illegal enterprises. This included a cooperative effort by U.K. and U.S. government and private sector organizations to disrupt the botnet infrastructure, but also a nine-count indictment unsealed Tuesday by the U.S. Department of Justice against Moldovan criminal Andrey Ghinkul (aka Smilex), arrested Aug. 28 in Cyprus.
"Our relationships with counterparts all around the world are helping us go after both malicious hackers and their malware," said Leslie Caldwell, assistant attorney general for the DoJ's Criminal Division. "The Bugat/Dridex botnet, run by criminals in Moldova and elsewhere, harmed American citizens and entities. With our partners here and overseas, we will shut down these cross-border criminal schemes.”
While there will certainly be more where this botnet came from, like any other takedown this one offers good reason for celebration, believes Jeff Williams, director of security strategy, Dell SecureWorks Counter Threat Unit (CTU).
“Every partnership between industry and law enforcement which results in both the technical takedown of a threat and the arrest of parties responsible is a significant event,” Williams says.
Trend Micro researchers agreed, explaining the effort it took to take Dridex head-on wasn’t insignificant.
“Taking down cybercriminals is no small feat,” wrote Michael Marcos and Rhena Inocencio of Trend Micro. Tracking down and shutting down cybercrime operations requires the constant collaboration of researchers and law enforcement agencies, each providing their own expertise.”
Yesterday’s action was the next natural move for the good guys after the massive Gameover Zeus takedown, which had left a void in the underworld that Dridex’s masterminds had been trying to fill, Williams says. According to the experts at SecureWorks, the techniques used by Dridex overlapped considerably with Gameover Zeus, but the botnet itself never quite reached the level of sophistication or scale that its predecessor did. This may be a sign that these types of takedown efforts are actually making cumulative gains against the underworld.
“It may be that the arrests remove necessary skill sets from practice, making any subsequent attempt less successful,” says Williams. “The latter is similar to what we saw in Dridex filling the gap left by Gameover Zeus. Dridex's infrastructure was less challenging.”
Nevertheless, Dridex did make gains in architecture and business models, says Trend Micro researchers, who explained that its botnet-as-a-service model and peer-to-peer architecture set it apart.
“The P2P architecture of DRIDEX was built as an improved version of GoZ’s architecture,” wrote Marcos and Inocenci. “Learning from the GoZ takedown, creators of DRIDEX added another layer in its architecture before the command-and-control (C&C) server.”