Dridex Takedown Might Show Evidence Of Good Guys' Gains

Researchers believe Dridex swooped in to fill Gameover Zeus' hole in the black market, but it didn't have time to grow as big as its predecessor before being stopped.

As authorities with the FBI warned computer users yesterday to be on alert for Bugat/Dridex botnet malware, the judicial system cranked up to take a legal stand against the criminals who used the botnet to run their illegal enterprises. This included a cooperative effort by U.K. and U.S. government and private sector organizations to disrupt the botnet infrastructure, as well as a nine-count indictment unsealed Tuesday by the U.S. Department of Justice against Moldovan criminal Andrey Ghinkul (aka Smilex), arrested Aug. 28 in Cyprus.

"Our relationships with counterparts all around the world are helping us go after both malicious hackers and their malware," said Leslie Caldwell, assistant attorney general for the DoJ's Criminal Division. "The Bugat/Dridex botnet, run by criminals in Moldova and elsewhere, harmed American citizens and entities. With our partners here and overseas, we will shut down these cross-border criminal schemes."

While there will certainly be more where this botnet came from, like any other takedown this one offers good reason for celebration, believes Jeff Williams, director of security strategy, Dell SecureWorks Counter Threat Unit (CTU).

“Every partnership between industry and law enforcement which results in both the technical takedown of a threat and the arrest of parties responsible is a significant event,” Williams says.

Trend Micro researchers agreed, explaining the effort it took to take Dridex head-on wasn’t insignificant.

“Taking down cybercriminals is no small feat,” wrote Michael Marcos and Rhena Inocencio of Trend Micro. “Tracking down and shutting down cybercrime operations requires the constant collaboration of researchers and law enforcement agencies, each providing their own expertise.”

Yesterday’s action was the next natural move for the good guys after the massive Gameover Zeus takedown, which had left a void in the underworld that Dridex’s masterminds had been trying to fill, Williams says. According to the experts at SecureWorks, the techniques used by Dridex overlapped considerably with Gameover Zeus, but the botnet itself never quite reached the level of sophistication or scale that its predecessor did. This may be a sign that these types of takedown efforts are actually making cumulative gains against the underworld.

“It may be that the arrests remove necessary skill sets from practice, making any subsequent attempt less successful,” says Williams. “The latter is similar to what we saw in Dridex filling the gap left by Gameover Zeus. Dridex's infrastructure was less challenging.”

Nevertheless, Dridex did make gains in architecture and business models, say Trend Micro researchers, who explained that its botnet-as-a-service model and peer-to-peer architecture set it apart.

“The P2P architecture of DRIDEX was built as an improved version of GoZ’s architecture,” wrote Marcos and Inocencio. “Learning from the GoZ takedown, creators of DRIDEX added another layer in its architecture before the command-and-control (C&C) server.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
