Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:00 PM
Connect Directly

Dridex Takedown Might Show Evidence Of Good Guys’ Gains

Researchers believe Dridex swooped in to fill Gameover Zeus' hole in the black market, but it didn't have time to grow as big as its predecessor before being stopped.

As authorities with the FBI warned computer users yesterday to be on alert for Bugat/Dridex botnet malware, the judicial system cranked up to take a legal stand against the criminals that used the botnet to run their illegal enterprises. This included a cooperative effort by U.K. and U.S. government and private sector organizations to disrupt the botnet infrastructure, but also a nine-count indictment unsealed Tuesday by the U.S. Department of Justice against Moldovan criminal Andrey Ghinkul (aka Smilex), arrested Aug. 28 in Cyprus.

"Our relationships with counterparts all around the world are helping us go after both malicious hackers and their malware," said Leslie Caldwell, assistant attorney general for the DoJ's Criminal Division. "The Bugat/Dridex botnet, run by criminals in Moldova and elsewhere, harmed American citizens and entities. With our partners here and overseas, we will shut down these cross-border criminal schemes.”

While there will certainly be more where this botnet came from, like any other takedown this one offers good reason for celebration, believes Jeff Williams, director of security strategy, Dell SecureWorks Counter Threat Unit (CTU).

“Every partnership between industry and law enforcement which results in both the technical takedown of a threat and the arrest of parties responsible is a significant event,” Williams says.

Trend Micro researchers agreed, explaining the effort it took to take Dridex head-on wasn’t insignificant.

“Taking down cybercriminals is no small feat,” wrote Michael Marcos and Rhena Inocencio of Trend Micro. Tracking down and shutting down cybercrime operations requires the constant collaboration of researchers and law enforcement agencies, each providing their own expertise.”

Yesterday’s action was the next natural move for the good guys after the massive Gameover Zeus takedown, which had left a void in the underworld that Dridex’s masterminds had been trying to fill, Williams says. According to the experts at SecureWorks, the techniques used by Dridex overlapped considerably with Gameover Zeus, but the botnet itself never quite reached the level of sophistication or scale that its predecessor did. This may be a sign that these types of takedown efforts are actually making cumulative gains against the underworld.

“It may be that the arrests remove necessary skill sets from practice, making any subsequent attempt less successful,” says Williams. “The latter is similar to what we saw in Dridex filling the gap left by Gameover Zeus.  Dridex's infrastructure was less challenging.”

Nevertheless, Dridex did make gains in architecture and business models, says Trend Micro researchers, who explained that its botnet-as-a-service model and peer-to-peer architecture set it apart.  

“The P2P architecture of DRIDEX was built as an improved version of GoZ’s architecture,” wrote Marcos and Inocenci. “Learning from the GoZ takedown, creators of DRIDEX added another layer in its architecture before the command-and-control (C&C) server.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Exploitation, Phishing Top Worries for Mobile Users
Robert Lemos, Contributing Writer,  2/28/2020
Kr00k Wi-Fi Vulnerability Affected a Billion Devices
Robert Lemos, Contributing Writer,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-28
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for so...
PUBLISHED: 2020-02-28
Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensi...
PUBLISHED: 2020-02-28
An open redirect is present on the gateway's login page, which could cause a user to be redirected to a malicious site after logging in.
PUBLISHED: 2020-02-28
A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system.
PUBLISHED: 2020-02-28
BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.