Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:30 PM
Connect Directly

Online 'Batman' Takes On Dridex Banking Trojan Operators

Several Dridex malware download sites have begun mysteriously serving up antivirus software instead.

Evil Corp. -- the criminal hacking group that owns and operates the especially nasty Dridex banking Trojan -- may have run into a Batman of sorts on the Internet.

Someone or some group appears to have disrupted at least part of the channel that distributes the malware and replaced the malicious links with installers for an antivirus tool instead. Basically, the server files behind the Dridex download URL in some locations have been swapped with original, up-to-date versions of the Web installer for Avira antivirus, according to Avira Operations, the German company that makes the software.

So users who click on malicious links distributed by the affected download locations get Avira’s antivirus tool instead of the banking Trojan. Whoever is behind the deed has apparently been leaving a calling card of sorts on the compromised Dridex sites, with somewhat cryptic references to "owner," "pwner,"and "host," Avira said in a statement on the development.

Avira says that it is not behind the caper and is unsure why the online do-gooder may have chosen its product to defend potential victims of the banking Trojan.

“We think it’s the Batman philosophy and way of life--help people, doing the right stuff with maybe not-so-legal methods,” says Moritz Kroll, malware expert with Avira. “I really think it is a hacker who has discovered how to do a good thing but perhaps with not strictly legal methods.”

Dridex is a banking Trojan that originally began spreading in 2014 and has since stubbornly resisted all efforts to eradicate it. It's typically distributed as a malicious attachment—often a Word document with malicious macros—in spam email.

When the document is opened, the macros download Dridex from a remote server, which often has been previously compromised as well. Once installed on a computer, Dridex basically waits until the user attempts to log into certain banking websites. Dridex currently targets customers of a growing list of major, mostly European, banks including Barclays, Santander, RBS, HSBC, Deutsche Bank, and Wells Fargo.

When a Dridex victim attempts to log into any of these banks, the malware quickly intercepts the communication and redirects the user to a spoofed Web page designed to look exactly like the actual banking website. The goal is to steal the account log-in details so the criminals can conduct fraudulent transactions on the account.

Dridex and its operators have grabbed the attention of security researchers and law enforcement for their persistence. There was considerable elation last October when the FBI and law enforcement in the UK took down several of the servers and botnet infrastructure being used to distribute the Trojan. But it didn’t take long for the malware to reemerge and continue with its campaign. IBM and others recently warned about an intensification of attacks involving Dridex.

But the appearance of Dridex download sites serving up Avira antivirus suggests that someone is trying to disrupt the malware campaign, even if not in a strictly legitimate way.

“If you think about it, there was a huge media announcement when Dridex was taken down by the government authorities and a much smaller level of reporting on its return to the marketplace,” Kroll says. “That has got to be frustrating to some and might cause them to think, ‘the government tried to take it down, they could not, I can do something myself.'"

This is not the first time that an apparent online vigilante has stepped in to try and disrupt a malware operation. Last October, Symantec reported on a software tool, that it dubbed Linux.Wifatch, being used to silently secure improperly protected home routers and Internet connected devices.

Symantec described Wifatch as malware with hardcoded routines that appeared designed to harden compromised devices and to detect and remove any malware that might be present on them. The security vendor estimated that a white hat hacker or hackers had silently installed Wifatch on potentially tens of thousands of home routers in an apparent bid to protect the devices against malware.

“Someone went in, patched the security holes, then added a backdoor whereby the routers could receive regular updates of some signatures for detecting malware on these systems,” Kroll says, referring to Wifatch.

Avira started as a free antivirus company and still largely remains that way, although it offers a premium version of the software as well.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/16/2016 | 9:17:05 AM
it is a government agent or agency that is the Batman. 
User Rank: Apprentice
2/8/2016 | 9:39:31 AM
Re: Vigilante
"I'm not going to kill you. I want you to do me a favor. I want you to tell all your friends about me."


"I'm Batman."
User Rank: Ninja
2/8/2016 | 8:01:27 AM
As much as we shouldn't really encourage vigilantism, the internet is still very much the wild west. The authorities are starting to take it more in hand, but until people can be more safe online within their own small communities, it seems like we need Batmans like this from time to time to help stamp out the evil doers. 
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-17
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocki...
PUBLISHED: 2019-08-17
In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
PUBLISHED: 2019-08-17
RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. This is related to _receive in sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloo...
PUBLISHED: 2019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
PUBLISHED: 2019-08-17
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a service.