Dridex Botnet Shows Signs of Rejuvenation

The infamous banking botnet 'Dridex' is beginning to show retrieval signs even after a sophisticated FBI (Federal Bureau of Investigation) led trouble campaign in early October 2015, reported theregister.com on October 20, 2015.

Servers linked with Dridex were apprehended in a synchronized operation on 13 September 2015 weeks after a suspected Moldovan cybercriminal, namely Andrey Ghinkul was detained in Cyprus in late August 2015.

But the destruction of the subtle botnet has fallen short of completely bringing it down, said security firm Avira recently.

Avira security researchers say that the botnet still seems to be somewhat operational.

As of 8:50 CET, October 16, (2015) a minimum of four Dridex second stage nodes were still found to be responding.

"The botnet is certainly still active," said Moritz Kroll, Malware Researcher with Avira, published blog.avira.com on October 16, 2015.

The edition of the key component I received is 3.124 and looks to have been generated on October 14, 2015.

The replies from Dridex established Kroll's doubts: The detention of the administrators and the recent takedown of the Dridex botnet may not have totally killed its operations. We now have to anticipate that the rest of the botnet will be 'all dead' in the coming time.

Dridex was centered on embezzling critical user details. The malware also inserts the system to the larger Dridex botnet, which permits its managers to converse with the maligned system via other systems, defending them from legal issues.

Subsequently, it sits on the tainted system, waiting to embezzle logins to high-priced services. Besides banking details, which are the chief target of the attack, it also keeps a watch for other login details like social media.

Kroll noted that tainted Word documents are still being circulated as spam notifications in attempts to taint fresh victims with Dridex as part of a continuing post-crackdown campaign, reported theregister.com on October 20, 2015.

We're also witnessing that the malware writers frequently release fresh versions of Dridex, said Kroll, who noted that new versions were witnessed on 16 October and then 20 October (2015).

So because the botnet is replying with fresh editions of the malware, we are possibly not chatting with the sinkholed nodes, he claimed.

» SPAMfighter News - 10/27/2015