The banking trojan Dridex, spread over a botnet around the world, has been keeping security and law enforcement agencies on their toes for quite a long while. The FBI and the British National Crime Agency (NCA) managed to strike a blow against the botnet in October and allegedly took down the Command & Control (C&C) server located somewhere in Eastern Europe. The server handled communication with infected PCs; taking it offline disabled the botnet and brought things to a standstill. The FBI was able to redirect traffic between infected PCs and the C&C servers, meaning the criminals were no longer able to communicate with the trojans, but the trojan itself still resided on the infected PCs. In Cyprus, police arrested the suspected ringleader Andrey Ghinkul aka "Smilex", who can now wait behind bars until he is extradited to the US. However, security researchers have claimed the botnet has increased its activity in the last couple of weeks.
The Dridex trojan targets Windows systems exclusively and is usually spread via phishing emails with infected Word documents attached. Various macros in the Word document automatically download and install the malicious software in the background. Once a computer is infected, the trojan not only tries to spread the malicious software further, but also logs credentials, cookies, certificates and other data in order to hijack bank accounts and transfer money to its operators. Dridex is estimated to have caused damages of up to 10 million US dollars in Germany and the USA alone. The botnet is spread worldwide; the majority of infected systems are located in the USA, France and the Philippines.
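As an added example (not part of the original article, and not Avira's or any vendor's code), the check below flags the delivery vector described above: Word attachments that carry a VBA macro project. It inspects OOXML containers (.docx/.docm are ZIP files) for a vbaProject part or the macro content type, and escalates legacy binary .doc files that it cannot parse; the sample documents are constructed in memory.

```python
import io
import zipfile

# Content type registered for the VBA project part inside a macro-enabled OOXML file.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 compound file format (binary .doc/.xls).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole2' or 'not-office' for an attachment's bytes."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc: macros live inside OLE streams this check does not parse; escalate.
        return "legacy-ole2"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-office"
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return "not-office"
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    # Either signal is enough: a vbaProject.bin part, or the macro content type registered.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or MACRO_CONTENT_TYPE in content_types:
        return "macro"
    return "clean"


def build_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, with or without a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project")  # constructed
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def scan_attachments(attachments: dict) -> dict:
    """Map filename -> verdict for a batch of attachments, e.g. pulled from a mail gateway."""
    return {name: classify_attachment(data) for name, data in attachments.items()}
```

A 'macro' or 'legacy-ole2' verdict is a reason to quarantine or detonate the attachment in a sandbox, not proof of malice: legitimate macro-enabled documents exist, so the verdict should feed a policy rather than replace one.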
Dridex downloads Avira Installer
However, it now appears that the botnet itself has been hacked. As security researchers discovered today, the infected Word files have been rewritten so that they no longer download the malicious software, but a genuine, validly signed version of the Avira antivirus software instead. Who is behind this action is not known. Avira itself assumes that it could be the work of a so-called white hat hacker who is using the same vulnerability, but has replaced the malicious code with a link to the Avira installer. Although this has certainly made things more complicated for the Dridex gang and theoretically provides more safety, such activity is illegal in numerous countries, which is one reason white hat hackers prefer to hide their identity and remain unknown.
The internet certainly is a battleground, and black hats not only have to deal with the police, but also white hats.