Who is hanging Dridex out to dry?

In ITC's Threat of the Week

Regular readers of this Blog will have heard us wittering on about the banking trojan Dridex (as well as Zeus and the mighty Vawtrak etc. etc.)

To refresh the addled minds of you, our readers, Dridex was/is a banking trojan that steals banking details from users' machines. Following the arrest of a suspect (Andrey Ghinkul, AKA Smilex, Mwahahaha) in Cyprus last year, the FBI announced a massive shutdown of command and control servers and there was much slapping of backs, American whoops of joy, you get the picture.

But all was not OK. An interesting thing about the Dridex code was that it deployed botnet tech on the victims, and not just one botnet. It seems that the Dridex villains were willing to deliver a number of bots, presumably for Bitcoin.

In December of last year, Moritz Kroll, a researcher from Avira AntiVirus, channelling the crooked old healer from the Princess Bride film (Miracle Max), posted this:

Miracle Max, from the classic Princess Bride film, has some comments for the US authorities and their efforts to disrupt the Dridex/Bugat botnet.

“Mostly dead is slightly alive,” stated Miracle Max while reviving Westley.

As of 8:50 CET, October 16, at least four Dridex second stage nodes are still responding. “The botnet is definitely still active,” pointed out Moritz Kroll, malware researcher at Avira. “The version of the main component I received is 3.124 and seems to have been created on 2015-10-14”.

Wind the clock forward to this week and something very, very strange is happening. Users who fall victim to the Dridex code no longer download bad code, oh no. They are redirected to download none other than Avira AntiVirus software and prompted to download a pukka, signed copy of the same.

The very same Moritz Kroll (yes, the one who referenced Miracle Max the healer) is claiming that although Avira has its theories about who is behind this, “This is certainly not something we are doing ourselves”.

Well, there really is a thing, isn’t there. Although we definitely do believe in fairies here at ITC towers, coincidences less so, and we have never worked out which came first, the chicken or the egg.

Avira is actually pretty good protection, especially for free, and we would love to believe that this story is all about altruism. But we doubt it.

If you would like to know more about defending yourself or your business from these really nasty pieces of malware, please get in touch with us on 020 7517 3900 or email us at enquiries@itcsecure.com.

Author: Kevin Whelan