The Dridex botnet ain’t done yet, say researchers

David bisson
David Bisson

LadybugSecurity researchers are finding signs that a botnet responsible for infecting computers with the banking malware Dridex might still be functioning despite a recent international takedown.

Moritz Kroll, a malware researcher at Avira, has found that parts of the Dridex botnet appear to still be functioning.

“I tested our Botchecker with a sample from yesterday, and I found a first stage node was still responding and delivering the main Dridex component and a list of second stage nodes,” reported Kroll in a blog post for the security firm.

A brief history lesson might be in order.

Sign up to our free newsletter.
Security news, advice, and tips.

According to CNN Money, researchers with Dell SecureWorks first spotted Bugat, banking malware that steals users’ login credentials, back in 2010.

Since then, the malware has evolved into Cridex and then Dridex.

Up until recently, the latter of these two iterations was sending out approximately 350,000 spam emails laced with malware each day via a massive botnet distribution system.


It is believed that the malware has caused $40 million in losses worldwide, which includes some £20 million stolen from UK account holders.

Things began to change over the summer when Andrey Ghinkul, 30, of Moldova, was arrested and charged in a nine-count indictment for his role as an administrator of the Dridex botnet.

Shortly thereafter, researchers at Fujitsu uncovered a database of 385 million email addresses about a month after Ghinkul’s arrest. These addresses, the researchers concluded, were being targeted by the botnet’s administrators, presumably with the intention of stealing financial information.

This brings us up to earlier in October of this year, when the UK’s UK’s National Crime Agency partnered with the FBI and other security partners in an effort to sinkhole the malware and damage the botnet’s ability to communicate with infected computers.

“This is a particularly virulent form of malware and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes. Our investigation is ongoing and we expect further arrests to made,” Mike Hulett, head of operations at the NCA’s National Cyber Crime Unit (NCCU) said in a press release, as quoted by CNBC News.

These joint international efforts ultimately led to the seizure of multiple servers used by Dridex – a sizeable blow to the botnet’s command and control (C&C) framework.

According to Kroll, however, Dridex might not be done just yet. In fact, as reported by The Register, new versions of the malware were spotted as recently as October 16th and 20th.

To combat Dridex, the FBI is working with at least 12 different agencies and security vendors. Its investigation is currently ongoing.

Example of Dridex email. Source: Symantec
Example of Dridex email. Source: Symantec

Dridex might be a serious threat. However, general security tips, such as maintaining an updated anti-virus program on your computer, can help keep you safe against this threat. I also recommend that users exercise special caution when opening unsolicited Microsoft Word and Excel email attachments, and that they disable macros in Microsoft Office.

Users who believe they are infected with the Dridex botnet can find out more in this advisory provided by the United States Computer Emergency Readiness Team.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.