Researchers Dig into Botnet

Tuesday, April 12, 2016 @ 11:04 AM gHale


Sometimes it is sweet revenge when a researcher can get into a malware’s innards and figure out how it operates.

That is just what security researchers from buguroo did as they got into one of Dridex’s admin panels and hacked its backend, retrieved user data and kept an eye on its activity.


Their investigation started in January, when their bugFraud Defense endpoint protection system detected a classic Dridex alert: Web injections in the user’s browser, where Dridex’s malware was loading malicious JavaScript into banking websites in order to steal authentication credentials.

Analyzing the alerts, researchers found the IP address of one of the Dridex admin panels hardcoded in the malicious JavaScript files used to hijack the user’s browser.

Because Dridex operations are carried out on such a massive scale, the attackers behind this huge botnet use multiple smaller infrastructures, which security researchers call subnets. This fractured architecture makes it harder for security firms to detect Dridex’s operations, and also harder to sinkhole the infrastructure.

Researchers did find the admin panel of a Dridex section previously known as Subnet 220. As luck would have it, this subnet was running an older version of the Dridex backend, in which researchers found some weaknesses.

These weaknesses allowed researchers to crack open Subnet 220’s admin panel and take a look inside. By recovering the data found in this backend, buguroo researchers were able to determine the scale at which these crooks operate, and to discover new techniques used in more recent attacks.

Researchers said Dridex attackers operate in short-burst campaigns, launching multiple attacks at various intervals. On average, attackers collect 16,000 credit card numbers per campaign and steal around $500 from each victim.

Since banks detect and block these illicit transactions in 90 percent of cases, the crooks pocket around $800,000 per campaign.