Takedown: Police Seize Botnet Servers

Friday, October 16, 2015 @ 04:10 PM gHale

The Dridex botnet has met its match – at least for now – as law enforcement agencies in the U.S. and Europe united with private security firms to bring it down.

Dridex, a successor of the Trojan known as Cridex, Feodo and Bugat, uses web injects and other techniques to steal users’ personal and financial information, which bad guys can use to commit fraud.


The malware had mainly gone out via malicious Microsoft Word documents attached to spam emails.

The attack has found victims across the globe, but the heaviest concentration has been in the U.S. and the UK with losses caused by the botnet estimated at $10 million in the U.S. and $30 million in the UK.

The Dridex botnet is actually multiple sub-botnets and uses a peer-to-peer (P2P) network for communications. The Dridex network appears to be a hybrid between a centralized and a decentralized network, since peer lists and configuration files are distributed centrally by backend servers, said researchers at Dell SecureWorks, who assisted the law enforcement agencies, in a blog post.

This allowed cybercrime fighters to poison the P2P network of each Dridex sub-botnet and redirect infected systems to a sinkhole.

“Threat actors created botnets such as Dridex to fill the void left by the takedown of the Gameover Zeus botnet in May 2014 as part of Operation Tovar,” the Dell SecureWorks Counter Threat Unit research team said. “Despite a significant overlap in tactics, techniques, and procedures (TTPs), Dridex never rivaled the sophistication, size, and success of Gameover Zeus. This operation took advantage of weaknesses in Dridex’s hybrid P2P architecture to take over the botnet.”

The FBI also said an administrator of the Dridex botnet, 30-year-old Moldovan national Andrey Ghinkul, aka “Andrei Ghincul” and “Smilex,” was arrested in Cyprus on August 28. Authorities are seeking to extradite Ghinkul to the U.S., where he will face nine counts covering criminal conspiracy, damaging a computer, unauthorized computer access with intent to defraud, wire fraud, and bank fraud.

Police said Ghinkul was a part of a criminal conspiracy that leveraged Dridex to steal banking credentials used to transfer money from victims’ accounts to the accounts of money mules. The FBI said the suspects attempted to steal nearly $1 million from a Pennsylvania School District, and managed to transfer roughly $3.5 million from the accounts of Delmont, PA-based oil and gas exploration company Penneco Oil.

The United States Computer Emergency Readiness Team (US-CERT) has published an advisory containing information on how to remove Dridex infections.

The operation against the Dridex botnet was conducted by the FBI in collaboration with Europol’s European Cybercrime Centre (EC3) and authorities in the UK, Germany and Moldova. The private sector organizations that contributed to the disruption of the threat include Fox-IT, S21sec, Abuse.ch, Spamhaus, the Shadowserver Foundation, and Trend Micro.