On October 13, American and British law enforcement took action against the notorious DRIDEX botnet with the goal of stopping the activities of the notorious online banking threat. U.S. Attorney David J. Hickton of the Western District of Pennsylvania called the operation a “technical disruption and a blow to one of the most pernicious malware threats in the world.”
The National Crime Agency, meanwhile, called the operation “part of a sustained and ongoing campaign targeting multiple versions of Dridex and the cyber criminals behind it, who operate in hard to reach parts of the world.”
While these actions have knocked DRIDEX off its feet, the malware is far from dead. After the takedown of DRIDEX, we estimate that the number of affected users has fallen to 24% of the pre-takedown numbers. This is based on the number of DRIDEX infections seen in the wild in two-week periods both immediately before and immediately after the takedown.
Looking more closely at this data, the distribution of victims has slightly changed as well. In particular, the percentage of US victims fell significantly, going from almost 30% of victims in the period just before the takedown to less than 14% immediately after:
Figure 1. Distribution of victims, pre-takedown
Figure 2. Distribution of victims, post-takedown
However, while DRIDEX was hurt by this operation, not all of its servers were shut down. Servers outside of the reach or knowledge of the law enforcement agencies above continued to function. In addition, only one member of the DRIDEX gang was arrested – a system administrator named Andrey Ghinkul. Other members remained at large and have continued their activities. We have already seen new variants deployed with no drastic changes (aside from changes to new C&C servers).
DRIDEX uses a service model that may have helped it survive this particular operation. It is designed as a botnet as a service (BaaS) – in effect, it is made up of multiple botnets that each have different configuration files. In addition, it attempts to hide its tracks – it uses a peer-to-peer architecture (like Gameover ZeuS) to hide its C&C servers, as well as multiple routines on the endpoint to hide its activity. Taken together, this makes DRIDEX fairly resilient to disruption.
Takedowns like these are effective in disrupting the activities of cybercrime operations in the short term, but success in the longer term is not always assured. They have the effect of removing the least effective threats from the scene and letting cybercriminals learn from their mistakes. Arrests are needed to truly halt cybercrime activity.
DRIDEX was hurt by this takedown, but it’s not finished as a threat. We will continue to monitor its activity in order to protect our users, as well as provide any information we gather to the appropriate law enforcement agencies.
Additional analysis by Anthony Joe Melgarejo and Michael Marcos