Slashdot Mirror


Despite Takedown, the Dridex Botnet Is Running Again (sans.edu)

itwbennett writes: Brad Duncan, a security researcher with Rackspace, on Friday wrote on the Internet Storm Center blog that 'the Dridex botnet administrator was arrested on 2015-08-28, and Palo Alto Networks reported Dridex was back by 2015-10-01. That represents an outage of approximately one month.' The lesson here, writes Jeremy Kirk in an article on CSOonline, is that 'while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.'

57 comments

  1. they should by Anonymous Coward · · Score: 0

    They should cut the hard line to the main frame

    1. Re:they should by Z00L00K · · Score: 1

      You mean call in the department for wet jobs?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  2. You cannot succeed by Opportunist · · Score: 3, Interesting

    At least not until you take care of the root of the problem: The bots. People who run unpatched, unsecured boxes on fat pipes with no regard for the safety of others. Hell, not even of themselves.

    Get people liable for the shit their boxes do and you'll see this problem cease within months.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:You cannot succeed by Anonymous Coward · · Score: 5, Interesting

      So if your grandma gets hacked we should sue her and throw her in jail?

      How about we hold Microsoft accountable for the shitty fucking security in their operating system?

      That's the real problem here.

    2. Re:You cannot succeed by Gr8Apes · · Score: 1

      I'd have to agree with the AC here - MS should be held accountable for this issue, otherwise you are really arguing people should be held liable for running MS OSes. After all, MS is the (major) problem. Of course, if it wasn't MS, it'd be something else, but MS has the biggest footprint and also happens to be the easiest target to compromise - perfect for botnets.

      --
      The cesspool just got a check and balance.
    3. Re:You cannot succeed by khasim · · Score: 2

      A different outlook:
      http://swiftonsecurity.tumblr.com/post/98675308034/a-story-about-jessica

      The COMPANIES with the most influence over the security of your systems usually have the LEAST incentive.

    4. Re:You cannot succeed by Gaygirlie · · Score: 4, Insightful

      That's bullshit. Routers and other kinds of Internet-connected appliances are an extremely popular way of growing out a botnet, and guess what? They don't run Windows. Wordpress is another extremely popular target, and guess what? You can run Wordpress under a whole bunch of different OSes. There are literally tens of thousands of examples out there where Microsoft doesn't play any part except as perhaps the OS on which the vulnerable software runs, but the same applies to *BSD, Linux and so on -- on general-purpose computers it doesn't matter what the OS is if the vulnerabilities lie in the software that was installed on top of the OS. On appliances, sure, but you can't blame MS for the shit the appliance-manufacturers pull.

    5. Re:You cannot succeed by QuietLagoon · · Score: 1

      Don't go after the tools being used, go after those who use the tools.

    6. Re:You cannot succeed by Dutch+Gun · · Score: 3, Interesting

      I'm not sure I buy that argument, especially when dealing with consumer hardware. As one example, how would a typical consumer possibly know that their router has been compromised? How would they even know it's "unpatched" in the first place? And what happens if you're completely patched up and you still get a bot on your system? While zero-day exploits are less common, they do happen on a pretty regular basis.

      Nowadays, no consumer device should access or especially be accessed by the internet unless it's set up by default to auto-patch itself. This needs to be the new normal for hardware, because the reality is that security issues WILL be found, and that a typical consumer will NEVER patch things themselves. I used to have to update my Synology NAS box myself, checking when updates were available. After a well-publicized attack on their boxes, Synology wisely decided to allow their boxes to auto-patch themselves. We're starting to see this with some routers, and a lot of our critical software (OS, browsers) are now auto-patching as well. And we damn well need to make sure people making IoT devices get this right the first time.

      At this point, it's not just a matter of protection for the consumer that purchased the hardware. It's protection for the rest of the internet as well. We can't afford to leave old crap connected to the internet in perpetuity. As sad as that is, it's just proven to be too dangerous for the ecosystem as a whole.

      As for commercial-grade stuff... well, that's probably another discussion.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    7. Re:You cannot succeed by khasim · · Score: 3, Interesting

      The problem will be when the company selling those routers stops supporting them.

      Built correctly, those things should last for years and years. Longer than the companies want to spend money supporting them. They'd rather you purchased the newest model.

      But the security holes don't fix themselves.

      And even if you lock them down so that they cannot be "managed" from the Internet side, they're still vulnerable. It's just that the attack has to come from inside the network. Maybe via an ad banner or Java or whatever on a PC/laptop connecting through that router.

    8. Re:You cannot succeed by Anonymous Coward · · Score: 0

      Don't go after end lusers, instead make ISPs liable. If you are running an ISP you should be disconnecting anyone running a botnet on your network, and not allow them to reconnect until they're clean.

      ISPs not cooperating should be blackholed by the rest of the internet.

    9. Re:You cannot succeed by Dutch+Gun · · Score: 1

      Naturally it's not a perfect solution, but let's please not let perfect be the enemy of good. We all know a patched system is far less likely to be compromised. And let's be honest here... hardware-manufacturing companies don't go out of business all that often, and when they do, they're often acquired by another company for their IP and assets. This should also include their liabilities, which is to provide continued support for sold devices.

      Sure, at some point, a device will be at the end of its service life. I don't expect a for-profit company to patch its devices forever. We're still a lot safer with the device getting patched for as long as possible.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    10. Re:You cannot succeed by Anonymous Coward · · Score: 0

      I suspect that if they just shoot the perps instead of arresting them, others would be much less likely to follow in their path.

    11. Re:You cannot succeed by gstoddart · · Score: 1

      Honestly, then blame the people who make the routers, or what these other pieces. But suing some little old granny for having an insecure OS/router/thermostat makes no sense.

      Start making vendors of this stuff bear some responsibility when it's sold insecure, left wide open, and then exploited. Holding consumers responsible for badly written products is plain silly.

      You can't expect every grandma with a computer to be a security expert.

      Nobody said "blame Microsoft for every security hole in the world". But if you sell a product and that becomes the reasons why these computers are getting exploited, blame the company who made it.

      --
      Lost at C:>. Found at C.
    12. Re:You cannot succeed by khasim · · Score: 1

      This should also include their liabilities, which is to provide continued support for sold devices.

      It should, but it does not.

      Look at how Cisco treated LinkSys before they sold it to Belkin.

      We're still a lot safer with the device getting patched for as long as possible.

      No one is arguing otherwise.

      The issue is that the hardware WILL outlast the support. So the situation will not change. Systems that are vulnerable today will still be vulnerable. New systems that auto-update will eventually be unsupported. And those will still be vulnerable to attacks from other (compromised) systems on the internal network.

      There aren't easy answers to this issue.

    13. Re:You cannot succeed by wbr1 · · Score: 1

      The flip side of that is companies do not want the expense or hassle of dealing with cases where the auto patch breaks functionality. This happens all the time, and the more multi- or general-purpose the device, the less likely that the vendor can test against all cases before releasing a critical patch.

      --
      Silence is a state of mime.
    14. Re:You cannot succeed by Gr8Apes · · Score: 1

      That's bullshit.

      Absolutely true, regarding your statement.

      The router botnets are primarily due to morons configuring the devices to have default public admin ports open. Who does that on an internet facing device? Why, apparently Asus, Linksys, D-Link, Micronet, Tenda, and TP-Link. Note that they tracked only 40,269 IP addresses belonging to 1,600 ISPs over 4 months. As compared to 100,000+ in windows botnets. (While Simda.AT is not a botnet per se, it can become one easily due to what it does, it was just the first windows action that showed up with a number of infected machines. Oh, and it has 128,000 new infections per month.)

      Lastly, let's look at a list of known botnets. All the largest are windows based.

      Wordpress is another extremely popular target, and guess what? You can run Wordpress under a whole bunch of different OSes. ... on general-purpose computers it doesn't matter what the OS is if the vulnerabilities lie in the software that was installed on top of the OS.

      IMNSHO, Wordpress is a pile of crap. However, Wordpress's primary reason for compromise is to infect large numbers of other computers, most of which are... MS machines.

      On appliances, sure, but you can't blame MS for the shit the appliance-manufacturers pull.

      If it is built on an MS OS and the OS is the problem, sure I can.

      --
      The cesspool just got a check and balance.
    15. Re:You cannot succeed by Anonymous Coward · · Score: 0

      Who's they? The judicial system? Do you know that Bill Gates is the richest man on earth (third richest I guess)?

    16. Re:You cannot succeed by Z00L00K · · Score: 1

      And now with the spyware forced upon us from Microsoft, how can we trust that a patch fixes a problem or gives us a new one?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    17. Re:You cannot succeed by Anonymous Coward · · Score: 0

      How about the NSA writes white-hat bots that prevent this shit?

      If your box gets pwned and auto-patched - too bad.

      NSA - help us out with your hacking, ffs.

    18. Re:You cannot succeed by tnk1 · · Score: 1

      By all means, hold MS accountable and then watch what happens to everyone else.

      You will be holding open source and free software creators responsible as well, because the law won't be confined to MS. So yes, by all means, hold MS responsible under law, and watch as MS pays a few billion dollars in fines (maybe), and the FOSS software market undergoes critical existence failure.

      Yes, botnets are a problem, but they aren't the end of the world. Let's not burn the house down to drive out the mice.

    19. Re:You cannot succeed by houghi · · Score: 2

      As far as I know, the software at launch is safe. Yes, there will be some zero-day hacks and even those who are not patched.

      The real issue is however people clicking on ThisIsNotAVirus.exe.pdf or what not.

      So most are Trojans and not viruses. Microsoft also issues patches.

      Car comparison time:
      A car company makes a car with an error. They find an error and recall the car.
      Microsoft makes software and an error is found. They make updates available.

      If my car is vulnerable for not braking and thus killing people and I decide not to take the time to get it repaired, who is at fault?

      And by no means am I a MS fanboy. If they KNOWINGLY leave out security issues AND those are the ones abused (and yes, that also happens) then by all means they should be held responsible. But I am against the nanny state that tells me there is no responsibility on the side of the user by default.

      So it is only part of the problem. I am sure people would click on NotAVisus.sh that then demands their root password just so they can see some celebrity nekid. No need to blame Linus for that.

      --
      Don't fight for your country, if your country does not fight for you.
    20. Re:You cannot succeed by Opportunist · · Score: 1

      There is nothing MS can do to stop people from handing root access to malware for the promise of dancing pigs. The ONLY way to do this is to do the Apple thing: Jail the system and only allow software to run on it that has been approved by the maker of the OS. Is that what you want? MS dictating what you can and what you cannot run on your computer?

      With the ability to run arbitrary software on your machine comes the responsibility to make sure it does not harm anyone. If you can't be assed to do that, get a jailed device and let the maker decide what you may do with it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    21. Re:You cannot succeed by Opportunist · · Score: 1

      How do you plan to make those ISPs detect whether someone is part of a botnet?

      ISPs already have a pretty decent incentive to not have botsheep on their network, simply due to traffic. Laws in most countries do not allow, though, an inspection of traffic at the level necessary to detect it, or they'll use their common carrier status.

      Careful what you wish for...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    22. Re:You cannot succeed by Kichigai+Mentat · · Score: 1

      So if your grandma gets hacked we should sue her and throw her in jail?

      If your grandma swerved across three lanes and caused a traffic accident because she never went in for the manufacturer recall to fix the malfunctioning rear view mirror she'd certainly at least get a talking to. If you knew about the problem with the mirror you'd probably talk with her about how important it is to get it fixed before she causes a problem too.

      How about we hold Microsoft accountable for the shitty fucking security in their operating system?

      That's the real problem here.

      No, the problem is that Microsoft issues fixes for their security problems, but people don't want to stop using their computer long enough to install them. That's how we ended up with Windows 8 forcing people to reboot to install updates, and Windows 10 making it more difficult to turn that system off. People bitch and moan about it, and in some cases go out of their way to disable it. A Google search for "Windows 10 Automatic Update" has the first two results as instructions on how to disable it, even Forbes has a write-up on how to disable it.

      --
      Rawr
    23. Re: You cannot succeed by Anonymous Coward · · Score: 0

      You mean "ThisIsNotAVirus.pdf.exe".

      Your whole reply is flawed.

    24. Re:You cannot succeed by KGIII · · Score: 1

      Maybe they can just use the same OS on all of them and a patch could be universal and work just fine with older releases?

      --
      "So long and thanks for all the fish."
    25. Re:You cannot succeed by Gr8Apes · · Score: 1

      Ah, but there's a fly in your ointment - FOSS doesn't sell you the software, so there's no implied contract and no basis to sue FOSS projects as compared to MS. This could actually help FOSS, because companies that use FOSS in their software would be covered by the law and thus would be encouraged to contribute back, in a world closer to perfect than the current one anyways.

      --
      The cesspool just got a check and balance.
    26. Re:You cannot succeed by Agripa · · Score: 1

      In the same way that online ad vendors have demonstrated why ad blocking is desirable, Microsoft (and others including Sony) has managed to demonstrate why automatic patching is not. The manufacturers will start using it as a vehicle for push marketing.

  3. You got the leader of the proxy criminal org. by Anonymous Coward · · Score: 0

    Congratulations. What about the rest of the organization? The people reselling these kits on dark net, the guys handling the money, the guy above who sanctions this kind of operation and gets a cut back, the programmers?

      With botnets doing to DHT, Tor and god knows what else for their C&C, you can be sure they will have a backup to the backup plan to get back control.

  4. Name of the game: Whack-A-Mole by QuietLagoon · · Score: 4, Insightful

    So long as law enforcement continues to play the botnet's game of whack-a-mole, the problem will not be solved, or even diminished.

    Law enforcement needs to follow the money....

    1. Re:Name of the game: Whack-A-Mole by swb · · Score: 1

      Which makes you wonder why they're not. I would think following the money coupled with aggressive sanctions to providers (ISPs, hosting companies, banks, credit processors, etc) and heavy publicity against them would get them someplace.

      My guess is the intelligence agencies are worried about getting caught up in such an investigation or at least having methods and "back doors" closed down.

    2. Re:Name of the game: Whack-A-Mole by Anonymous Coward · · Score: 0

      To quote one of my favorite shows:

      https://www.youtube.com/watch?v=Z7M71wmwWRo

    3. Re:Name of the game: Whack-A-Mole by Anonymous Coward · · Score: 0

      uh... they are all following the money... lots of overtime pay to shut down the botnet each time it pops up. law enforcement in america is 100% corrupt. just like everything else. everywhere.

      buy guns.

    4. Re:Name of the game: Whack-A-Mole by Anonymous Coward · · Score: 0

      So service providers should be punished for being the "facilitator"? That's a bit short-sighted don't you think. Also, you claim law enforcement is deliberately not doing a proper job just because they do not want software patched in order to maintain their own illegal access to devices. As well, claiming that law enforcement *only* goes after low-hanging fruit concerning cases. You certainly paint with a broad brush and are a tad over paranoid. Glad you are not in public office.

      Suspicion is fine, going overboard with unfounded guesses is not.

    5. Re: Name of the game: Whack-A-Mole by Anonymous Coward · · Score: 0

      Before I even clicked the link I knew it was from the wire. Best show ever created.

      We need more Lester Freamons and less Rawls.

    6. Re:Name of the game: Whack-A-Mole by houghi · · Score: 1

      Hey, they have tried to solve the drug issue. Perhaps they could start a 'war on botnets' because that seems to help.

      Or people need to realize that crimes will be committed as long as people (think) they get money out of it. Realize that crime is a social problem and you will not solve it with a technical solution.

      --
      Don't fight for your country, if your country does not fight for you.
    7. Re:Name of the game: Whack-A-Mole by Anonymous Coward · · Score: 0

      Articles describing/reverse engineering the malware wildlife are pretty interesting, they should be protected

  5. simple by Ryanrule · · Score: 1

    find who is running them, and cut their fingers off.

    1. Re:simple by JustAnotherOldGuy · · Score: 1

      find who is running them, and cut their fingers off.

      And put the fingers in the same box as their head.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:simple by antdude · · Score: 1

      Nah, death sentences. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  6. Something from both sides by Anonymous Coward · · Score: 0

    Not necessarily held accountable, but users should take a more active part in the security of their own devices. Laying it completely on the developer of a product would be similar to buying a house then placing blame on both the architect and construction workers for not including greater security into the finished building. Both sides need to tighten up their practices to begin to make any substantial difference in this fight.

  7. Article is misleading by burtosis · · Score: 2

    in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.'

    Except for the sometimes - yes.

  8. The real question by JustAnotherOldGuy · · Score: 0

    The real question is whether the Dridex botnet will work with the Internet Of Things?

    Because if it can't infect my toaster and refrigerator then it won't get my respect.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  9. Maybe it's Hydra by Anonymous Coward · · Score: 0

    If a head is cut off, two more will take its place...

    1. Re:Maybe it's Hydra by Z00L00K · · Score: 1

      Well - add fire to the equation. Even a Hydra has a limit.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  10. Be careful of what you wish for... by NotQuiteReal · · Score: 2

    You might well end up with only "certified", "licensed" (and "taxed") software distributions that you must "subscribe" to, and accept all automatic updates.

    Running unauthorized software will be illegal.

    Problem solved.

    --
    This issue is a bit more complicated than you think.
    1. Re:Be careful of what you wish for... by Gr8Apes · · Score: 1

      We already have that problem with MS in many places.

      --
      The cesspool just got a check and balance.
  11. Opportunist's post explains WHY I made this by Anonymous Coward · · Score: 0

    He posted here & it's about ROOTS of a problem http://it.slashdot.org/comment...

    THIS takes care of that, by chopping out the problem AT THE ROOTS blocking botnet's abilities to infect you OR the means for them to "talk back to mama" (C&C they use, MOST use host-domain names since 'fastflux' design on many of them now OUTFOXES ICANN & IANA via quick movement to dirty hosting providers that don't give a shit & are not accountable via penalties for hosting these bogus machinations...)

    Simply by automating an otherwise nigh-impossible process, & letting YOU do it (not anyone @ ICANN or the IANA who despite their best efforts & those whom they work with, are not as effective as possible) -> APK Hosts File Engine 9.0++ 32/64-bit http://start64.com/index.php?o...

    (You BLOCK the malicious payload sources getting the data from it from GOOD FOLKS in the security community who produce data vs. such threats... & you can supplement the 10 I use with others like them - God bless them (had to add that)).

    APK

    P.S.=> The world's f'd up. Want a job done RIGHT? Do it yourself as best you can, this tool allows it... apk

  12. Yes, you can (better than ICANN/IANA etc.) by Anonymous Coward · · Score: 0

    Not at the hosting provider level, or otherwise so I made this -> http://it.slashdot.org/comment... (firewalls rules do the rest, but IP addresses are BY FAR lesser used since ICANN/IANA & even ISP levels are NOT addressing it - certainly NOT vs. 'fastflux' design botnets that use host-domain names which are BY FAR more used vs. IP addresses in these bogus machinations...).

    * I noted your post in it...

    APK

    P.S.=> Enjoy, it's free & works vs. threats like this + others like it... apk

  13. Is it really worth the effort? by Anonymous Coward · · Score: 0

    Sure we could create more laws, crack down on internet security or arrest more people, but is it really worth it? I mean, the companies that care about security have things in place to protect themselves from botnets. If people with insecure stuff don't really care then why should we? This seems like just another bogeyman tactic for security companies to market their services.

  14. Botnet vs Botnet by Anonymous Coward · · Score: 0

    Fight fire with fire.

    Law Enforcement should conscript machines with poor security to fight other botnets. Mano a mano.

    Botnet Warz style

  15. Wake up: You've been drinking the pr koolaid by Anonymous Coward · · Score: 0

    New Malware Enlists Linux-Based Security Cameras For DDoS Botnet http://slashdot.org/submission...

    XOR DDoS botnet launching attacks from compromised Linux machines http://www.net-security.org/se...

    New Linux rootkit leverages GPUs for stealth http://www.itworld.com/article...

    Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines http://linux.slashdot.org/stor...

    New Linux Rootkit Emerges http://linux.slashdot.org/stor...

    Linux servers turned into bots by IPTables http://news.techworld.com/secu...

    ---

    * Want more? "Ask & YE SHALL RECEIVE"... & I've got truckloads of these as "evidences thereof".

    APK

    P.S.=> Top that off w/ what gaygirlie noted - routers using *NIX in them get suckered too... it's possible, on EVERYTHING - Windows & MS have 1 THING GOING FOR THEM - decades of experience in it vs. other OS'...

    E.G. - Witness ANDROID (yes, it's a Linux variant using a Linux core & a STUPID java variant front-end largely), & for years around here the "std. FUD mantra" was "Linux = invulnerable" & Apple tried it too (We don't get viruses), well, time tells ANOTHER story:

    You get used more? YOU GET TAKEN ADVANTAGE OF MORE (you now represent sufficient "ROI" to make the code to do it once you get more users)... apk

  16. Not to be too obvious but.... by Anonymous Coward · · Score: 0

    "the Dridex botnet administrator was arrested on 2015-08-28"

    Did they keep him? They don't actually say he was still in jail when it started back up.

    That seemed simple enough but wasn't answered that I saw. Nor did they say WHO that was to make a search easy.

  17. The law is not the answer by gweihir · · Score: 1

    Until security levels have been improved enough that such attacks become very rare, the law is completely unsuitable as a tool here. The law can catch the odd outlier who thinks the rules of society do not apply to him/her, but that is it. The current situation is like everybody leaving their car keys in the ignition all the time and then demanding harsher laws to stop the frequent car thefts. That can obviously not work.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.