Despite Takedown, the Dridex Botnet Is Running Again (sans.edu)

← Back to Stories (view on slashdot.org)

Despite Takedown, the Dridex Botnet Is Running Again (sans.edu)

Posted by timothy on Monday October 26, 2015 @02:24AM from the down-but-sadly-not-out dept.

itwbennett writes: Brad Duncan, a security researcher with Rackspace, on Friday wrote on the Internet Storm Center blog that 'the Dridex botnet administrator was arrested on 2015-08-28, and Palo Alto Networks reported Dridex was back by 2015-10-01. That represents an outage of approximately one month.' The lesson here, writes Jeremy Kirk in an article on CSOonline is that 'while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.'

34 of 57 comments (clear)

Min score:

Reason:

Sort:

You cannot succeed by Opportunist · 2015-10-26 02:43 · Score: 3, Interesting

At least not until you take care of the root of the problem: The bots. People who run unpatched, unsecured boxes on fat pipes with no regard for the safety of others. Hell, not even of themselves.
Get people liable for the shit their boxes do and you'll see this problem cease within months.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:You cannot succeed by Anonymous Coward · 2015-10-26 02:49 · Score: 5, Interesting
  
  So if your grandma gets hacked we should sue her and throw her in jail?
  How about we hold Microsoft accountable for the shitty fucking security in their operating system?
  That's the real problem here.
2. Re:You cannot succeed by Gr8Apes · 2015-10-26 03:00 · Score: 1
  
  I'd have to agree with the AC here - MS should be held accountable for this issue, otherwise you are really arguing people should be held liable for running MS OSes. After all, MS is the (major) problem. Of course, if it wasn't MS, it'd be something else, but MS has the biggest footprint and also happens to be easiest target to compromise - perfect for botnets.
  
  --
  The cesspool just got a check and balance.
3. Re:You cannot succeed by khasim · 2015-10-26 03:13 · Score: 2
  
  A different outlook:
  http://swiftonsecurity.tumblr.com/post/98675308034/a-story-about-jessica
  The COMPANIES with the most influence over the security of your systems usually have the LEAST incentive.
4. Re:You cannot succeed by Gaygirlie · 2015-10-26 03:14 · Score: 4, Insightful
  
  That's bullshit. Routers and other kinds of Internet-connected appliances are an extremely popular way of growing out a botnet, and guess what? They don't run Windows. Wordpress is another extremely popular target, and guess what? You can run Wordpress under a whole bunch of different OSes. There are literally tens of thousands of examples out there where Microsoft doesn't play any part except as perhaps the OS on which the vulnerable software runs on, but the same applies to *BSD, Linux and so on -- on general-purpose computers it doesn't matter what the OS is if the vulnerabilities lie in the software that was installed on top of the OS. On appliances, sure, but you can't blame MS for the shit the appliance-manufacturers pull.
5. Re:You cannot succeed by QuietLagoon · 2015-10-26 03:14 · Score: 1
  
  Don't go after the tools being used, go after those who use the tools.
6. Re:You cannot succeed by Dutch+Gun · 2015-10-26 03:17 · Score: 3, Interesting
  
  I'm not sure I buy that argument, especially when dealing with consumer hardware. As one example, how would a typical consumer possibly know that their router has been compromised? How would they even know it's "unpatched" in the first place? And what happens if you're completely patched up and you still get a bot on your system? While zero-day exploits are less common, they're do happen on a pretty regular basis.
  Nowadays, no consumer device should access or especially be accessed by the internet unless it's set up by default to auto-patch itself. This needs to be the new normal for hardware, because the reality is that security issues WILL be found, and that a typical consumer will NEVER patch things themselves. I used to have to update my Synology NAS box myself, checking when updates were available. After a well-publicized attack on their boxes, Synology wisely decided to allow their boxes to auto-patch themselves. We're starting to see this with some routers, and a lot of our critical software (OS, browsers) are now auto-patching as well. And we damn well need to make sure people making IoT devices get this right the first time.
  At this point, it's not just a matter of protection for the consumer that purchased the hardware. It's protection for the rest of the internet as well. We can't afford to leave old crap connected to the internet in perpetuity. As sad as that is, it's just proven to be too dangerous for the ecosystem as a whole.
  As for commercial-grade stuff... well, that's probably another discussion.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
7. Re:You cannot succeed by khasim · 2015-10-26 03:25 · Score: 3, Interesting
  
  The problem will be when the company selling those routers stops supporting them.
  Built correctly, those things should last for years and years. Longer than the companies want to spend money supporting them. They'd rather you purchased the newest model.
  But the security holes don't fix themselves.
  And even if you lock them down so that they cannot be "managed" from the Internet side, they're still vulnerable. It's just that the attack has to come from inside the network. Maybe via an ad banner or Java or whatever on a PC/laptop connecting through that router.
8. Re:You cannot succeed by Dutch+Gun · 2015-10-26 03:41 · Score: 1
  
  Naturally it's not a perfect solution, but let's please not let perfect be the enemy of good. We all know a patched system is far less likely to be compromised. And let's be honest here... hardware-manufacturing companies don't go out of business all that often, and when they do, they're often acquired by another company for their IP and assets. This should also include their liabilities, which is to provide continued support for sold devices.
  Sure, at some point, a device will be at the end of it's service life. I don't expect a for-profit company to patch its devices forever. We're still a lot safer with the device getting patched for as long as possible.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
9. Re:You cannot succeed by gstoddart · 2015-10-26 03:56 · Score: 1
  
  Honestly, then blame the people who make the routers, or what these other pieces. But suing some little old granny for having an insecure OS/router/thermostat makes no sense.
  Start making vendors of this stuff bear some responsibility when it's sold insecure, left wide open, and then exploited. Holding consumers for badly written products is plain silly.
  You can't expect every grandma with a computer to be a security expert.
  Nobody said "blame Microsoft for every security hole in the world". But if you sell a product and that becomes the reasons why these computers are getting exploited, blame the company who made it.
  
  --
  Lost at C:>. Found at C.
10. Re:You cannot succeed by khasim · 2015-10-26 04:02 · Score: 1
  
  This should also include their liabilities, which is to provide continued support for sold devices.
  It should, but it does not.
  Look at how Cisco treated LinkSys before they sold it to Belkin.
  
  We're still a lot safer with the device getting patched for as long as possible.
  No one is arguing otherwise.
  The issue is that the hardware WILL outlast the support. So the situation will not change. Systems that are vulnerable today will still be vulnerable. New systems that auto-update will eventually be unsupported. And those will still be vulnerable to attacks from other (compromised) systems on the internal network.
  There aren't easy answers to this issue.
11. Re:You cannot succeed by wbr1 · 2015-10-26 04:08 · Score: 1
  
  The flip side of that is companies do not want the expense or hassle of dealing with cases where the anut patch breaks functionality. This happens all the time and the more multi or general purpose the device the less likely that the vendor can test against all cases before releasing a critical patch.
  
  --
  Silence is a state of mime.
12. Re:You cannot succeed by Gr8Apes · 2015-10-26 04:10 · Score: 1
  
  That's bullshit.
  
  Absolutely true, regarding your statement.
  The router botnets are primarily due to morons configuring the devices to have default public admin ports open. Who does that on an internet facing device? Why, apparently Asus, Linksys, D-Lionk, Micronet, Tenda, and TP-Link. Note that they tracked only 40,269 IP addresses belonging to 1,600 ISPs over 4 months. As compared to 100,000+ in windows botnets. (While Simda.AT is not a botnet per se, it can become one easily due to what it does, it was just the first windows action that showed up with a number of infected machines. Oh, and it has 128,000 new infections per month.)
  Lastly, let's look at a list of known botnets. All the largest are windows based.
  
  Wordpress is another extremely popular target, and guess what? You can run Wordpress under a whole bunch of different OSes. ... on general-purpose computers it doesn't matter what the OS is if the vulnerabilities lie in the software that was installed on top of the OS.
  
  IMNSHO, Wordpress is a pile of crap. However, Wordpress's primary reason for compromise is to infect large numbers of other computers, most of which are... MS machines.
  
  On appliances, sure, but you can't blame MS for the shit the appliance-manufacturers pull.
  If it is built on an MS OS and the OS is the problem, sure I can.
  
  --
  The cesspool just got a check and balance.
13. Re:You cannot succeed by Z00L00K · 2015-10-26 04:21 · Score: 1
  
  And now with the spyware forced upon us from Microsoft how can we trust that a patch fixes a problem or gives us a new?
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
14. Re:You cannot succeed by tnk1 · 2015-10-26 04:51 · Score: 1
  
  By all means, hold MS accountable and then watch what happens to everyone else.
  You will be holding open source and free software creators responsible as well, because the law won't be confined to MS. So yes, by all means, hold MS responsible under law, and watch as MS pays a few billion dollars in fines (maybe), and the FOSS software market undergoes critical existence failure.
  Yes, botnets are a problem, but they aren't the end of the world. Let's not burn the house down to drive out the mice.
15. Re:You cannot succeed by houghi · 2015-10-26 04:56 · Score: 2
  
  As far as I know, the software at launch is safe. Yes, there will be some zero-day hacks and even those who are not patched.
  The real issue is however people clicking on ThisIsNotAVirus.exe.pdf or what not.
  So most is Trojans and not virusses. Microsoft also issues patches.
  Car comparison time:
  A car company makes a car with an error. They find an error and recall the car.
  Microsoft makes software and an error is found. They make updates available.
  If my car is vurlerable for not breaking and thus killing people and I decide not to taker the time to get it repaired, who is at fault?
  And by no means am I a MS fanboy. If they KNOWINGLY leave out security issues AND those are the ones abused (and yes, that also happens) then by all means they should be held responsible. But I am against the nanny state that tells me there is no responsibility on the side of the user by default.
  So it is only part of the problem. I am sure people would click on NotAVisus.sh that then demands their root password just so they can see som celebrity nekid. No need to blame Linus for that.
  
  --
  Don't fight for your country, if your country does not fight for you.
16. Re:You cannot succeed by Opportunist · 2015-10-26 05:26 · Score: 1
  
  There is nothing MS can do to stop people from handing root access to malware for the promise of dancing pigs. The ONLY way to do this is to do the Apple thing: Jail the system and only allow software to run on it that has been approved by the maker of the OS. Is that what you want? MS dictating what you can and what you cannot run on your computer?
  With the ability to run arbitrary software on your machine comes the responsibility to make sure it does not harm anyone. If you can't be assed do that, get a jailed device and let the maker decide what you may do with it.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
17. Re:You cannot succeed by Opportunist · 2015-10-26 05:32 · Score: 1
  
  How do you plan to make those ISPs detect whether someone is part of a botnet?
  ISPs already have a pretty decent incentive to not have botsheep on their network, simply due to traffic. Laws in most countries do not allow, though, an inspection of traffic at the level necessary to detect it, or they'll use their common carrier status.
  Careful what you wish for...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
18. Re:You cannot succeed by Kichigai+Mentat · 2015-10-26 06:07 · Score: 1
  
  So if your grandma gets hacked we should sue her and throw her in jail?
  If your grandma swerved across three lanes and caused a traffic accident because she never went in for the manufacturer recall to fix the malfunctioning rear view mirror she'd certainly at least get a talking to. If you knew about the problem with the mirror you'd probably talk with her about how important it is to get it fixed before she causes a problem too.
  
  How about we hold Microsoft accountable for the shitty fucking security in their operating system?
  That's the real problem here.
  No, the problem is that Microsoft issues fixes for their security problems, but people don't want to stop using their computer long enough to install them. That's how we ended up with Windows 8 forcing people to reboot to install updates, and Windows 10 making it more difficult to turn that system off. People bitch and moan about it, and in some cases go out of their way to disable it. A Google search for "Windows 10 Automatic Update" has the first two results as instructions on how to disable it, even Forbes has a write-up on how to disable it.
  
  --
  Rawr
19. Re:You cannot succeed by KGIII · 2015-10-26 13:19 · Score: 1
  
  Maybe they can just use the same OS on all of them and a patch could be universal and work just fine with older releases?
  
  --
  "So long and thanks for all the fish."
20. Re:You cannot succeed by Gr8Apes · 2015-10-27 02:47 · Score: 1
  
  Ah, but there's a fly in your ointment - FOSS doesn't sell you the software, so there's no implied contract and no basis to sue FOSS projects as compared to MS. This could actually help FOSS, because companies that use FOSS in their software would be covered by the law and thus would be encouraged to contribute back, in a world closer to perfect than the current one anyways.
  
  --
  The cesspool just got a check and balance.
21. Re:You cannot succeed by Agripa · 2015-10-28 05:54 · Score: 1
  
  In the same way that online ad vendors have demonstrated why add blocking is desirable, Microsoft (and others including Sony) has managed to demonstrate why automatic patching is not. The manufacturers will start using it as a vehicle for push marketing.
Name of the game: Whack-A-Mole by QuietLagoon · 2015-10-26 02:54 · Score: 4, Insightful

So long as law enforcement continues to play the botnet's game of whack-a-mole, the problem will not be solved, or even diminished.
.
Law enforcement needs to follow the money....
1. Re:Name of the game: Whack-A-Mole by swb · 2015-10-26 03:09 · Score: 1
  
  Which makes you wonder why they're not. I would think following the money coupled with aggressive sanctions to providers (ISPs, hosting companies, banks, credit processors, etc) and heavy publicity against them would get them someplace.
  My guess is the intelligence agencies are worried about getting caught up in such an investigation or at least having methods and "back doors" closed down.
2. Re:Name of the game: Whack-A-Mole by houghi · 2015-10-26 05:01 · Score: 1
  
  Hey, they have tried to solve the drug issue. Perhaps they could start a 'war on botnets' because that seems to help.
  Or people need to realize that crimes will be committed as long as people (think) they get money out of it. Realize that crime is a social problem and you will not solve it with a technical solution.
  
  --
  Don't fight for your country, if your country does not fight for you.
simple by Ryanrule · 2015-10-26 02:57 · Score: 1

find who is running them, and cut their fingers off.
1. Re:simple by JustAnotherOldGuy · 2015-10-26 03:41 · Score: 1
  
  find who is running them, and cut their fingers off.
  And put the fingers in the same box as their head.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
2. Re:simple by antdude · 2015-10-26 14:33 · Score: 1
  
  Nah, death sentences. :P
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Article is misleading by burtosis · 2015-10-26 03:32 · Score: 2

in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.'
Except for the sometimes - yes.
Be careful of what you wish for... by NotQuiteReal · 2015-10-26 04:20 · Score: 2

You might well end up with only "certified", "licensed" (and "taxed") software distributions that you must "subscribe" to, and accept all automatic updates.

Running unauthorized software will be illegal.

Problem solved.

--
This issue is a bit more complicated than you think.
1. Re:Be careful of what you wish for... by Gr8Apes · 2015-10-27 02:48 · Score: 1
  
  We already have that problem with MS in many places.
  
  --
  The cesspool just got a check and balance.
Re:they should by Z00L00K · 2015-10-26 04:20 · Score: 1

You mean call in the department for wet jobs?

--
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Re:Maybe its Hydra by Z00L00K · 2015-10-26 04:23 · Score: 1

Well - add fire to the equation. Even a Hydra has a limit.

--
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
The law is not the answer by gweihir · 2015-10-26 10:41 · Score: 1

Until security levels have been improved enough that such attacks become very rare, the law is completely unsuitable as a tool here. The law can catch the odd outlier that thinks rules of society does not apply to him/her, but that is it. The current situation is like everybody leaving their car keys in the ignition all the time and then demanding harsher laws to stop the frequent car thefts. That can obviously not work.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.