<blockquote data-quote="Brianwill" data-source="post: 599" data-attributes="member: 15"><p><strong>Dridex</strong></p><ul> <li data-xf-list-type="ul"><strong>Brief description:</strong> banking Trojan</li> <li data-xf-list-type="ul"><strong>Years active:</strong> 2011-present</li> <li data-xf-list-type="ul"><strong>Number of infections:</strong> unknown</li> <li data-xf-list-type="ul"><strong>Distribution methods:</strong> spam, social engineering, free software</li> </ul>
<p>The Dridex banking Trojan has been one of the major financial cyberthreats since Zeus left the scene. In 2015, its damage was estimated at more than $40 million.</p>
<p>Dridex (then Cridex) first appeared around September 2011. Even then, the bot knew how to use web injections to steal money online, and it could also infect USB drives, so it was initially classified not as a Trojan but as a worm. The web injections turned out to be suspiciously similar in style to those of Zeus; this may have been helped along by the leak of the Zeus source code in 2011. Later, in 2012, the attackers abandoned USB infection.</p>
<p>The similarity between the Zeus and Dridex web injections is not the only thing that unites them. Specifically, it shared with the Gameover Zeus variant the regular-expression handling, the distribution method (email spam), some aspects of the installer (the main body of the virus and the loader), and the set of components available on the infected system. That list includes a SOCKS proxy and a hidden VNC, obviously borrowed from Zeus.</p>
<p>By the beginning of 2015, Dridex even had some semblance of a peer-to-peer network, which again resembles Gameover Zeus. This cannot be called true P2P, because not all network nodes were equal. Instead, there were supernodes whose addresses were specified in the Trojan's configuration file, in the XML section &lt;nodes&gt;. Encryption of the communication protocol with the command center also appeared.</p>
<p>The network grew rapidly and the criminals seemed elusive, but on August 28, 2015, one of the Dridex administrators was found and arrested. Some of the bots (they were divided into subnets) disappeared from the network, but after a short time they not only returned but also brought new ones. It seems that other admins took control of their arrested colleague's subnets and continued working without him.</p>
<p>After the arrest, security measures were immediately tightened: IP-based filtering by geographical location was introduced. If the country was not on the list, the bot received an error message. This, of course, did not prevent the Trojan from being studied. A couple of months later, the network owners rolled out an update to the Trojan loader in which the XML config was replaced with a binary one. In fact, this solution was already used in early versions of what was then Cridex, so the move was intended to confuse researchers rather than make the Trojan more convenient.</p>
<p>Another interesting version was found in early 2017. In terms of its capabilities it was similar to the third one, but the analysis of new samples is now greatly complicated by the fact that the loader works for a maximum of a couple of days. Again, the solution is not new: it was much the same with the Lurk Trojan, except that there the loader worked for only a few hours. When the loader's lifetime ends, the encryption keys are changed and the old samples become useless. All legacy instances receive a 404 error from the server.</p>
<p>The encryption remains the same as in its ancestor: RC4, with a static key in the Trojan's body. Encryption was needed to protect against detection in traffic, not to block research: RC4 is a symmetric algorithm that can easily be broken by brute force, but traffic analysis systems are powerless against such a pseudo-random data stream.</p>
<p>Most of the victims are located in Europe. Most of the infections were recorded in the UK, followed by Germany and France. Dridex does not infect Russian computers: the command servers do not respond to requests from Russian IP addresses.</p>
<p>Over the years of Dridex's existence, whitehats and law enforcement agencies from different countries have repeatedly, and unsuccessfully, tried to stop the botnet's activity. In 2009, the US Department of Justice filed charges against two Russians who, according to it, are behind the development of the Dridex malware, among other things.</p>
<p>The indictment says that 32-year-old Maxim Yakubets and 38-year-old Igor Turashev were the developers of the famous banking Trojan Dridex, and that Yakubets was the leader of the group. In addition, Yakubets is also accused of developing and distributing Zeus.</p>
<p>But so far, Dridex keeps adding more and more User Account Control (UAC) bypass techniques that help it stay afloat and continue infecting Windows machines. The damage is difficult to quantify, but even by the most conservative estimates it runs to hundreds of millions of dollars.</p></blockquote>
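The static-key RC4 scheme the post describes for the Dridex command-and-control channel, as an added example that is neither the post's code nor Dridex's own. The key bytes, the XML-style C2 message, the layout of the constructed "bot body" and the `RC4KEY` marker are all assumptions made up for illustration; the `Key`/`Plaintext` self-check is the standard published RC4 test vector.

```python
# Added example (not from the forum post or from Dridex itself): RC4 with a
# static key embedded in the bot body, as the post describes for Dridex C2
# traffic. The key, the C2 message, the "bot body" layout and the marker
# string are all constructed for illustration.
import math
from collections import Counter


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. RC4 output looks uniformly random, which is what
    defeats signature-based traffic inspection; XML plaintext does not."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed static key standing in for the one hard-coded in the bot.
STATIC_KEY = b"\x13\x37\xc0\xde\x00\xff\x42\x99"

# Constructed XML-style C2 message (the post mentions an XML config with a
# <nodes> section listing supernodes).
C2_MESSAGE = (b"<loader><botnet>220</botnet><version>1</version>"
              b"<nodes><node>203.0.113.10:443</node></nodes></loader>")

# Constructed "unpacked bot body": a marker, a length byte, then the key.
# In a real sample the key is located by reversing; the marker is a stand-in.
BOT_BODY = (b"MZ" + b"\x90" * 40 + b"RC4KEY" + bytes([len(STATIC_KEY)])
            + STATIC_KEY + b"\x00" * 16)


def extract_static_key(body: bytes, marker: bytes = b"RC4KEY") -> bytes:
    """Recover the key from the body using the constructed marker layout."""
    off = body.index(marker) + len(marker)
    length = body[off]
    return body[off + 1:off + 1 + length]


def bot_encrypt(plaintext: bytes) -> bytes:
    """What the bot puts on the wire."""
    return rc4(STATIC_KEY, plaintext)


def analyst_decrypt(wire: bytes, body: bytes) -> bytes:
    """What an analyst holding the unpacked body can do with a capture:
    a static key plus a symmetric cipher means no brute force is needed."""
    return rc4(extract_static_key(body), wire)


if __name__ == "__main__":
    wire = bot_encrypt(C2_MESSAGE)
    print(f"plaintext  entropy: {shannon_entropy(C2_MESSAGE):.2f} bits/byte")
    print(f"ciphertext entropy: {shannon_entropy(wire):.2f} bits/byte")
    print(analyst_decrypt(wire, BOT_BODY).decode())
```

The entropy comparison shows why the post says the encryption was aimed at traffic inspection rather than at researchers: the wire bytes carry no plaintext XML for a signature to match, yet anyone who has unpacked the bot can read every capture with the embedded key. The practical weakness here is the hard-coded key, not RC4's key length; a unique per-bot or per-session key would force the analyst to recover keys from each infected host instead of once from the binary.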