
Comments from Fujitsu - Dridex update

February 2016 by Bryan Campbell, Senior Security Researcher, Enterprise

Bryan Campbell, Senior Security Researcher, Enterprise & Cyber Security in UK & Ireland at Fujitsu, comments on the latest movements with the Dridex trojan.

"Dridex evolved out of the original botnet known as ZeuS. The takedown of one of the nodes of the Dridex botnet in 2015 was termed a takedown in a particular way, as the botnet has a number of 'bot_id' nodes associated with it. There are a number of active botnet nodes still in operation; the US/UK takedown resulted in the 'disruption' of one of these botnets. This botnet slowed to a more pedestrian pace for a while, but since November 2015 it has reached new levels in terms of volumes and development. A high-level view is that Dridex is a p2p botnet, which effectively means that, as a decentralised entity, it is extremely difficult to completely 'take down'.

"During the past two weeks, we've observed the most active development and experimentation of payload deliveries in terms of execution on the victim's computer once the macro is executed. This could be for any number of reasons, but it more likely suggests its development is potentially being handled by a new member of a new team who is committing more changes to the code. The delivery mechanism itself has not changed, and it still arrives on the back of incredibly large volumes of spam campaigns, which we observed to equate to roughly 200k in a single day.

"There is nothing in our analysis to suggest that Avira is behind this. It would not be in the interests of any antivirus vendor to align itself with a botnet operator's infrastructure in any way. There is an ongoing criminal investigation in the US, with law enforcement agencies in both the UK and US working to disrupt this threat. There is also nothing to suggest there is a white hat working to disrupt the operations behind Dridex, but there was a 'calling card' left on one of the compromised sites with an email address and contents relating to the opinions on the site, which read 'nothing but crime here'. There is a lot of content to be analysed in relation to this particular incident and it's still an ongoing process."
