Dridex the helpful botnet
Posted by Krux
on Thursday February 4, 2016 @ 10:26pm
[ rating +0 ]
And in other computer security news....
Part of the distribution channel of the Dridex banking Trojan botnet may have been hacked, with malicious links replaced by installers for Avira Antivirus.
Avira reckons the pwnage is down to the work of an unknown white hat hacker.
The Dridex botnet has remained a menace even after a high profile takedown operation in late 2015. Malicious code used to seed Dridex typically comes in the form of spam messages with malicious attachments, often a Word document embedded with malicious macros.
Once the file has been opened, the macros download the payload from a hijacked server, and the computer is infected. Dridex creates a key-logger on infected computers as well as using transparent redirects and webinjects to manipulate banking websites.
But the recent hack means part of the botnet has been requisitioned to quite different ends. "The content behind the malware download URL has been replaced, it's now providing an original, up-to-date Avira web installer instead of the usual Dridex loader," explained Moritz Kroll, a malware expert at Avira.
The end result is that instead of the Dridex malware that they would have received, victims get a valid, signed copy of Avira instead.
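The post describes the usual Dridex delivery vector: a Word attachment carrying macros that fetch the loader. As an added illustration (not part of the original post, and not code from Avira or anyone mentioned above), the following Python triages such attachments from a defender's side by inspecting the container format rather than running anything: an OOXML package (.docx/.docm) is a zip whose macro code lives in a `vbaProject.bin` part and whose content-types manifest declares a `macroEnabled` main part, while a legacy binary .doc is an OLE compound file that needs a dedicated parser. The sample documents are constructed in memory with placeholder bytes, so the script runs offline.

```python
import io
import zipfile

# Magic bytes of an OLE compound file (legacy binary .doc / .xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that Word assigns to the main part of a macro-enabled document.
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def classify_attachment(data: bytes) -> str:
    """Classify a Word attachment by whether it can carry VBA macros.

    Returns one of:
      'ooxml-macro'  - OOXML package with a VBA project or macro-enabled main part
      'ooxml-clean'  - OOXML package with no macro indicators
      'legacy-ole'   - binary OLE document; macros may be present, needs a deeper parser
      'unknown'      - not a recognised Word container
    """
    if data.startswith(OLE_MAGIC):
        # Legacy .doc: VBA lives in OLE streams; flag it for inspection with an OLE parser.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Strongest signal: the VBA project part itself, regardless of extension spoofing.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Secondary signal: the manifest declares a macro-enabled main document part.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if "macroEnabled" in manifest:
                    return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "unknown"


def build_sample(macro: bool) -> bytes:
    """Build a minimal OOXML container for testing (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_CT if macro else PLAIN_CT
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a VBA project; no real macro code is embedded.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("macro", build_sample(True)), ("clean", build_sample(False)),
                        ("legacy", OLE_MAGIC + b"\x00" * 8), ("text", b"not a document")]:
        print(f"{label}: {classify_attachment(blob)}")
```

A mail gateway or triage script would route `ooxml-macro` and `legacy-ole` results to sandboxing or quarantine; the zip-level check is cheap enough to run on every attachment before any heavier analysis.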