50 Shades of Dridex Botnet Grey
When it comes to our article about the Dridex botnet distributing Avira installers, we may have been wrong. We may have been very, very wrong. But, we may also have been right … So what color of hat is the hacker wearing?
Hat color is much more than a fashion statement in the IT community, it is a reference to behavioral and moral ethics. The hat connection is rooted in the tradition of early Western films where the bad guys wore black hats and the good guys had white ones.
The Dridex article stirred up a hot discussion over our use of the term “white hat” and whether or not we should have described the hackers as “white hats” or placed them in the more nuanced category of “grey hats”.
With this as a starting point, it is a great time to review the 50 shades of distinction between white, black, and grey hats:
White hat (or ethical hacker) – a white hat hacker is usually described as someone doing penetration testing to test an organization’s security – usually with the permission of the management.
Grey hat – A hacker falls into the nether-nether land between altruistic and malicious actions – and their activities are usually done without the direct permission of the organization. As the Electronic Frontier Foundation has warned potential grey or ethical hackers: “There are no easy answers for the ethical hacker who has wandered off the straight and narrow.”
Black hat – A black hat is an individual that illegally hacks for nefarious purposes – even if some of their activities appear positive. As Brian Krebs has documented in Spam Nation, cybergangs will hijack the networks of their rivals – and even turn them in to the police.
So, what color of hat is the Dridex hacker wearing?
In the comments of Justablogreader on the Avira blog, “I’m not at all advocating the intent of Dridex, here, but I’d argue that whoever hacked it and is dropping Avira is violating peoples’ computers and privacy and rights. That’s not a whitehat. Get it right, Avira. At best, it’s grey … At least get hat colours correct — this is very dark grey, not white; maybe even black.”
Deciding on the hat color is also greatly shaped by one’s perspective. Think of Edward Snowden. Would you consider him a white hat – purportedly defending the US Constitution against the interests of the NSA. Would he be a black hat – a clear traitor who has endangered the lives of others and degraded the country’s security? Or is he somewhere in the grey category?
Back to Dridex, at the moment, we do not know why the Avira installer was added to the botnet distribution network or who did it. We also don’t know their intent – white, grey, or black. And, I agree with Justablogreader, I’m curious why they chose Avira as opposed to another vendor. And, I am really, really curious about the hat color. Next time, I just might have to write about a “hacker wearing a hat of unknown color.”