Dridex botnet distributor now serves Avira

A distribution channel of the Dridex botnet may have been hacked. Instead of getting loaded with malware, people are getting clean copies of Avira antivirus and we have two theories as to why. Do you know what a “white hat” is?


Part of the distribution channel of the Dridex botnet may have been hacked, with malicious links replaced by installers for Avira Antivirus. As the Dridex operators are unlikely to be distributing an antivirus solution, the person making these changes might be a white hat hacker covering his tracks, say Avira researchers.

The Dridex botnet has roared back to life after its much talked-about takedown by the US authorities in late 2015. Dridex logs keystrokes on infected computers and uses transparent redirects and webinjects to manipulate banking websites. Spread by malware-loaded spam, it has caused losses in Europe and the US estimated in the tens of millions of Euro.

Dridex is spread by spam, usually containing a Word document with malicious macros. Once the file has been opened, the macros download the payload from a hijacked server, and the computer is infected.

But in this case, the server files have been modified. “The content behind the malware download URL has been replaced, it’s now providing an original, up-to-date Avira web installer instead of the usual Dridex loader,” stated Moritz Kroll, malware expert at Avira.

For the end computer user, instead of the Dridex malware that they would have received, they get a valid, signed copy of Avira.

The affair looks like it is straight off the pages of The Art of War where Sun Tzu wrote: “The whole secret lies in confusing the enemy, so that he cannot understand our real intent.”

“We still don’t know exactly who is doing this with our installer and why – but we have some theories,” said Kroll. “This is certainly not something we are doing ourselves.”

There are two basic theories for what is happening:

Theory 1. Cybercriminals are doing this to somehow upset Avira’s and other AV companies’ detection process. Kroll denied this was a possibility: “We don’t think that the malware guys would provide the Avira installer – they wouldn’t want to improve the protection level on their victims’ machines.”
Theory 2. A “white hat” hacker is at work – and wants to do this in private. “There is a possibility that a white hat has hacked into infected web servers using the same vulnerabilities the malware authors used in the first place and has replaced the bad stuff with the Avira installer,” explained Kroll. The hackers – if these are the persons making the changes – have an interest in remaining hidden. “While what they are doing is fundamentally helpful, it is also technically illegal in most countries, so they probably don’t want to be known or identifiable.”

The Avira installer has been swapped into the distribution of CryptoLocker and Tesla ransomware in the past. “With CryptoLocker, the malware was in many, but not all cases, expecting CnC communication, so the executable would not be accepted and Avira could not be executed. And at that time, we saw that many of the changes were at one specific provider,” said Kroll. With Tesla, the motive behind including the Avira installer is still not clear.

According to Avira research, a partial list of financial institutions targeted by Dridex includes Barclays, Berliner Bank, BNP Paribas, Commerzbank, Credit Agricole, Deutsche Bank, HSBC, La Banque Postale, Natwest, Raiffeisen, RBS, Santander, Societegenerale, Sparda, Sparkasse, Ulsterbank, and Wells Fargo.


About Lyle Frink

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.

6 thoughts on “Dridex botnet distributor now serves Avira”

  • Fong-Wan Chau
    February 8, 2016 at 8:53 pm

    Wow! Another victory for white-hat hackers.

    I have liked Avira since its first versions with the old GUI, because compared to Norton, Avira has a much smaller memory footprint. That is why I have always recommended Avira to all my friends.

    PS: Sorry for my English.

  • Blog Reader
    February 8, 2016 at 12:50 pm

    I’m not at all advocating the intent of Dridex, here, but I’d argue that whoever hacked it and is dropping Avira is violating people’s computers and privacy and rights. That’s not a whitehat. Get it right, Avira. At best, it’s grey.

    And if it’s some third party person doing it (as opposed to another criminal actor cleaning things up, or the original guys cleaning things up for something else), it wouldn’t be the first time. Several grey hats have gone after (especially irc) botnets for years and hacked various things like exploit kits, botnets, and serving tools.

    This sort of behaviour shouldn’t be applauded. It’s illegal to access other people’s computers, period, and doubly illegal to push software that can brick or break the owner’s machines (AVs can act like rootkits — another consideration — if it’s not a wanna-be ‘Robin Hood’, what are the odds that your AV has an exploitable vulnerability?).

    Whatever the case, IMHO, whoever did this was/is committing what amounts to thousands of crimes. There was a big stink over government and working groups doing something like this a few years back – remotely accessing other people’s machines and cleaning them up. It’s not right, it’s not ethical, and while obviously the original intent of the botnet isn’t legal (or the botnet itself), doing things like this violates too many central tenets. Whoever is doing this may think they’re being the ‘good guy’ but they’re just violating people, too. Could argue intents, of course, but this Wild West stuff I’ve been seeing so much of lately has to stop being encouraged. At least get hat colours correct — this is very dark grey, not white; maybe even black (and black doesn’t always or even most of the time mean ‘for money’ — people get that wrong all the time too).

    Your wanna-be Robin Hood, by the way, is sure giving you a lot of free publicity and advertising; I find that interesting. I’d be curious why they chose your AV as opposed to another vendor (not that it’s not a decent product; of the free versions of AV, I’d consider it one of few useful ones).

    I don’t mean to be rude. I just find whoever is doing this to be committing criminal acts too. I wouldn’t want them in my system — I don’t care WHAT their intentions are. There are other things people can do if they find bugs in malware that don’t involve privacy-invading felonies (even if they’re pushing AV). That doesn’t necessarily mean law enforcement (in fact, it probably doesn’t). It certainly doesn’t mean open full disclosure of how to exploit a channel (I’m tired of people pushing that as a viable response; it’s the opposite of helpful). This isn’t the 90s. People have decent options for backchannel communication with known quantities to get things really fixed, if that’s the goal.

    No offense to the ‘Robin Hood’ in question — if that’s what you are, or believe you are. But if you’re reading this, I’m curious — did you not get a frisson of excitement, doing what you did? How much of this was ego and desire for excitement cloaked in ‘doing a good deed’?

    • Lyle Frink
      February 9, 2016 at 3:41 pm

      Good comments. You have a response on the difference coming in my next blog post.

    • Franck Tedesco
      February 14, 2016 at 2:50 am

      I don’t care what color name you want to throw out. Hell, call it a “rainbow” for all I care. But I think the idiots opening those unsolicited Word documents can only be better off with Avira installed. “What if your AV has a vulnerability?” — Wow, you’re really reaching there.

      I do wonder about the potential PR implications this could have for Avira, though.

  • psoame
    February 6, 2016 at 4:54 pm

    Good job.
