The Dridex banking Trojan has made a comeback, according to research, and experts said this was inevitable, despite the arrest made by the U.S. Department of Justice (DOJ) in connection with the malware.
Brad Duncan, security researcher at Rackspace, wrote in an Internet Storm Center blog post that Dridex malware had disappeared during September following arrests made by the DOJ in August, but a new wave of the malicious spam was seen starting Oct. 1. The new instances of Dridex were spotted almost two weeks before the DOJ officially announced the arrest of the Dridex botnet administrator, Andrey Ghinkul -- aka Smilex -- and the disabling of the malware.
Duncan said the botnet and Dridex malware were effectively disabled for about one month, but malicious Office documents carrying the banking Trojan are being reported again, with new reports appearing almost every day.
Dr. Chase Cunningham, head of threat research and development for Dallas-based Armor Defense Inc., said he was surprised the renewal of Dridex wasn't faster, given the resources available to adversaries.
"Without some real work put towards punishment and extradition in cyberspace, the arrests will only get the lower-level guys, who aren't really that critical anyway," Cunningham said. "Just like the mob arrests in the 70s, we are arresting the soldiers, not the godfathers."
Ryan Olson, intelligence director at Palo Alto Networks, based in Santa Clara, Calif., said he expected the arrest in this case to have slowed down efforts to re-establish the Dridex botnet.
"The individual who was arrested definitely appears to have played a key role. Learning that a member of your criminal organization has been arrested and that many of your systems had been seized by law enforcement would force anyone to question the security of their operation, and likely fear their own arrest," Olson said. "They would want to be careful when redeploying command-and-control servers and other infrastructure in a way that wouldn't be accessible to the compromised member of the team or accessible from any of the seized servers."
Olson went on to say that attacks like these will continue unless law enforcement can shut down entire infrastructures, which will be very difficult because that is "akin to taking down real-life organized crime." But Olson said the arrests have still been effective.
"We don't expect arrests in the physical world to end criminal activity, so I wouldn't expect the same in the cyberworld; however, arrests certainly serve as a deterrent," Olson said. "Before the security community and law enforcement began taking up these actions, many criminals felt they were completely invulnerable, but these arrests continue to prove that is not true."
However, Olson stressed that enterprises can help disrupt cybercriminals by establishing better security, including keeping patches up to date and using advanced antimalware protection.
"The key to diminishing criminal activity is making it harder and more expensive for bad actors to accomplish their goals. The better protections we can deploy for users, the harder the criminal's job is," Olson said. "The more arrests law enforcement is able to make, the more risky it is for them to continue their operations. Both of these activities increase the attackers' cost of doing business, which lowers their incentive to continue their operations."