Botnet Security IT

Despite Takedown, the Dridex Botnet Is Running Again (sans.edu)

itwbennett writes: Brad Duncan, a security researcher with Rackspace, on Friday wrote on the Internet Storm Center blog that 'the Dridex botnet administrator was arrested on 2015-08-28, and Palo Alto Networks reported Dridex was back by 2015-10-01. That represents an outage of approximately one month.' The lesson here, writes Jeremy Kirk in an article on CSOonline, is that 'while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.'
  • You cannot succeed (Score:4, Interesting)

    by Opportunist ( 166417 ) on Monday October 26, 2015 @10:43AM (#50802747)

    At least not until you take care of the root of the problem: The bots. People who run unpatched, unsecured boxes on fat pipes with no regard for the safety of others. Hell, not even of themselves.

    Get people liable for the shit their boxes do and you'll see this problem cease within months.

    • by Anonymous Coward on Monday October 26, 2015 @10:49AM (#50802787)

      So if your grandma gets hacked we should sue her and throw her in jail?

      How about we hold Microsoft accountable for the shitty fucking security in their operating system?

      That's the real problem here.

      • Comment removed based on user account deletion
      • There is nothing MS can do to stop people from handing root access to malware for the promise of dancing pigs [wikipedia.org]. The ONLY way to do this is to do the Apple thing: Jail the system and only allow software to run on it that has been approved by the maker of the OS. Is that what you want? MS dictating what you can and what you cannot run on your computer?

        With the ability to run arbitrary software on your machine comes the responsibility to make sure it does not harm anyone. If you can't be assed to do that, get a ja

      • So if your grandma gets hacked we should sue her and throw her in jail?

        If your grandma swerved across three lanes and caused a traffic accident because she never went in for the manufacturer recall to fix the malfunctioning rear view mirror she'd certainly at least get a talking to. If you knew about the problem with the mirror you'd probably talk with her about how important it is to get it fixed before she causes a problem too.

        How about we hold Microsoft accountable for the shitty fucking security in the

    • by Gr8Apes ( 679165 )
      I'd have to agree with the AC here - MS should be held accountable for this issue, otherwise you are really arguing people should be held liable for running MS OSes. After all, MS is the (major) problem. Of course, if it wasn't MS, it'd be something else, but MS has the biggest footprint and also happens to be the easiest target to compromise - perfect for botnets.
      • Comment removed (Score:5, Insightful)

        by account_deleted ( 4530225 ) on Monday October 26, 2015 @11:14AM (#50802973)
        Comment removed based on user account deletion
        • Honestly, then blame the people who make the routers, or what these other pieces. But suing some little old granny for having an insecure OS/router/thermostat makes no sense.

          Start making vendors of this stuff bear some responsibility when it's sold insecure, left wide open, and then exploited. Holding consumers liable for badly written products is plain silly.

          You can't expect every grandma with a computer to be a security expert.

          Nobody said "blame Microsoft for every security hole in the world". But if you sel

        • by Gr8Apes ( 679165 )

          That's bullshit.

          Absolutely true, regarding your statement.

          The router botnets are primarily due to morons configuring the devices to have default public admin ports open. Who does that on an internet facing device? Why, apparently Asus, Linksys, D-Link, Micronet, Tenda, and TP-Link [arstechnica.com]. Note that they tracked only 40,269 IP addresses belonging to 1,600 ISPs over 4 months. As compared to 100,000+ in Windows botnets [technet.com]. (While Simda.AT is not a botnet per se, it can become one easily due to what it does, it was just the first win

      • You might well end up with only "certified", "licensed" (and "taxed") software distributions that you must "subscribe" to, and accept all automatic updates.

        Running unauthorized software will be illegal.

        Problem solved.
      • by tnk1 ( 899206 )

        By all means, hold MS accountable and then watch what happens to everyone else.

        You will be holding open source and free software creators responsible as well, because the law won't be confined to MS. So yes, by all means, hold MS responsible under law, and watch as MS pays a few billion dollars in fines (maybe), and the FOSS software market undergoes critical existence failure.

        Yes, botnets are a problem, but they aren't the end of the world. Let's not burn the house down to drive out the mice.

        • by Gr8Apes ( 679165 )
          Ah, but there's a fly in your ointment - FOSS doesn't sell you the software, so there's no implied contract and no basis to sue FOSS projects as compared to MS. This could actually help FOSS, because companies that use FOSS in their software would be covered by the law and thus would be encouraged to contribute back, in a world closer to perfect than the current one anyways.
    • by khasim ( 1285 )

      A different outlook:
      http://swiftonsecurity.tumblr.com/post/98675308034/a-story-about-jessica [tumblr.com]

      The COMPANIES with the most influence over the security of your systems usually have the LEAST incentive.

    • Don't go after the tools being used, go after those who use the tools.
    • by Dutch Gun ( 899105 ) on Monday October 26, 2015 @11:17AM (#50803003)

      I'm not sure I buy that argument, especially when dealing with consumer hardware. As one example, how would a typical consumer possibly know that their router has been compromised? How would they even know it's "unpatched" in the first place? And what happens if you're completely patched up and you still get a bot on your system? While zero-day exploits are less common, they do happen on a pretty regular basis.

      Nowadays, no consumer device should access or especially be accessed by the internet unless it's set up by default to auto-patch itself. This needs to be the new normal for hardware, because the reality is that security issues WILL be found, and that a typical consumer will NEVER patch things themselves. I used to have to update my Synology NAS box myself, checking when updates were available. After a well-publicized attack on their boxes, Synology wisely decided to allow their boxes to auto-patch themselves. We're starting to see this with some routers, and a lot of our critical software (OS, browsers) are now auto-patching as well. And we damn well need to make sure people making IoT devices get this right the first time.

      At this point, it's not just a matter of protection for the consumer that purchased the hardware. It's protection for the rest of the internet as well. We can't afford to leave old crap connected to the internet in perpetuity. As sad as that is, it's just proven to be too dangerous for the ecosystem as a whole.

      As for commercial-grade stuff... well, that's probably another discussion.

      • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday October 26, 2015 @11:25AM (#50803037)

        The problem will be when the company selling those routers stops supporting them.

        Built correctly, those things should last for years and years. Longer than the companies want to spend money supporting them. They'd rather you purchased the newest model.

        But the security holes don't fix themselves.

        And even if you lock them down so that they cannot be "managed" from the Internet side, they're still vulnerable. It's just that the attack has to come from inside the network. Maybe via an ad banner or Java or whatever on a PC/laptop connecting through that router.

        • Naturally it's not a perfect solution, but let's please not let perfect be the enemy of good. We all know a patched system is far less likely to be compromised. And let's be honest here... hardware-manufacturing companies don't go out of business all that often, and when they do, they're often acquired by another company for their IP and assets. This should also include their liabilities, which is to provide continued support for sold devices.

          Sure, at some point, a device will be at the end of its servi

          • by khasim ( 1285 )

            This should also include their liabilities, which is to provide continued support for sold devices.

            It should, but it does not.

            Look at how Cisco treated LinkSys before they sold it to Belkin.

            We're still a lot safer with the device getting patched for as long as possible.

            No one is arguing otherwise.

            The issue is that the hardware WILL outlast the support. So the situation will not change. Systems that are vulnerable today will still be vulnerable. New systems that auto-update will eventually be unsupported. An

            • by KGIII ( 973947 )

              Maybe they can just use the same OS on all of them and a patch could be universal and work just fine with older releases?

      • by wbr1 ( 2538558 )
        The flip side of that is companies do not want the expense or hassle of dealing with cases where the auto patch breaks functionality. This happens all the time, and the more multi- or general-purpose the device, the less likely that the vendor can test against all cases before releasing a critical patch.
      • by Agripa ( 139780 )

        In the same way that online ad vendors have demonstrated why ad blocking is desirable, Microsoft (and others including Sony) has managed to demonstrate why automatic patching is not. The manufacturers will start using it as a vehicle for push marketing.

    • by Z00L00K ( 682162 )

      And now with the spyware forced upon us from Microsoft, how can we trust that a patch fixes a problem or gives us a new one?

  • by QuietLagoon ( 813062 ) on Monday October 26, 2015 @10:54AM (#50802821)
    So long as law enforcement continues to play the botnet's game of whack-a-mole, the problem will not be solved, or even diminished.

    Law enforcement needs to follow the money....

    • by swb ( 14022 )

      Which makes you wonder why they're not. I would think following the money coupled with aggressive sanctions to providers (ISPs, hosting companies, banks, credit processors, etc) and heavy publicity against them would get them someplace.

      My guess is the intelligence agencies are worried about getting caught up in such an investigation or at least having methods and "back doors" closed down.

    • Comment removed based on user account deletion
  • find who is running them, and cut their fingers off.
  • by burtosis ( 1124179 ) on Monday October 26, 2015 @11:32AM (#50803097)

    in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.'

    Except for the sometimes - yes.

  • The real question is whether the Dridex botnet will work with the Internet Of Things?

    Because if it can't infect my toaster and refrigerator then it won't get my respect.

  • Until security levels have been improved enough that such attacks become very rare, the law is completely unsuitable as a tool here. The law can catch the odd outlier who thinks the rules of society do not apply to him/her, but that is it. The current situation is like everybody leaving their car keys in the ignition all the time and then demanding harsher laws to stop the frequent car thefts. That can obviously not work.
