Just in time for Halloween, here’s a scary story for you: federal officials launched an investigation into a global cybercrime spree that resulted in the arrests of  botnet admins in Cyprus back in August. The botnet, dubbed the Dridex/Bugat botnet, was part of a global financial takeover that is believed to have infected tens of thousands of networks in 27 countries during its run, resulting in a total of more than $40 million in losses in the US and UK alone.

SONY DSC

“But the nightmare is over, right?” Not exactly.

Like any great edge-of-your-seat horror film, the authorities claim to have nabbed the criminals and contained the threat, probably with more than a few high fives around the office. The IT character, though, is still trying to convince the hotshots that Dridex/Bugat isn’t dead; even with its admins sitting in jail and awaiting extradition to the US, the botnet is still operating and still showing up in tests. Even scarier, it went down in August after the arrests but suddenly started showing up again in October.

According to a post on the issue, “Avira researchers report that the botnet still appears to be partially operational. ‘I tested our Botchecker with a sample from yesterday, and I found a first stage node was still responding and delivering the main Dridex component and a list of second stage nodes,’ reported Moritz Kroll, malware researcher at Avira…’I knew about the arrest in August. The botnet then went down but suddenly in October it came up again. It will be interesting to see if this is really down again or not.’”

Kroll stated to The Register that malicious Word documents are still moving around the internet as spam in order to infect new systems with Dridex. New versions of the botnet were also found on October 16th and 20th.

“We’re also seeing that the malware authors regularly release new versions of Dridex…so as the botnet is answering with new versions of the malware, we’re probably not talking to sinkholed nodes.”

Cue the ominous music and the fog machine. Fortunately, Avira’s researchers are moving ahead with steps to kill the monster… I mean, the botnet.

“Dridex used a lot of cryptors and packers to hide itself,” explained Kroll. “We reverse engineered it and were able to identify the entry points into the botnet. And, by writing a botchecker for Dridex, we have been able to use this botnet as an automatic source of new C&C IPs and malware components.”