Dridex today reached full SSL capabilities for its communication with the 'Supernodes': several samples analysed today showed pure SSL connectivity to peer nodes in the botnet. This is a development I had feared, given the active checking of modern sandbox analysis; it gives Dridex the ability to hide inside SSL traffic, and the threat this poses is threefold:
- SSL traffic is a legal and political minefield, and SSL interception even more so.
- Companies at risk from the spam campaigns are obliged to identify and mitigate this traffic, which underlines the risk it poses, yet research cannot be done without intercepting SSL traffic.
- Smaller companies that do not possess the financial, legal or technical ability to intercept SSL traffic will not be able to cope with an already advanced threat.
Dridex campaigns are also spreading further into the EU, with CERT FR today posting an alert on the campaigns actively targeting France.
Dridex Botnets 220, 125 & 120 are now the number one risk to businesses that use email as a means of communication; the success rates, together with the high turnover of IP infrastructure associated with Dridex, make it clear that it is a successful tool for criminals.
Whilst everything is being done to monitor backdoors, these threats are coming in through the front door.