Thursday, January 28, 2016

How to get from the virus to the hacker

Since the Zeus Trojan made its appearance in 2006 and cybercrime evolved towards the 'malware as a service' model found today, there has been a growing trend in the number of viruses infecting users worldwide. In particular, France, the UK and Spain have for four years been among the favourite targets of cybercrime in Europe.

Mainly, it is banking Trojans that constitute the greatest threat to users. Among them is Dridex, which made its appearance on the cyber scene in recent months.

Dridex is an evolution of the Cridex malware, which in turn is based on the Zeus Trojan. It first appeared in late 2014 through a spam campaign that generated more than 15,000 emails every day. The volume of fraud has been extremely high, with more than 344,721 infected computers in 195 countries. France and Britain have been the most affected, with 50% of the total.
Its behaviour is deceptively simple: it captures the user's credentials when they attempt to log in to their online banking session, and then tries to steal from the account. According to the FBI, at least $10 million in losses can be attributed to this virus from attacks in the US alone, and a Spanish company has now been commissioned to unmask those responsible.

"What we did was create a specific signature in our analysis platform, in order to create rules that would allow us to identify the 'malware' that was running. From that moment we realised that the number of samples was increasing," adds Parodi.
How to get from the virus to the 'hacker'
Most 'malware' is sold for use by anyone for a small fee. Not Dridex. In this case, the malicious code was used only by the gang of cybercriminals who exploited it, which for S21sec was a plus.
(Picture: Reuters)
"Investigating a threat in the form of thousands of 'bots' is not the same as investigating one managed by only a few users. When we noticed this peculiarity, we tracked all the Dridex samples we had detected, in order to discover where it was connecting from. From that we generated a map of the entire structure to see which countries were involved and get an idea of its exact dimensions."
What they found was a mafia running hundreds of different servers to steal data from thousands of users. Whenever an infected internet user entered a password on their computer, the malware sent it to each of those servers, of which there were more than 800.

"At that time we realised that on our own we would not be able to neutralise it," acknowledges David Avila Parodi. Europol, the FBI and the Civil Guard took charge, with the help of this Spanish company, and in a joint operation recently succeeded in arresting in Cyprus the leader of this cybercriminal gang, of Moldovan nationality, who has already been formally charged with criminal conspiracy.
Although they could not give details of the operation, sources in the Civil Guard have explained to 'Teknautas' that "80% of investigations into this kind of telematic crime are carried out by tracking users' IPs. The procedure followed with a 'phishing' email is to track the IP. If it takes you to a foreign country, what you have to do is ask the owner of the node it was sent from for the server list of that country. It's like a puzzle. You start in China and finish in Russia. Each time it enters and leaves a country the IP changes, so you have to keep requesting the entries and exits via letters rogatory to the various judicial bodies."
Once the original point of departure of the virus has been located, all that remains is to wait for it to happen again. "It can be a house or a cafe. The problem comes when there are countries that do not cooperate. In most African states such telematic crimes are not investigated, something many cybercriminals are taking advantage of," they conclude.
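The first technical step the Civil Guard describes, "tracking the IP" of a phishing email, starts with the message's own Received headers: each mail server that handles a message prepends a Received line naming the host it accepted the message from, so reading those lines from the bottom up reconstructs the path the message took and the earliest routable address is the best first lead. The following Python is an added example, not code from the article or from S21sec, the Civil Guard or any tool they mention. The email, hostnames and addresses are constructed for the example (the RFC 5737 documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses), and the script deliberately skips RFC 1918 and loopback addresses, since a sender's LAN address in a header says nothing about where the message entered the internet. One caveat the article's sources leave implicit: only the Received line written by your own mail server is trustworthy; every older line was written by someone else's server and can be forged by the sender, so the earliest hop is a lead to be confirmed with the operator of that address, not proof.

```python
"""Reconstruct the hop chain of an email from its Received headers.

Added example: the message below is constructed, not a real phishing email,
and the hosts/IPs are documentation addresses used as stand-ins.
"""
import email
import ipaddress
import re

# Constructed sample message. Mail servers prepend Received headers, so the
# first one (mail.victim.test) is the newest hop and the last is the oldest.
SAMPLE_EMAIL = """\
Received: from mx.example-bank.test (mx.example-bank.test [203.0.113.10])
\tby mail.victim.test (Postfix) with ESMTPS id 4F2C1A0B
\tfor <user@victim.test>; Thu, 28 Jan 2016 09:12:03 +0100 (CET)
Received: from relay.example-bank.test (unknown [198.51.100.7])
\tby mx.example-bank.test (Postfix) with ESMTP id 2A1B3C
\tfor <user@victim.test>; Thu, 28 Jan 2016 09:11:58 +0100 (CET)
Received: from [192.168.1.23] (unknown [192.0.2.44])
\tby relay.example-bank.test with ESMTPA id 7D8E9F
\tfor <user@victim.test>; Thu, 28 Jan 2016 09:11:40 +0100 (CET)
From: "Your Bank" <alerts@example-bank.test>
To: user@victim.test
Subject: Invoice attached
Message-ID: <abc123@example-bank.test>

Please open the attached invoice.
"""

# Dotted-quad IPv4 literal; word boundaries keep timestamps and queue ids out.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Ranges that never identify an internet-facing sender: RFC 1918 LANs,
# loopback, link-local, carrier NAT and "this network". The RFC 5737
# documentation ranges are intentionally NOT listed so the sample parses as
# if its addresses were public.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
)]


def is_routable(ip_str):
    """True if the address could identify a host on the public internet."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def received_hops(raw_message):
    """Return Received headers oldest-first as (ips, normalized_text) pairs."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Reverse the header order so index 0 is the hop closest to the sender.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        ips = [ip for ip in IPV4_RE.findall(text) if is_routable(ip)]
        hops.append((ips, text))
    return hops


def trace_origin(raw_message):
    """Walk the chain and report the earliest routable IP plus the full path.

    'origin' is the lead to hand to the operator of that address; 'last_hop'
    is the address our own server saw connect, the only hop we can vouch for.
    """
    path = []
    for ips, _text in received_hops(raw_message):
        for ip in ips:
            if not path or path[-1] != ip:  # drop repeats across adjacent hops
                path.append(ip)
    return {
        "origin": path[0] if path else None,
        "path": path,
        "last_hop": path[-1] if path else None,
    }


if __name__ == "__main__":
    result = trace_origin(SAMPLE_EMAIL)
    for i, (ips, text) in enumerate(received_hops(SAMPLE_EMAIL)):
        print(f"hop {i}: {ips}  <- {text[:60]}...")
    print("candidate origin:", result["origin"])
    print("verified last hop:", result["last_hop"])
```

Mapping each address in `path` to a network operator and country (the WHOIS step that triggers the letters rogatory the sources describe) is a separate lookup against the regional registries, which this offline example does not perform.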