CERT mailing list archives

Previous By Date Next
Previous By Thread Next

TA15-286A: Dridex P2P Malware

From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 13 Oct 2015 09:14:52 -0500
NCCIC / US-CERT

National Cyber Awareness System:

TA15-286A: Dridex P2P Malware [ https://www.us-cert.gov/ncas/alerts/TA15-286A ] 10/13/2015 07:23 AM EDT 
Original release date: October 13, 2015

Systems Affected

Microsoft Windows

Overview
  Dridex, a peer-to-peer (P2P) bank credential-stealing malware, uses a decentralized network infrastructure of 
compromised personal computers and web servers to execute command-and-control (C2). The United States Department of 
Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice 
(DOJ), is releasing this Technical Alert to provide further information about the Dridex botnet.   
Description

Dridex is a multifunctional malware package that leverages obfuscated macros in Microsoft Office and extensible markup 
language (XML) files to infect systems. The primary goal of Dridex is to infect computers, steal credentials, and 
obtain money from victims’ bank accounts. Operating primarily as a banking Trojan, Dridex is generally distributed 
through phishing email messages. The emails appear legitimate and are carefully crafted to entice the victim to click 
on a hyperlink or to open a malicious attached file. Once a computer has been infected, Dridex is capable of stealing 
user credentials through the use of surreptitious keystroke logging and web injects.

Impact
  A system infected with Dridex may be employed to send spam, participate in distributed denial-of-service (DDoS) 
attacks, and harvest users' credentials for online services, including banking services.   
Solution

Users are recommended to take the following actions to remediate Dridex infections:


  * "Use and maintain anti-virus software" - Anti-virus software recognizes and protects your computer against most 
known viruses. Even though Dridex is designed to evade detection, security companies are continuously updating their 
software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date (see 
Understanding Anti-Virus Software [ http://www.us-cert.gov/ncas/tips/ST04-005 ] for more information). 
  * "Change your passwords" - Your original passwords may have been compromised during the infection, so you should 
change them (see Choosing and Protecting Passwords [ http://www.us-cert.gov/ncas/tips/ST04-002 ] for more information). 
  * "Keep your operating system and application software up-to-date" - Install software patches so that attackers can't 
take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. You should enable 
automatic updates if this option is available (see Understanding Patches [ http://www.us-cert.gov/ncas/tips/ST04-006 ] 
for more information). 
  * "Use anti-malware tools" - Using a legitimate program that identifies and removes malware can help eliminate an 
infection. Users can consider employing a remediation tool (examples below) to help remove Dridex from your system. 

*       F-Secure*

       https://www.f-secure.com/en/web/home_global/online-scanner

       *McAfee*

       http://www.mcafee.com/uk/downloads/free-tools/stinger.aspx

       *Microsoft*

       http://www.microsoft.com/security/scanner/en-us/default.aspx

       *Sophos*

       https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

       *Trend Micro*

       http://housecall.trendmicro.com/

The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support 
any particular product or vendor.

References

  * N/A 

Revision History

  * Initial Publication - October 13, 2015 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]
Previous By Date Next
Previous By Thread Next

Current thread: