BreachExchange mailing list archives

What is Dridex, and how can I stay safe?


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 14 Oct 2015 17:54:37 -0500

http://www.theguardian.com/technology/2015/oct/14/what-is-dridex-how-can-i-stay-safe

The malware’s authors have stolen £20m from UK bank accounts over the past
year, but after arrests, the flow should stop

What is Dridex?

Dridex is the name of a strain of malware designed to eavesdrop on victims’
computers in order to steal personal information such as usernames and
passwords, with the ultimate aim of breaking into bank accounts and
siphoning off cash.

First spotted by security researchers in November 2014
<http://www.symantec.com/connect/blogs/dridex-and-how-overcome-it>, it has
hit the headlines following an international crackdown on its authors
<http://www.theguardian.com/technology/2015/oct/13/nca-in-safety-warning-after-millions-stolen-from-uk-bank-accounts>,
who allegedly called themselves the “Evil Corp”, led by Britain’s National
Crime Agency and America’s Federal Bureau of Investigation. One arrest has
been made, of Andrey Ghinkul, a 30-year-old Moldovan living in Cyprus, who
allegedly ran the network that allowed Dridex to securely communicate with
its masters.

How does it spread?

The virus is spread through infected emails sent by its developers to
targets. The emails, some of which are similar to the screenshot below from
researchers at Symantec, typically contain an infected Microsoft Office
file, and attempt to trick the user into opening the attachment.
[Image: An example of a Dridex vector. Photograph: Symantec]

Unlike some other malware, known as “worms”, Dridex does not spread on its
own. Instead, the victim must be specifically targeted for the initial
infection email by the virus’s authors. However, a report from Fujitsu in
September
<http://www.telegraph.co.uk/technology/internet-security/11860960/Millions-of-UK-emails-on-global-virus-plotters-hitlist.html>
revealed that the authors were using a database of 385 million email
addresses to send out the initial attacks, suggesting that the targets were
widespread.

How does it infect computers?

The infected Microsoft Office file – typically either a Word (.doc) or
Excel (.xls) document – triggers a “macro”, a small embedded program, when
opened. That macro downloads the main payload of the virus, the trojan
program itself, which installs and runs on the user’s computer.

Unlike some other viruses, Dridex doesn’t use any particular security
vulnerability to infect computers, instead relying on legitimate vectors
through which programs can be installed and run. As a result, the user has
to actively initiate the infection: if the infected attachment isn’t
opened, if macros are turned off, or if the notification from the macro
requesting permission to run is declined, then Dridex cannot infect the
computer. In newer versions of Office, macros are disabled by default, and
only run if the user actively clicks past a security notification.

Similarly, only users of Windows computers are affected: Dridex cannot
install itself on other PC operating systems such as Mac OS X or Chrome OS,
nor can it load on mobile devices.

How is it used to steal money?

Once installed, Dridex has a significant amount of control over the user’s
computer. It can upload, download and run programs, as well as snoop on
internet browsing by directly looking at network traffic and by taking
screenshots of the browser window. The malware also adds the computer to
the wider Dridex “botnet”, which allows its controllers to communicate with
the infected computer through others, protecting them from law enforcement.

Then, it sits on the infected computer, waiting to steal logins to
high-value services. As well as banking details, the main target of the
attack, it also keeps an eye out for other login credentials such as social
media. The National Crime Agency says that “up to” £20m was lost to the
hackers, and the FBI says that a first $10m was lost domestically.

Who is it targeting?

The Dridex hackers seemed to particularly focus on small- and medium-sized
organisations, rather than individuals. According to the US indictment,
Ghinkul (and his co-conspirators, who remain unnamed) tried to steal
almost $1m from a school district in Pennsylvania, and successfully
transferred over $3.5m from Penneco Oil over the course of three
separate attacks.

According to Fujitsu’s Michael Keegan, “when you look at the data, you
probably can’t name a company that wasn’t [targeted].” Many companies’
email systems would detect the malware before it was even seen by an end
user, but some did not. Keegan added that “The Dridex emails were being
crafted to target finance departments.”

Am I at risk?

Probably not. Not only did “Evil Corp” focus on companies rather than
individuals, but the botnet which controlled much of the Dridex network has
been seized by the US authorities following the arrest of Ghinkul.

The botnet was disrupted by a team from Dell, which received permission to
hack the hackers earlier this year. On 28 August, when Ghinkul was
arrested, the spread of the malware stopped immediately. Dell began its own
operation last week, and managed to “wrestle away the network of infected
computers”
<http://money.cnn.com/2015/10/13/technology/dridex-botnet/index.html?sr=twmoney101415dridex-botnet1211AMStoryLink&linkId=17924757>
from the control of the hackers, preventing them from harvesting any
further data.

However, the software itself still exists, and researchers at Proofpoint
warn that it could be used by other criminal groups with their own botnets,
even if Evil Corp itself is disrupted.

What can I do to stay safe?

The guidance for protecting against a Dridex infection is the same as most
other malware attacks. Windows users should ensure they have an up-to-date
antivirus program running on their computer, which should be able to
intercept the infected attachments before they are seen.

Users should also be careful of opening attachments sent from unrecognised
email addresses, particularly (in this instance) Word and Excel files; and
they should disable macros in Microsoft Office, or at least set them to
request permission before they run.
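The two mitigations the article keeps returning to (macros disabled, or at least set to ask before running) correspond to a single Office Trust Center setting that an administrator can audit and enforce. The following PowerShell script is an added example, not part of the Guardian article or the mailing list post. It reads the per-user VBAWarnings value for Word and Excel across the Office generations it assumes are of interest (14.0, 15.0 and 16.0, i.e. Office 2010, 2013 and 2016), reports what each value means, flags any installation where macros are fully enabled, and offers a function to move the setting to "disable all except digitally signed macros". The version list and the decision to treat a Group Policy value as authoritative over the user's own choice are assumptions made for the example.

```powershell
# Added example (not from the article). Audits and optionally hardens the
# Office macro setting that the article recommends: disable macros, or at
# least make Office ask before running them.

# Assumption: the Office generations present on the machine to inspect.
$OfficeVersions = '14.0', '15.0', '16.0'
# The article's infection vectors are Word (.doc) and Excel (.xls) files.
$Apps = 'Word', 'Excel'

# Meaning of the VBAWarnings DWORD as shown in File > Options > Trust Center.
$VbaWarningMeaning = @{
    1 = 'Enable all macros (unsafe; a Dridex-style document runs on open)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$Version, [string]$App)

    $userBase   = "HKCU:\Software\Microsoft\Office\$Version\$App"
    # Skip generations that this user has never run; no key means no install.
    if (-not (Test-Path $userBase)) { return $null }

    # Assumption for the example: a policy-delivered value is the one that
    # actually governs Office, so check it before the user's own setting.
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $userPath   = "$userBase\Security"

    foreach ($path in $policyPath, $userPath) {
        $item = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $level = [int]$item.VBAWarnings
            return [pscustomobject]@{
                Version     = $Version
                App         = $App
                Source      = if ($path -eq $policyPath) { 'Policy' } else { 'User' }
                VBAWarnings = $level
                Meaning     = $VbaWarningMeaning[$level]
            }
        }
    }

    # No explicit value: Office applies its built-in default, level 2.
    return [pscustomobject]@{
        Version     = $Version
        App         = $App
        Source      = 'Default'
        VBAWarnings = 2
        Meaning     = $VbaWarningMeaning[2]
    }
}

function Set-MacroSetting {
    # Writes the per-user Trust Center value. Level 3 keeps signed macros
    # working for business workflows while blocking unsigned ones outright.
    param(
        [string]$Version,
        [string]$App,
        [ValidateSet(2, 3, 4)][int]$Level = 3
    )
    $securityPath = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    if (-not (Test-Path $securityPath)) {
        New-Item -Path $securityPath -Force | Out-Null
    }
    Set-ItemProperty -Path $securityPath -Name VBAWarnings -Value $Level -Type DWord
}

# Audit every installed Word/Excel generation for the current user.
$results = foreach ($v in $OfficeVersions) {
    foreach ($a in $Apps) {
        Get-MacroSetting -Version $v -App $a
    }
}
$results | Format-Table Version, App, Source, VBAWarnings, Meaning -AutoSize

# Level 1 is the only state in which an attachment's macro runs silently on
# open, which is the infection path the article describes.
$results | Where-Object { $_.VBAWarnings -eq 1 } | ForEach-Object {
    Write-Warning "$($_.App) $($_.Version): macros fully enabled ($($_.Source) setting)"
}

# Uncomment to enforce 'disable all except digitally signed' for this user.
# $results | ForEach-Object { Set-MacroSetting -Version $_.Version -App $_.App -Level 3 }
```

Run it in a normal (non-elevated) PowerShell session, since the keys live under HKCU. Where the `Source` column reads `Policy`, changing the `User` value has no effect; the setting must be changed in Group Policy instead.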
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/