Major Dridex Banking Malware Outbreak

Beginning Friday and continuing through the weekend, OxCERT’s network security monitoring has picked up an extreme number of PCs infected with the ‘Dridex’ family of banking malware.

This malware is a specialised form of computer virus, tailored specifically to Windows-based PCs and designed to quietly harvest user credentials and financial information.

Commonly employed signature-based anti-virus packages are completely ineffective against this tier of threat: Dridex is strongly resistant to antivirus detection once it is resident on a machine and cannot be reliably removed even if discovered. Thanks to intensive in-house work on our monitoring capabilities, OxCERT are able to detect some of the encrypted traffic signatures that the malware produces, but sadly we are unable to proactively prevent the infection of a machine.

We’re gonna need a bigger boat

Infection

This particular outbreak has been traced to malicious .XLS (Microsoft Excel) spreadsheet files, distributed to many University departments by email. The emails suggested that a bill was to be paid or an invoice satisfied, a common enough subject for the financial and Human Resources staff that the malware is designed to target.

Example Dridex Mail

Upon downloading and opening the attached .XLS file, staff discover that the document appears blank; in fact, the computer is already infected with the Dridex malware.

The current crop of infected .XLS files are ‘droppers’: macro-based mini-scripts hidden inside the .XLS files that go on to download and install the malware proper.

As a result, if you run Microsoft Office with macros disabled by default (set either to always deny or to always ask when a macro attempts to run), you are somewhat less vulnerable to this current threat.
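For local IT staff who have saved suspicious attachments to a quarantine folder, the following PowerShell script is an added example (not OxCERT's code) that flags files carrying an embedded VBA project, the ‘dropper’ mechanism described above. It recognises the two container formats Office uses: legacy OLE compound files (.xls, .doc), where every VBA project includes a stream named `_VBA_PROJECT`, and OOXML zip containers (.xlsm, .docm), where the project travels as a `vbaProject.bin` part. The quarantine path is a placeholder; the check is a heuristic, so a file that passes is not proven clean and a flagged file still needs analysis.

```powershell
# Added example (not OxCERT's code): triage saved attachments for an embedded VBA
# project. Heuristic only: a file that passes is not proven clean, and a file that
# is flagged still needs analysis.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-MacroBearingDocument {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return $false }

    # Legacy binary formats (.xls, .doc) are OLE compound files. Every VBA project
    # contains a stream named "_VBA_PROJECT" (MS-OVBA), and OLE directory names are
    # stored as UTF-16LE at even offsets, so decoding the whole file as UTF-16 finds it.
    $oleMagic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1)
    $isOle = $true
    for ($i = 0; $i -lt 8; $i++) {
        if ($bytes[$i] -ne $oleMagic[$i]) { $isOle = $false; break }
    }
    if ($isOle) {
        $names = [System.Text.Encoding]::Unicode.GetString($bytes)
        return $names.Contains('_VBA_PROJECT')
    }

    # OOXML formats (.xlsm, .docm) are zip containers; the macro project is stored
    # as a vbaProject.bin part. Check the magic bytes rather than the file extension,
    # since the sender chooses the extension freely.
    if ($bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
            try {
                foreach ($entry in $zip.Entries) {
                    if ($entry.FullName -like '*vbaProject.bin') { return $true }
                }
                return $false
            }
            finally { $zip.Dispose() }
        }
        catch [System.IO.InvalidDataException] {
            Write-Warning "$Path has a zip signature but is not a readable zip"
            return $false
        }
    }
    return $false
}

# Sweep the folder where suspicious attachments were saved (placeholder path) and
# list the ones that carry a VBA project.
Get-ChildItem -Path 'C:\Quarantine' -File -Recurse |
    Where-Object { Test-MacroBearingDocument -Path $_.FullName } |
    Select-Object FullName, Length, LastWriteTime
```

Run it from a machine that does not open the files; the script only reads bytes and never launches Office. A positive result means the document can run a macro if opened, which on its own is reason to treat an unexpected invoice attachment as hostile.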

Dridex is also capable of infecting network shares, user roaming profiles and detachable media such as USB keys, although it does not do so readily. This is significant, as a user’s roaming profile can easily wander from one machine to another as the user logs on to and off different machines. Cross-infection is by no means automatic or certain in these circumstances; it might, for example, rely upon the user finding and re-opening infected content from the profile while logged into a second machine, but this behaviour cannot be ruled out.

Behaviour

Dridex is an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the internet; if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IP addresses are effective only in the short term.

As far as we know, by default Dridex does not attempt to spread from one machine to another directly; this would draw attention to the infection. Instead the malware lies mostly dormant, monitoring keystrokes and email contents for long periods of time.

It should be noted that Dridex itself is not a macro virus, but the current infection vector we are seeing uses macros. This is important, as we are able to slow down the rate of infection by controlling the use of macros in Microsoft Office applications, but for machines already infected the damage has already been done. Sophos et al can sometimes detect ‘macro viruses’ on-disk, but if you have opened the attachment already then it is too late.

Removal

It is not possible to remove Dridex from an infected machine. If a staff member has opened an unfamiliar attachment or OxCERT have issued a warning about a machine, the following steps must be taken:

  • Quarantine the affected machine; remove its network connectivity and switch it off
  • Inform OxCERT immediately; oxcert@it.ox.ac.uk
  • Change ALL service passwords used on that machine; this includes personal accounts, social media, SSO logins and internal systems such as financial databases
  • Reformat the hard disk of the infected machine; do NOT use System Restore, this is ineffective and simply re-installs the malware
  • Re-install the Operating System from scratch using your locally preferred method
  • Do not use the re-installed machine until all security patches have been applied
  • ALSO: If a roaming profile has been used by any user on an infected machine, that profile must be completely wiped to ensure no lingering infection elements are present.

The mental checklist is as follows:

‘Phishing@it.ox.ac.uk’ would be the fourth ‘P’ but that ruins it

Proactive Steps

The only effective means of preventing the ‘dropper’ documents from downloading the main malware code is to change your macro settings in Microsoft Office:

Office 2013 dialogue example

For this Office 2013 example we would recommend ‘Disable all macros with notification’.

This will cause Office to ask you before running a macro, giving you the time needed to check that a document is actually what you expect it to be before launching the macros inside it, which could deliver the virus to your PC. This can make frequently used macro documents quite inconvenient, but it is a strong step forward in ensuring your safety.
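The Trust Center dialogue above changes the setting for one user on one machine. For IT staff who need to check or enforce it across many PCs, the following PowerShell script is an added example (not OxCERT's code) that reads and writes the same setting in the registry. It assumes Office 2013, which stores its settings under version `15.0`, and relies on the `VBAWarnings` value, where 1 means enable all macros, 2 means disable all with notification, 3 means disable all except digitally signed, and 4 means disable all without notification; a value written under `Software\Policies` (what Group Policy uses) overrides the user's own choice and greys out the dialogue.

```powershell
# Added example (not OxCERT's code). Office 2013 is version 15.0 under the Office
# registry keys (14.0 = 2010, 16.0 = 2016). VBAWarnings is the Trust Center macro
# setting: 1 = enable all, 2 = disable all with notification, 3 = disable all except
# digitally signed, 4 = disable all without notification.
$OfficeVersion = '15.0'
$Apps          = 'Excel', 'Word', 'PowerPoint'
$Recommended   = 2          # 'Disable all macros with notification'

function Get-MacroPolicy {
    # Reports the effective VBAWarnings value per application. A value under
    # Software\Policies (written by Group Policy) overrides the user's own Trust
    # Center choice under Software\Microsoft.
    foreach ($app in $Apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $policyValue = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $userValue   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings

        $effective = $Recommended            # no value stored means Office's shipped default
        if ($null -ne $userValue)   { $effective = $userValue }
        if ($null -ne $policyValue) { $effective = $policyValue }   # policy wins

        [pscustomobject]@{
            Application = $app
            Policy      = $policyValue
            User        = $userValue
            Effective   = $effective
            # 2, 3 and 4 all stop an unsigned macro from running without the user's say-so
            Compliant   = ($effective -ge $Recommended)
        }
    }
}

function Set-MacroPolicy {
    # Writes the recommended value into the Policies hive for the current user, so the
    # Trust Center option is locked and cannot be relaxed from the dialogue.
    foreach ($app in $Apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name VBAWarnings -PropertyType DWord -Value $Recommended -Force | Out-Null
    }
}

# Audit first; call Set-MacroPolicy only after reviewing the table.
Get-MacroPolicy | Format-Table -AutoSize
```

On a domain-joined estate the same Policies value is normally delivered through Group Policy with the Office administrative templates, which is the preferred route because it applies to every user; this script does the per-user equivalent for a machine you are standing at, and its audit output is what you would compare against after a policy roll-out.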

To prevent future infections, the most effective tool is user awareness and vigilance. This threat relies on the user opening the document; it cannot infect a user’s machine without that crucial step.

All staff should be aware of the current threat status and exercise caution in opening attachments from any unfamiliar sources or companies.

Where there is doubt surrounding the authenticity of an email, staff should seek an immediate second opinion from a colleague or supervisor.

We appreciate this is less than ideal for departments receiving many hundreds of attachments per day, but it is our only effective defence against this threat at present. Only by looking out for and helping one another to recognise malicious emails can we prevent more departments and more users falling victim to this new threat.

As ever, OxCERT and the Infosec Team (infosec@it.ox.ac.uk) are available to offer advice, although our response times at present may be slower than usual.

Errata

For the more technically-curious, there is a short excerpt from the recent CeBit 2015 conference, in which world-renowned hacker-turned-security-pro Kevin Mitnick demonstrates precisely how this kind of malware is delivered to a user, how a user is enticed to open it, and the subsequent malware installation that quietly seizes control of the victim’s machine.

The PC in the following clip is fully up-to-date with security patches, and is running a common signature-based antivirus product.

This may serve to illustrate just how short the distance is between ‘Clean’ and ‘Infected’; in the clip, Mitnick is able to ‘Uninstall’ his malware because he himself created it and uses a built-in function to do so, but any attempt to remove such code by force (by running antivirus, deleting files from disk, modifying registry settings, etc.) would be doomed to failure. The only safe course is scorched earth: reinstall the system from bare metal upwards.

Further Reading:

Paul David Hood

OxCERT Security Incident Response Co-Ordinator

2 Responses to “Major Dridex Banking Malware Outbreak”

  1. Michael Tombs says:

    An apology would be nice as to why the university firewall, email filters and anti-virus are so useless. I have received at least half a dozen of the suspicious emails, which get delivered to my inbox, not even the Junk-Mail folder, and deleted them as is standard practice and not at all unusual, but you are totally dependent on the last line of defence since all yours have failed! I have had a Gmail account for as long as they have been available and have not seen any malware there for years! Are other universities suffering in such a bad way? My contacts say not. The “Dridex” malware has been in the news for over a month; Sophos claimed to detect it in January 2015 but TrendMicro apparently reported it in July 2014. Sophos recently tweeted the Dridex botnet taken down:

    https://twitter.com/sophos_news/status/659080975088005124

    For years the University website had all our email addresses in plain text, easily scrapable, but we also put email details in publicly available conference and journal papers so you must assume all email addresses are out there, there was a step increase in junk mail when OUCS moved to the Microsoft platform, which has never abated!

  2. Robin Stevens says:

    Hi Michael,

    Thank you for engaging with us on this blog. We are indeed sorry that this malware has caused so much inconvenience for University members. You raise a number of salient points and I will try and address them.

    Firstly, the University has various defences in place and these do filter a substantial proportion of spam and actively malicious email traffic. Last year we rejected just short of 10 million such emails but the complexity and autonomy within our University means that a “one size fits all” solution won’t suit all needs. Clearly some spam and malicious mail is still getting through, as demonstrated by these incidents and indeed the general level of junk mail, and there is still considerable scope for improvement.

    IT Services runs a continuous programme of countermeasure development and deployment and some improvements have been deployed today. We will be investigating what more can be done, but systems must maintain an appropriate balance between blocking unwanted content and ensuring that legitimate communications are not unreasonably disrupted.

    Some large scale and general-use email providers such as Google do have more advanced malware detection in place but it is extremely resource-hungry and expensive. In a University environment it is important that the amount of money spent on countermeasures is in proportion to the risk. We receive our monetary resources for research and teaching and must do all we can to maximise the proportion of that going to those core University activities.

    We are in frequent contact with other major universities and look to share information on threats and defensive strategies. We are certainly not the only major UK University to be seeing the Dridex malware on this scale. There are others which are not, and it’s important for us to learn what defensive strategies are proving effective and look at whether they can be applied here. We are doing so.

    Dridex is a malware family that has been around for some time and which we have previously encountered in the University in relatively small numbers. It is constantly evolving and changing in form, and therefore in fingerprint/signature, to stay ahead of malware detection. It is likely in use by multiple criminal groups. High-profile takedowns of networks of infected machines such as the one you mention typically only affect one of these groups.

    You mention a last line of defence being a human and you are right, but we think it is important to mount defence against this sort of malware in a multi-tiered manner. IT Services is working hard to make sure as little gets into mailboxes as possible but there is also a crucial line of defence in anti-malware software on local machines in colleges and departments and on personal machines. That layer is the responsibility of the local IT staff or the user and we encourage redoubling of efforts into that. IT Services just yesterday provided advice to local IT staff about hardening existing anti-malware solutions in use in the University.

    Thank you again for taking the time to engage with us. We appreciate your taking the time to do so and to give us the chance to respond.

    OxCERT, IT Services