Beginning Friday and continuing through the weekend, OxCERT’s network security monitoring has picked up an extreme number of PCs infected with the ‘Dridex’ family of banking malware.
This malware is a specialised form of computer virus, tailored specifically to Windows-based PCs and designed to quietly harvest user credentials and financial information.
Commonly employed signature-based anti-virus packages are completely ineffective against this tier of threat: Dridex is strongly resistant to antivirus detection once it has become resident on a machine, and cannot be reliably removed even if discovered. OxCERT are able to detect some of the encrypted traffic signatures that the malware produces, as a result of intensive in-house efforts to develop our monitoring capabilities, but sadly are unable to proactively prevent the infection of a machine.
This particular outbreak has been traced to malicious .XLS (Microsoft Excel) spreadsheet files, distributed to many University departments by email. The emails suggested that a bill was to be paid or an invoice satisfied, a common enough subject for the financial and Human Resources staff that the malware is designed to target.
Upon downloading and opening the attached .XLS file, staff discover that the document appears blank; in fact, the computer is already infected with the Dridex malware.
The current crop of infected .XLS files are ‘droppers’: macro-based mini-scripts hidden inside the .XLS files that then go on to download and install the malware proper.
As a result, if you are running Microsoft Office with macros disabled by default (either Always Deny or Always Ask when a macro attempts to run) you may be somewhat less vulnerable to this current threat.
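A screening check that follows from the dropper mechanism described above, written as an added example for this post and not OxCERT’s own tooling: it flags Office attachments that embed a VBA project, using a heuristic byte-pattern scan of the OLE2 directory names for the legacy .xls format and a check for vbaProject.bin inside the .xlsm zip. The sample attachments are constructed in memory and are not real documents.

```python
import io
import zipfile

# OLE2 (Compound File) magic that every legacy .xls/.doc begins with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names that appear only when a VBA project is embedded.
# OLE directory entries store names as UTF-16LE, so encode them that way.
# This is a heuristic pattern scan, not a full OLE parser.
VBA_NAMES = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]


def has_macros(data: bytes) -> bool:
    """Return True if an Office attachment appears to carry VBA code.

    Covers the legacy binary formats (.xls/.doc, OLE2 container) and the
    OOXML zip formats (.xlsm/.docm), where macros live in vbaProject.bin.
    """
    if data.startswith(OLE_MAGIC):
        return any(name in data for name in VBA_NAMES)
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def _fake_ole(dir_names):
    """Constructed stand-in for an OLE2 file: real magic, then 128-byte
    directory-entry slots holding UTF-16LE names. Not a valid workbook."""
    header = OLE_MAGIC.ljust(512, b"\x00")
    entries = b"".join(n.encode("utf-16-le").ljust(128, b"\x00") for n in dir_names)
    return header + entries


def _fake_ooxml(member_names):
    """Constructed OOXML-style zip containing the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in member_names:
            zf.writestr(n, b"")
    return buf.getvalue()


# Constructed samples: a plain workbook, a macro dropper, and a macro .xlsm.
CLEAN_XLS = _fake_ole(["Root Entry", "Workbook", "\x05SummaryInformation"])
DROPPER_XLS = _fake_ole(["Root Entry", "Workbook", "_VBA_PROJECT_CUR", "VBA"])
MACRO_XLSM = _fake_ooxml(["[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin"])

if __name__ == "__main__":
    for label, blob in (("clean.xls", CLEAN_XLS), ("invoice.xls", DROPPER_XLS), ("invoice.xlsm", MACRO_XLSM)):
        print(f"{label}: {'MACROS PRESENT, hold for review' if has_macros(blob) else 'no macros found'}")
```

A mail gateway or helpdesk script can call has_macros() on each attachment and divert anything flagged for a second opinion, which complements the macro-prompt setting recommended later in this post.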
Dridex is also capable of infecting network shares, user roaming profiles and detachable media such as USB keys, although it is not particularly inclined to do so. This is significant, as a user roaming profile can easily wander from one machine to another as the user logs on and off different machines. Cross-infection is by no means automatic or certain in these circumstances; it might, for example, rely upon the user finding and re-opening infected content from the profile while logged into a second machine, but this behaviour cannot be ruled out.
Dridex is an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the internet; if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs are effective only in the short term.
As far as we know, by default Dridex does not attempt to spread from one machine to another directly; this would draw attention to the infection. Instead the malware lies mostly dormant, monitoring keystrokes and email contents for long periods of time.
It should be noted that Dridex itself is not a macro virus, but the current infection vector we are seeing uses macros. This is important, as we are able to slow down the rate of infection by controlling the use of macros in Microsoft Office applications, but for machines already infected the damage has already been done. Sophos et al can sometimes detect ‘macro viruses’ on-disk, but if you have opened the attachment already then it is too late.
It is not possible to remove Dridex from an infected machine. If a staff member has opened an unfamiliar attachment or OxCERT have issued a warning about a machine, the following steps must be taken:
- Quarantine the affected machine; remove its network connectivity and switch it off
- Inform OxCERT immediately; email@example.com
- Change ALL service passwords used on that machine; this includes personal accounts, social media, SSO logins and internal systems such as financial databases
- Reformat the hard disk of the infected machine; do NOT use System Restore, which is ineffective and simply re-installs the malware
- Re-install the Operating System from scratch using your locally preferred method
- Do not use the re-installed machine until all security patches have been applied
- ALSO: If a roaming profile has been used by any user on an infected machine, that profile must be completely wiped to ensure no lingering infection elements are present.
The mental checklist is as follows:
The only effective means of preventing the ‘dropper’ documents from downloading the main malware code is to change your macro settings in Microsoft Office:
For this Office 2013 example, we would recommend ‘Disable All Macros with notification’.
This will cause Office to ask you before running a macro, giving you the time needed to check that a document is actually what you expect it to be before launching the macros inside, which could deliver the virus to your PC. This can make frequently-used macro documents quite inconvenient, but it is a strong step forward in ensuring your safety.
To prevent future infections, the most effective tool is user awareness and vigilance. This threat relies on the user opening the document; it cannot infect a user without that crucial step.
All staff should be aware of the current threat status, and should exercise caution in opening attachments from any unfamiliar sources or companies.
Where there is doubt surrounding the authenticity of an email, staff should seek an immediate second opinion from a colleague or supervisor.
We appreciate this is less than ideal for departments receiving many hundreds of attachments per day, but it is our only effective defence against this threat at present. Only by looking out for and helping one another to recognise malicious emails can we prevent more departments and more users falling victim to this new threat.
As ever, OxCERT and the Infosec Team (firstname.lastname@example.org) are available to offer advice, although our response times at present may be slower than usual.
For the more technically-curious, there is a short excerpt from the recent CeBit 2015 conference, in which world-renowned hacker-turned-security-pro Kevin Mitnick demonstrates precisely how this kind of malware is delivered to a user, how a user is enticed to open it, and the subsequent malware installation that quietly seizes control of the victim’s machine.
The PC in the following clip is fully up-to-date with security patches, and is running a common signature-based antivirus product.
This may serve to illustrate just how short the distance is between ‘Clean’ and ‘Infected’. In the clip, Mitnick is able to ‘Uninstall’ his malware because he himself created it and uses a built-in function to do so; attempting to remove his code by force (by running antivirus, deleting files from disk, modifying registry settings etc.) would be doomed to failure. The only safe course is scorched earth: reinstall the system from bare metal upwards.
- An excellent in-depth technical analysis of the Dridex malware family
- Symantec report, including links to technical countermeasures
Paul David Hood
OxCERT Security Incident Response Co-Ordinator