Tuesday, May 3, 2016

What is Dridex malware and how to prevent it ?


Dridex is a malware which uses Microsoft Word macros to infect a system and then creates a botnet to steal banking credentials and other sensitive personal information of the victims to gain access to the financial records of the victims.


Dridex first appeared in 2014 and since then it has infected millions of computers. In 2015, financial theft caused by Dridex was around 20 million pounds in UK and around 20 million dollars in US.


Dridex malware and its original version Cridex


The original version of Dridex was known as Cridex and it first appeared in 2012. Cridex would act as a worm and self-replicate to infect other computers in the network using network drives or attached local storage devices. After infection, it would add the infected computer to a botnet and harvest sensitive banking credentials of the victims.


The current version of Dridex first appeared in 2014. Like Cridex, Dridex also adds the infected computer to a botnet and steal sensitive credentials of the victims. But, unlike Cridex, Dridex does not self-replicate. It typically uses spam emails to infect a computer. The victim typically gets a spam email with a Microsoft Word document attachment. On clicking on the attachment, it uses macros to download and install the malware in the victim's computer.


Dridex malware updated itself significantly in November, 2014. It started using Peer-to-Peer communication and decentralized its infrastructure, making it much harder to take down.


How does Dridex malware infect a computer ?






Dridex is spread through spam campaigns. Victims typically get spam emails with some Microsoft Word attachment in it. To make the spam emails look more authentic, the attackers often use real company names in the message body, subject line or sender address. They may even use the same top level domain name as that of the actual company. Most of the cases, these spam emails disguise as some sort of financial statements.

The attached Microsoft Word document contains a malicious macro. When a victim clicks on it and opens the attachment, the macro starts execution. It drops a .vbs file, which in turn download and install Dridex in the victim's computer.


So, to summarize, Dridex typically follows the steps mentioned below to infect a computer :

  • User receives a spam email with some Microsoft Word Attachment disguising mostly as a financial statement.
  • The user clicks on the attachment and it prompts to enable macro.
  • On enabling it, the macro starts execution and a malicious .vbs file is dropped.
  • The .vbs file downloads and installs Dridex malware.



How does Dridex malware steal sensitive data of victims ?



After infection, Dridex injects itself to popular web browsers and uses Man-In-The-Browser Attack to steal sensitive credentials of the victims. It typically follows the steps mentioned below for the purpose :


  • After infecting a computer, the malware installs a malicious extension to the victim's browser. When the user restarts the browser, it gets loaded automatically.
  • The extension registers a handler for every page load, which tracks all the pages loaded by the browser and matches them with a list of known websites.
  • Whenever the user loads a page of a banking website, the extension registers a button event handler.
  • The user authenticates to the banking website giving his credentials. When the user fills up a form for financial transaction, the extension intercepts the communication. It notes down the data entered by the user, but modifies the data and sends the modified data to the banking web application.
  • The web application performs the transaction as per the modified data and sends the receipt.
  • The extension again intercepts the communication. It modifies the data in the receipt with the data entered by the user originally.
  • The user gets the modified receipt filled up with data provided by him.
  • The stolen data is transferred back to the C&C server of the attackers.


Who are the targeted victims of Dridex malware ?


Dridex typically attacks customers of some selected banks and financial institutions. The main purpose of the attackers is to infect computers of those customers with the malware and then to modify or monitor financial transactions to steal sensitive credentials.


How to prevent Dridex malware ?

Dridex malware is one of the most widely known notorious malware which is difficult to detect. But, a user can always follow some simple steps to prevent infection of this malware.


  • The malware typically uses spam emails to infect a computer. Many a times, those spam emails are carelessly composed and contains contradictory information. A careful inspection of the email may prove to be much helpful in preventing infection of the malware.
  • The malware exploits security vulnerabilities of commonly used software to infect a computer. So, always keep your computer updated with recent security patches of all the commonly used software.
  • Update your Operating Systems with recent patches for the same reason.
  • Keep your browser updated with recent patches. It would reduce the security vulnerabilities present in the browser software.
  • Always keep your system updated with recent patches of anti-malware programs from a trusted source.
  • Closely monitor any changes in browser settings is one option of preventing this attack. Browser extensions and scripting should be limited. And, do not use any browser extension if you are not very sure about its authenticity.
  • Users should educate themselves about Dridex malware and its attacks and use their common sense while using sensitive banking web applications.
  • Users should change credentials of the banking application immediately on suspected infection of the malware.



So, beware of various malware programs and how to prevent them, so that you can protect your data in a better way. And, stay safe, stay protected.

1 comment:

  1. Yea probably one of the most dangerous features of MS Office, macros

    If it's not one of your macros or from a trusted source, don't run it.

    ReplyDelete