Dridex Peer-to-Peer (P2P) Malware Security Alert Bulletin

Nov 16, 2015

US-CERT Alert (TA15-286A)

Products Affected:

Microsoft Windows

Overview:

Recently, several users have reported receiving e-mails containing 'invoice' attachments at their official University e-mail accounts. The attachment carries a sophisticated form of malware known as Dridex, a multifunctional malware package that uses a peer-to-peer (P2P) command-and-control network and is delivered through Microsoft Word documents containing malicious macros: the macro, once the recipient enables it, installs the malware. The primary goal of Dridex is to infect computers, steal credentials, and harvest sensitive information in order to take money from victims' bank accounts. Operating primarily as a banking Trojan, Dridex is generally distributed through phishing e-mail messages. The e-mails appear legitimate and are carefully crafted to entice the victim to click on a hyperlink or to open a malicious attachment.
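Because the infection depends on a VBA macro inside the Word attachment, a useful triage check before anyone opens an unexpected "invoice" is whether the file carries a VBA project at all. The following Python script is an added example written for this bulletin, not code from the alert or from any vendor; it inspects the file bytes rather than trusting the extension. It handles the Office Open XML container (a zip in which a macro project is stored as word/vbaProject.bin) and, as a labelled heuristic, the legacy binary .doc container (an OLE2 compound file whose directory entries are UTF-16LE names, so the string _VBA_PROJECT is a strong indicator without a full OLE parse). The sample attachments are constructed in memory and are not real Dridex files.

```python
import io
import zipfile

# Office Open XML (.docm, or a .docx-named file that still contains the part)
OOXML_VBA_PART = "word/vbaProject.bin"
# Legacy binary Word .doc: OLE2 compound-file magic bytes
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries are UTF-16LE; "_VBA_PROJECT" only appears when a VBA project is present.
# Heuristic assumption: a raw byte search is used instead of parsing the OLE directory.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def word_file_has_macros(data: bytes) -> bool:
    """Return True if the Word document bytes carry a VBA project."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return False
        # Also catch a project stored under another folder (e.g. xl/ in a spreadsheet)
        return OOXML_VBA_PART in names or any(n.endswith("vbaProject.bin") for n in names)
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    # Not an Office container we recognise; nothing to flag here
    return False


def triage_attachments(attachments):
    """Return the names of attachments that contain a VBA project, in input order."""
    return [name for name, data in attachments if word_file_has_macros(data)]


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container for testing (constructed sample, not a real invoice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x03\x00")  # placeholder bytes
    return buf.getvalue()


# Constructed sample set: names and contents are made up for this example.
SAMPLE_ATTACHMENTS = [
    ("invoice_20151116.docm", build_sample(True)),
    ("invoice_20151116.docx", build_sample(True)),   # VBA part present despite the .docx name
    ("meeting_notes.docx", build_sample(False)),
    ("legacy_invoice.doc", OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER + b"\x00" * 16),
    ("readme.txt", b"plain text, not an Office file"),
]

if __name__ == "__main__":
    for name in triage_attachments(SAMPLE_ATTACHMENTS):
        print("contains a VBA project, do not open:", name)
```

The second sample shows why the check reads the bytes rather than the extension: the absence of a .docm suffix is not evidence that a macro project is absent. A file flagged here should go to the help desk or security team rather than being opened with "Enable Content"; for production triage, a proper OLE parser (such as the oletools olevba utility) replaces the byte-search heuristic used for legacy .doc files.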

Impact:

A system infected with Dridex may be employed to send spam, participate in distributed denial-of-service (DDoS) attacks, and harvest users' credentials for online services, including banking services.

Solution:

Although this form of malware is difficult for e-mail spam filters to detect, Kaspersky, the University's new antivirus solution, currently detects and blocks it. This prevents you from opening the attachment on University equipment that is enrolled in our antivirus service. You must still exercise caution on your personal devices. To minimize risk, keep your antivirus software, applications, and operating system up to date, and never enable macros ("Enable Content" in Word) in a document you were not expecting: the Dridex attachment cannot install the malware unless its macros are allowed to run. If you believe you have been compromised, run your antivirus software and use a legitimate anti-malware tool to remove the malware. Here are some examples:

F-Secure:  https://www.f-secure.com/en/web/home_global/online-scanner 
McAfee:  http://www.mcafee.com/uk/downloads/free-tools/stinger.aspx
Microsoft:  http://www.microsoft.com/security/scanner/en-us/default.aspx
Sophos:  https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
Trend Micro: http://housecall.trendmicro.com/     

You are required to report any compromise involving your University account. Please review the mandatory reporting requirement at http://infosec.missouri.edu/hr/mandatory-reporting.html. Once you have removed the malware, you must change all your passwords for any sites, applications, or services you access, and do so from a device you know to be clean, since Dridex harvests credentials typed on an infected machine. To change your University password, use the password manager tools at https://doit.missouri.edu/accounts/password-tools/.

Resources:

http://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/

https://www.fireeye.com/blog/threat-research/2015/06/evolution_of_dridex.html

https://www.virustotal.com/en/file/9ad8b524f53542a0fc2dc9bf21291a88d289d0c1be0050606069d48704fa5675/analysis/

http://www.pcworld.com/article/2997070/despite-takedown-the-dridex-botnet-is-running-again.html

http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-down-but-not-out/