Dridex P2P Malware

Number: TR15-005
Date: 13 October 2015

Audience

This report is intended for organizations within federal, provincial/territorial and municipal governments, critical infrastructure, and other related industries that may have computer systems affected by Dridex. Non-technical audiences are invited to visit Public Safety Canada’s GetCyberSafe.ca webpage to learn more about staying safe online.

Purpose

The purpose of this document is to provide guidance on how to recover from computer system infection by the Dridex malware. This document also provides mitigation advice which may help to reduce the risk associated with this threat.

Overview

Dridex, a peer-to-peer (P2P) bank credential-stealing malware identified in 2009, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The Canadian Cyber Incident Response Centre (CCIRC) in collaboration with international partners is releasing this Technical Report to provide further information about the Dridex botnet.

Description

Dridex is a multifunctional malware package that has been used since late 2009. The primary goal of Dridex malware is to infect computers, steal credentials, and then obtain money from victims’ bank accounts. Operating primarily as a banking Trojan, Dridex malware is generally distributed through phishing email messages and leverages embedded malicious links or macros in Microsoft Office attachments to infect systems. The emails appear legitimate and are carefully crafted to entice the victim to click on a hyperlink or to open an attached file. Once a computer has been infected, Dridex is capable of stealing user credentials through the use of surreptitious keystroke logging and web injects. Dridex, like most modern malware families, is specifically crafted to defeat antivirus and other protective measures.

A system infected with Dridex may be used to send spam, participate in DDoS attacks, and harvest users' credentials for online services, including banking services.
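As an added example that is not part of the CCIRC report, the following mail-gateway triage check flags Office attachments that carry a VBA project, the macro-based infection vector described above. The attachment samples are constructed in memory, and the legacy OLE2 check is a byte-pattern heuristic rather than a full container parser.

```python
import io
import zipfile

# Signatures used by this (added, hypothetical) triage helper.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
# OLE2 directory entries store stream names as UTF-16LE; "_VBA_PROJECT" is the
# VBA project stream. Searching for it is a heuristic, not a full OLE2 parse.
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
ZIP_MAGIC = b"PK\x03\x04"  # OOXML (.docx/.docm/.xlsm) is a zip container


def contains_vba_macros(data: bytes) -> bool:
    """Return True if an Office attachment carries a VBA project (OLE2 or OOXML)."""
    if data.startswith(OLE2_MAGIC):
        return OLE2_VBA_MARKER in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return False
        # OOXML stores macros as a vbaProject.bin part (word/, xl/, ppt/ ...)
        return any(n.lower().endswith("vbaproject.bin") for n in names)
    return False


def triage_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns names to quarantine for review."""
    return [name for name, data in attachments if contains_vba_macros(data)]


def _ooxml(parts):
    """Build a minimal OOXML-like zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part in parts:
            zf.writestr(part, b"")
    return buf.getvalue()


# Constructed samples: a clean .docx, a macro-bearing .docm, and a legacy .doc with VBA.
SAMPLE_ATTACHMENTS = [
    ("invoice.docx", _ooxml(["[Content_Types].xml", "word/document.xml"])),
    ("invoice.docm", _ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])),
    ("invoice.doc", OLE2_MAGIC + b"\x00" * 64 + OLE2_VBA_MARKER + b"\x00" * 64),
]

if __name__ == "__main__":
    print(triage_attachments(SAMPLE_ATTACHMENTS))  # ['invoice.docm', 'invoice.doc']
```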

Mitigation

CCIRC recommends the following actions to assist in remediating Dridex infections:
- Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date.
- Change your passwords - Your original passwords may have been compromised during the infection.
- Keep your operating system and application software up-to-date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates.

The following links to popular tools are for information purposes only and should not be interpreted as an endorsement of any particular tool or technology:

- ESET
http://www.eset.com/us/online-scanner/
- F-Secure
https://www.f-secure.com/en/web/home_global/online-scanner
- McAfee
http://www.mcafee.com/uk/downloads/free-tools/stinger.aspx 
- Microsoft
http://www.microsoft.com/security/scanner/en-us/default.aspx
- Sophos
https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
- Trend Micro
http://housecall.trendmicro.com/ 
