NCCIC / US-CERT   
      
   National Cyber Awareness System:   
      
   TA15-286A: Dridex P2P Malware   
   10/13/2015 07:23 AM EDT   
      
      
   Original release date: October 13, 2015   
      
   Systems Affected   
   Microsoft Windows   
      
   Overview   
      
   Dridex, a peer-to-peer (P2P) bank credential-stealing malware, uses a   
   decentralized network infrastructure of compromised personal computers and web   
   servers to execute command-and-control (C2). The United States Department of   
   Homeland Security (DHS), in collaboration with the Federal Bureau of   
   Investigation (FBI) and the Department of Justice (DOJ), is releasing this   
   Technical Alert to provide further information about the Dridex botnet.   
      
   Description   
   Dridex is a multifunctional malware package that leverages obfuscated macros   
   in Microsoft Office and extensible markup language (XML) files to infect   
   systems. The primary goal of Dridex is to infect computers, steal credentials,   
   and obtain money from victims’ bank accounts. Operating primarily as a banking   
   Trojan, Dridex is generally distributed through phishing email messages. The   
   emails appear legitimate and are carefully crafted to entice the victim to   
   click on a hyperlink or to open a malicious attached file. Once a computer has   
   been infected, Dridex is capable of stealing user credentials through the use   
   of surreptitious keystroke logging and web injects.   
      
   Impact   
      
   A system infected with Dridex may be employed to send spam, participate in   
   distributed denial-of-service (DDoS) attacks, and harvest users' credentials   
   for online services, including banking services.   
      
   Solution   
   Users are recommended to take the following actions to remediate Dridex   
   infections:   
      
   Use and maintain anti-virus software - Anti-virus software recognizes and   
   protects your computer against most known viruses. Even though Dridex is   
   designed to evade detection, security companies are continuously updating   
   their software to counter these advanced threats. Therefore, it is important   
   to keep your anti-virus software up-to-date (see Understanding Anti-Virus   
   Software for more information).   
   Change your passwords - Your original passwords may have been compromised   
   during the infection, so you should change them (see Choosing and Protecting   
   Passwords for more information).   
   Keep your operating system and application software up-to-date - Install   
   software patches so that attackers can't take advantage of known problems or   
   vulnerabilities. Many operating systems offer automatic updates. You should   
   enable automatic updates if this option is available (see Understanding   
   Patches for more information).   
   Use anti-malware tools - Using a legitimate program that identifies and   
   removes malware can help eliminate an infection. Users can consider employing   
   a remediation tool (examples below) to help remove Dridex from your system.   
          F-Secure   
      
          https://www.f-secure.com/en/web/home_global/online-scanner   
      
          McAfee   
      
          http://www.mcafee.com/uk/downloads/free-tools/stinger.aspx   
      
          Microsoft   
      
          http://www.microsoft.com/security/scanner/en-us/default.aspx   
      
          Sophos   
      
          https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx   
      
          Trend Micro   
      
          http://housecall.trendmicro.com/   
      
   The above are examples only and do not constitute an exhaustive list. The U.S.   
   Government does not endorse or support any particular product or vendor.   
      
   References   
   N/A   
   Revision History   
   Initial Publication - October 13, 2015   
      
   ----------------------------------------------------------------   
   -------------- -   
      
   This product is provided subject to this Notification and this Privacy & Use   
   policy.   
      
      
   ----------------------------------------------------------------   
   -------------- -   
   A copy of this publication is available at www.us-cert.gov. If you need help   
   or have questions, please send an email to info@us-cert.gov. Do not reply to   
   this message since this email was sent from a notification-only address that   
   is not monitored. To ensure you receive future US-CERT products, please add   
   US-CERT@ncas.us-cert.gov to your address book.   
   OTHER RESOURCES:   
   Contact Us | Security Publications | Alerts and Tips | Related Resources   
   STAY CONNECTED:   
   Sign up for email updates   
      
   SUBSCRIBER SERVICES:   
   Manage Preferences  |  Unsubscribe  |  Help   
      
      
   ----------------------------------------------------------------   
   -------------- -   
   This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf   
   of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray   
   Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by GovDelivery   
      
   === Cut ===   
      
      
   --   
   Guardien Fide   :^)   
      
      Ben  aka cMech  Web: http://cmech.dynip.com   
                    Email: fido4cmech(at)lusfiber.net   
                 Home page: http://cmech.dynip.com/homepage/   
              WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1   
      
   --- GoldED+/W32-MSVC   
    * Origin: FIDONet - The Positronium Repository (1:393/68)