Detecting and removing Dridex

“The cleanup [of Dridex] is relatively easy”

– Orla Cox, Director, Security Response, Symantec

It’s not that often you see really advanced malware these days. The bad guys don’t have to fight and defeat security professionals. All they need to be successful is to defeat a regular user. It’s up to security experts to protect their users, and that’s not always easy to do. Users’ negligence and lack of basic information security hygiene play into the bad guys’ hands. Because of that, modern malware doesn’t have to be really advanced. It only needs to be convincing enough to trick the user into launching it deliberately, and the job is done. Of course there is really complex malware out there in the form of APTs, but that’s mostly governments competing with each other for power. They don’t care much about regular Joe and Jane or about stealing money from them. The cybercriminals do.

One of the most advanced malware examples is Dridex. It is believed to be an evolution of Cridex, which in its turn is an advancement of the Zeus banking trojan. It has a long history, spanning almost 10 years of development. Here I’ll describe how to detect and how to clean the most recent version of it, which I dealt with during April and May 2016. A fair share of information on Dridex comes from anti-virus vendors such as Symantec, and their typical advice is to use their anti-virus solution to clean up computers infected with this malware. The problem is that this doesn’t always work, so here I’m going to break down the clean-up process into basic steps that can be automated using the regular Windows bat/cmd shell or PowerShell.

Continue reading

New MIME multipart technique to avoid SEG detection

I hate writing, and English isn’t my native language, but I still decided to put some effort into this blog. I plan to work part-time as a CISSP course instructor for a while, and one of the goals of this blog is to give my audience some idea of what typical information security work is, what incident response is, some thoughts on security certifications, careers in the industry, etc. If you are reading this you are most likely aware of the recent high-profile breaches and of the increased demand for security professionals, and you are probably looking to “break into security” yourself, or are already there but still looking for tips on how to make a better version of yourself in this competitive area. So I plan to fill this blog with information that could help you gauge whether you are really up to it.

So the first post in English here is about how phishing emails bypass some of the most sophisticated security controls of modern Secure Email Gateways (SEGs) and end up in users’ mailboxes. In general, it’s pretty hard or even nearly impossible to penetrate a well-configured enterprise-level front-end email security solution, but it still happens, because of poor security budgeting, vendors lagging behind, or a lack of proper configuration. Even when everything is in place and properly configured, it sometimes happens because the bad guys are very creative.

2016 so far has been a year of soaring phishing trends according to multiple observers; the particular graph shown here comes from Kaspersky Lab. In addition to increased volumes of phishing emails, I see the bad guys using a somewhat new approach to bypassing secure email gateways (SEGs). Their ultimate task is to get phishing emails delivered to users’ mailboxes without being detected by any of the security controls we set up on our front-end email servers. More often than I would like, they manage to do that. Here I want to dissect a certain technique that lets the bad guys pierce through SEGs and deliver malicious attachments to users. Continue reading

Printer redirection in terminal sessions (MS Terminal Services & Remote Desktop Services)


Part one, theory

Introduction, “What printing in terminal services is”

1. How to enable it

2. Group policies

3. The “native driver” and “fallback driver” schemes

4. The Screwdrivers scheme

5. Terminal-compatible printers

6. Printing over VPN

Part two, troubleshooting

1. Types of printing problems in terminal sessions

2. Spooler problems

3. The redirection driver

4. The registry

5. Microsoft’s troubleshooting wizard

6. If nothing else helps, but the printer has to print

7. Printing over slow links

8. Useful links

What printing in terminal services is

In the 1990s Microsoft developed a special role for Windows NT 4.0 Server called Terminal Server. The role turned out to be popular and in demand. Its functionality is fairly simple: using the dedicated program mstsc.exe (“Remote Desktop Connection”), which ships with all modern versions and editions of Windows client operating systems (except, perhaps, Windows Phone), you can connect over the network to a remote server, see the remote server’s desktop, and control it with your mouse and keyboard as if it were your own. Continue reading