Detecting and removing Dridex

“The cleanup [of Dridex] is relatively easy”

– Orla Cox, Director, Security Response, Symantec

It’s not that often you see really advanced malware these days. The bad guys don’t have to fight and defeat security professionals; all they need to be successful is to defeat a regular user. It’s up to security experts to protect their users, and that’s not always easy to do. Users’ negligence and lack of basic information security hygiene play into the hands of the bad guys. Because of that, modern malware doesn’t have to be really advanced: it only needs to be convincing enough to trick the user into launching it deliberately, and it gets the job done. Of course there is really complex malware out there in the form of APTs, but that is more a matter of governments competing with each other for power. They don’t care much about regular Joe and Jane or about stealing money from them. The cybercriminals do.

One of the most advanced malware examples is Dridex. It is believed to be an evolution of Cridex, which in turn is an advancement of the Zeus banking trojan. It has a long history, spanning almost 10 years of development. Here I’ll describe how to detect and clean the most modern version of it, which I dealt with during April and May 2016. A fair share of the information on Dridex comes from anti-virus vendors such as Symantec, and their typical advice is to use their anti-virus solution to clean this malware off computers. The problem is that those solutions don’t always work, so here I’m going to break the clean-up process down into basic steps that can be automated using the regular Windows bat/cmd shell or PowerShell.