Following the multiple waves of spam sent over the previous weeks to distribute the banking malware Dridex, LEXSI, through its CERT team, has developed several tools capable of checking whether a system is compromised and of cleaning it.

UPDATE 25/10/2015

Version 3 of the detection and cleaning tool is available here.

UPDATE 18/06/2015

Lexsi has just updated its detection tool so that it reports not only the compromise state of a system, but also the local Dridex configuration for that system (cf. https://www.lexsi.com/securityhub/how-dridex-stores-its-configuration-in-registry). The Dridex P2P node IPs can then be extracted and added to your blacklist.

screenshot

You can download the Windows binary here. The archive is password-protected: « DridexDetectorByL3x$1 ».

Detection

You can download this Windows binary here. The archive is password-protected: « DridexDetectorByL3x$1 ».

Automatically identifying Dridex on a computer can be difficult, so this tool is provided as is and with no guarantee.

Two triggers are used to detect the existence of the malware:

  • The registry key: HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\wwnotify. This key is visible only if the computer has been restarted in Safe Mode
  • A registry key that includes Dridex configuration and that can be read without being in Safe Mode: HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\<randomGUID>\ShellFolder\<random 16 hexadecimal digits>
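As an added example (not Lexsi's tool or its source), the following PowerShell script checks both triggers under every loaded HKEY_USERS hive and mirrors the tool's 0/2 exit-code convention; the log file name DridexCheck.log and the exact GUID/hex-digit patterns are assumptions.

```powershell
# Added example, not the DridexDetector binary. Enumerates the two Dridex registry
# triggers under every loaded user hive. Run as Administrator so all HKU hives are readable.
$Detected = $false

# Trigger 1: the Run value "wwnotify". Only present after a Safe Mode boot, because
# Dridex writes it just before shutdown.
foreach ($Hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $RunKey = "Registry::$($Hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $Value = Get-ItemProperty -Path $RunKey -Name 'wwnotify' -ErrorAction SilentlyContinue
    if ($Value) {
        Write-Output "[!] Persistence value found: $RunKey\wwnotify = $($Value.wwnotify)"
        $Detected = $true
    }
}

# Trigger 2: Explorer\CLSID\<GUID>\ShellFolder\<16 hex digits> (readable in normal mode).
# Patterns are assumptions; a legitimate ShellFolder key carries named values such as
# "Attributes", not a bare 16-hex-digit name, but review any hit before deleting it.
$GuidName = '^\{[0-9A-Fa-f-]{36}\}$'
$HexName  = '^[0-9A-Fa-f]{16}$'
foreach ($Hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $ClsidRoot = "Registry::$($Hive.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID"
    if (-not (Test-Path $ClsidRoot)) { continue }
    foreach ($Clsid in Get-ChildItem $ClsidRoot -ErrorAction SilentlyContinue) {
        if ($Clsid.PSChildName -notmatch $GuidName) { continue }
        $ShellFolder = "Registry::$($Clsid.Name)\ShellFolder"
        if (-not (Test-Path $ShellFolder)) { continue }
        # The page calls it a key; check both value names and subkey names.
        $Names = @((Get-Item $ShellFolder).GetValueNames()) +
                 @(Get-ChildItem $ShellFolder -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
        foreach ($Name in ($Names | Where-Object { $_ -match $HexName })) {
            Write-Output "[!] Configuration blob found: $ShellFolder\$Name"
            $Detected = $true
        }
    }
}

# Summary log in the current folder (overwritten on each run), then exit 0 or 2.
$Summary = if ($Detected) { 'Dridex detected' } else { 'Dridex not detected' }
"$(Get-Date -Format s) $Summary" | Set-Content -Path (Join-Path (Get-Location) 'DridexCheck.log')
Write-Output $Summary
if ($Detected) { exit 2 } else { exit 0 }
```

The script only reports; deleting the wwnotify value and its .TMP file remains the manual step described below.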

To use this tool, follow these steps:

  1. Save the executable locally (on your Desktop, for example)
  2. Double-click it to launch it on the computer, with Admin rights whenever possible. Check whether the key, and therefore the configuration, is found

Dridex Lexsi 1

  3. If it is, restart the computer in Safe Mode
  4. After booting into Safe Mode, run the detection tool a second time. The Dridex key used to maintain persistence on the machine (/wwnotify) should now be detected. Delete this registry key. You may also delete the .TMP file associated with this key (the tool reports its path)

Dridex Lexsi 2

Beware, do NOT delete the rundll32.exe program, as it’s a vital process for Windows!

  5. Restart the computer again; it is now clean.

Dridex Lexsi 3


If needed, you can use this tool from within a script. In that case, add the « /q » parameter to the tool's command line and it will run in non-interactive mode (no prompt asking the user to delete the keys, no pause at the end of the process). The tool returns an exit code:

  • 0: Dridex not detected on the PC
  • 2: Dridex has been detected

Please note that a log file is created in the current folder: « DridexDetector.log ». It contains a summary of the detection, and is overwritten on every run of the tool.

Cleaning

CERT-Lexsi offers you two methods to disinfect computers infected by this campaign.

Note that the persistence mechanism used by the Dridex malware is somewhat unusual: it adds the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wwnotify” registry key only just before shutdown, which is why the key is only visible after a Safe Mode boot.

First method (manual): safe mode

  • run msconfig, open the “Boot” tab, tick “Safe boot” and select “Minimal”
  • reboot the computer
  • delete the malicious key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wwnotify” as well as the .tmp file pointed to by the key
  • run msconfig again and restore the normal boot setting
  • reboot the computer

Second method (automatic):

  • deny the current user write access to the HKCR Run key
  • run the PowerShell script (available here) on all affected computers
  • reboot the computers
  • [optional] to restore write permissions, run the script again with “Deny” replaced by “Allow”

If you have been impacted by this campaign and want further information or help, please contact our Incident Response Team for a timely intervention.