Dridex Learns New Trick: P2P over HTTP
After several months we finally got an answer for the question asked by our friend Roman on this post regarding the infamous Cridex/Feodo/Geodo/Dridex saga. Back then we witnessed the birth of a new Feodo variant baptized as Dridex and just few days ago S21sec’s Ecrime department detected a new Dridex variant which incorporated noticeable changes.
The sample was detected by our Dridex botnet tracking system when it failed to automatically analyze the last binary update pushed by the C&C. We were surprised to find out that its version number was 2.0.17 (131089) a big leap forward, compared with those found on previous samples which we have seen growing steadily from 1.0.135 (65671) to 1.0.158 (65694).
Besides the ciphering of the config (which previously has always been in plain text), the change that immediately caught our attention was the presence of a new tag within the XML exchanged during trojan’s communication with the C&C.
In the following picture we can see the reference to the new tag within sample’s code:
Another important and noticeable change is that this new variant runs a built-in HTTP server which listens at port 80.
As you can see in the following Wireshark screenshot, peers use basic auth to connect with each other:
The bot notifies other peers of its existence by sending the following message:
Over the last three days, all the requests issued to this botnet resulted in an empty response, so we presume that since then it relays fully on P2P for botnet management and update.
We would like to remark that the P2P traffic is done over HTTP. We can only guess why trojan developers decided to do so, but on the basis that it is for sure neither for performance nor for efficiency, we presume that the desired goal is to make it as stealthy as possible and at the same time rise the probability of peers being able to connect with each other by using the default HTTP port.
As long as we can see, updated configuration files target more than 120 entities from more than 20 countries, including many from Southeast Asia, and targeting several sectors besides banking one such as: Online Digital Media, Online Hosting and Online Advertising.
As you can see, trojan developers keep improving their code and adding new features to hinder botnet tracking and shutdown. This time is has been Dridex, although we are noticing changes in other malware families which we hope to disclose in future posts.