Trojans

After several months we finally have an answer to the question asked by our friend Roman on this post regarding the infamous Cridex/Feodo/Geodo/Dridex saga. Back then we witnessed the birth of a new Feodo variant baptized as Dridex, and just a few days ago S21sec's Ecrime department detected a new Dridex variant which incorporates noticeable changes.
The sample was detected by our Dridex botnet tracking system when it failed to automatically analyze the last binary update pushed by the C&C. We were surprised to find out that its version number was 2.0.17 (131089), a big leap forward compared with those found on previous samples, which we had seen growing steadily from 1.0.135 (65671) to 1.0.158 (65694).
Besides the encryption of the config (which previously had always been in plain text), the change that immediately caught our attention was the presence of a new tag within the XML exchanged during the trojan's communication with the C&C.

In the following picture we can see the reference to the new tag within the sample's code:
Another important and noticeable change is that this new variant runs a built-in HTTP server which listens on port 80.

As you can see in the following Wireshark screenshot, peers use HTTP Basic authentication to connect with each other:

The bot notifies other peers of its existence by sending the following message:
Over the last three days, all the requests issued to this botnet resulted in an empty response, so we presume that since then it relies fully on P2P for botnet management and updates.
We would like to point out that the P2P traffic is carried over HTTP. We can only guess why the trojan developers decided to do so, but since it is certainly neither for performance nor for efficiency, we presume that the goal is to make it as stealthy as possible and at the same time raise the probability of peers being able to connect with each other by using the default HTTP port.
As far as we can see, the updated configuration files target more than 120 entities from more than 20 countries, including many from Southeast Asia, and several sectors besides banking, such as Online Digital Media, Online Hosting and Online Advertising.
As you can see, trojan developers keep improving their code and adding new features to hinder botnet tracking and shutdown. This time it has been Dridex, although we are noticing changes in other malware families which we hope to disclose in future posts.
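The traffic pattern described above (workstations that suddenly accept HTTP on port 80 and authenticate each other with Basic auth) is exactly what blends into normal web traffic, but it also leaves a tell in flow logs: internal hosts that are not web servers start serving on :80, and the same hosts both serve and connect to one another. The script below is an added example written for this post, not S21sec's tracking code; the log format, the allowlist of legitimate web servers, the 10.0.0.0/8 internal range and every sample flow line are constructed for the example.

```python
"""Added example (not from the S21sec post): flag the P2P-over-HTTP mesh
pattern in constructed flow logs. A Dridex peer, as described in the post,
runs an HTTP server on port 80 and peers authenticate with HTTP Basic auth.

Constructed assumptions (not taken from the post):
  * one TCP flow per log line:
      <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <method> <auth_scheme|->
  * KNOWN_WEB_SERVERS lists internal hosts that are expected to serve HTTP
  * INTERNAL_NET is the address range of the monitored workstations
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<method>[A-Z]+) (?P<auth>\S+)$"
)

# Constructed allowlist: the only internal host that should serve HTTP.
KNOWN_WEB_SERVERS = {"10.0.0.5"}
# Constructed internal range; checked explicitly rather than via is_private,
# which in Python also covers documentation ranges such as 203.0.113.0/24.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample log: 10.0.1.23 and 10.0.1.57 serve on :80 and talk to
# each other with Basic auth; 10.0.1.88 only connects; the rest is benign.
SAMPLE_LOG = """\
2014-11-20T10:01:02Z 10.0.1.23:49211 -> 10.0.0.5:80 GET -
2014-11-20T10:01:07Z 10.0.1.23:49215 -> 10.0.1.57:80 POST Basic
2014-11-20T10:01:09Z 10.0.1.57:50110 -> 10.0.1.23:80 POST Basic
2014-11-20T10:02:11Z 10.0.1.88:51002 -> 10.0.1.23:80 POST Basic
2014-11-20T10:03:40Z 10.0.1.23:49300 -> 203.0.113.9:80 GET -
2014-11-20T10:04:01Z 10.0.1.99:49400 -> 10.0.0.5:80 GET Basic
"""


def parse_flow(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_peer_servers(log_text, known_servers=KNOWN_WEB_SERVERS):
    """Map each internal, non-allowlisted host that accepts HTTP Basic auth
    on port 80 to the set of source addresses that connected to it."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dport"] != 80:
            continue
        dst = flow["dst"]
        if not is_internal(dst) or dst in known_servers:
            continue
        if flow["auth"] == "Basic":
            suspects[dst].add(flow["src"])
    return dict(suspects)


def p2p_mesh(suspects):
    """Hosts that both serve on :80 and connect to another suspect: the
    bidirectional pattern that distinguishes a peer mesh from a single rogue
    web server."""
    serving = set(suspects)
    connecting = {peer for peers in suspects.values() for peer in peers}
    return sorted(serving & connecting)


if __name__ == "__main__":
    found = find_peer_servers(SAMPLE_LOG)
    for host, peers in sorted(found.items()):
        print(f"{host} serves HTTP/Basic on :80 to {sorted(peers)}")
    print("mesh members:", p2p_mesh(found))
```

In a real deployment the allowlist would come from asset inventory and the flows from a firewall or NetFlow export; the point is that the default port hides nothing once you ask which internal hosts are acting as servers rather than which ports are in use.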

S21sec Ecrime

Dridex Learns New Trick: P2P over HTTP