CRIDEX
Dapato
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Propagates via removable drives
CRIDEX is a banking worm that targets banks around the world. Earlier versions can propagate via removable drives, but newer versions can no longer spread by themselves. Some of the newer versions are downloaded via Blackhole exploit kits.
It monitors login pages and cookies, and steals credentials. CRIDEX may also download and execute other malware. It accesses numerous URLs to download files or update itself.
Some CRIDEX samples employ a Domain Generation Algorithm (DGA), so the URLs they access change over time.
TECHNICAL DETAILS
Yes
Connects to URLs/IPs, Compromises system security
Installation
This worm drops the following copies of itself into the affected system:
- %User Profile%\Application Data\KB{random number}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
KB{random number}.exe = "%User Profile%\Application Data\KB{random number}.exe"
Other System Modifications
This worm adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\{random hex string 1}
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\{random hex string 2}
HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\{random hex string 1}
HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\{random hex string 2}
It adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"
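A defender-side check for the registry indicators listed under Autostart Technique and Other System Modifications, as an added example that is not part of the original write-up: it parses saved `reg query` output and flags a Run value named KB{number}.exe that points into Application Data, plus hex-named subkeys under Windows NT and Windows Media Center. The sample text, the AppData\Roaming path variant and the requirement that the value name and file name match are assumptions.

```python
import re

# One value line of `reg query` output: 4-space indent, name, type, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Run value named KB{random number}.exe, as listed under Autostart Technique.
NAME_RE = re.compile(r"KB\d+\.exe", re.I)
# Data ends in \Application Data\KB{n}.exe. AppData\Roaming is an assumption:
# it is where the Application Data junction points on Windows Vista and 7.
PATH_RE = re.compile(r'\\(?:Application Data|AppData\\Roaming)\\(KB\d+\.exe)"?$', re.I)
# Subkey named only with hex digits under Windows NT or Windows Media Center.
HEXKEY_RE = re.compile(
    r"HKEY_CURRENT_USER\\Software\\Microsoft\\"
    r"(?:Windows NT|Windows Media Center)\\([0-9A-F]+)", re.I)
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"

def scan(reg_text):
    """Return (indicator, key, detail) tuples found in `reg query` text."""
    findings, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            m = HEXKEY_RE.fullmatch(key)
            if m:
                findings.append(("hex-subkey", key, m.group(1)))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_SUFFIX):
            continue
        name, data = m.group("name"), m.group("data").strip()
        p = PATH_RE.search(data)
        # Assumption: the value name and the dropped file share one number.
        if NAME_RE.fullmatch(name) and p and p.group(1).lower() == name.lower():
            findings.append(("run-autostart", key, data))
    return findings

# Constructed sample, not taken from an infected host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    KB00731592.exe    REG_SZ    "C:\Documents and Settings\alice\Application Data\KB00731592.exe"
    KB976902.exe    REG_SZ    C:\Windows\Temp\setup.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\C7A61F2B
HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\5E90D3A4
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit on either indicator is a lead for triage rather than a verdict; confirm by checking whether the referenced file exists and what it is.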
Other Details
This worm connects to the following possibly malicious URL:
- http://{pseudorandom}.ru:8080/rwx/B1_3n9/in