CRIDEX


 ALIASES:

Dapato

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Propagates via removable drives

CRIDEX is a banking worm that targets banks from around the world. Earlier versions are able to propagate via removable drives. However, newer versions no longer have this capability to spread by itself. Some of the newer versions are downloaded via blackhole exploit kits.

It monitors login pages and cookies, and steals credentials. CRIDEX may also download and execute other malware. It accesses numerous URLs to download files or update itself.

Some CRIDEX samples employ Domain Generation Algorithm (DGA), making the URLs it accesses change over time.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Compromises system security

Installation

This worm drops the following copies of itself into the affected system:

  • %User Profile%\Application Data\KB{random number}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
KB{random number}.exe = "%User Profile%\Application Data\KB{random number}.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random hex string 1}

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random hex string 2}

HKEY_CURRENT_USER\Software\Microsoft\
Windows Media Center\{random hex string 1}

HKEY_CURRENT_USER\Software\Microsoft\
Windows Media Center\{random hex string 2}

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.150.72:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.57.197:8080/mx5/B/in/
  • http://{BLOCKED}.{BLOCKED}.214.180:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.140.202:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.147.52:8080/mx5/B/in/
  • http://{BLOCKED}.{BLOCKED}.23.100:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.134.110:8080/mx5/B/in/
  • http://{BLOCKED}.{BLOCKED}.194.242:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.189.212:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.5.140:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.164.18:8080/mx5/B/in/
  • http://{BLOCKED}.{BLOCKED}.164.18:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.206.179:8080/mx5/B/in/
  • http://{BLOCKED}.{BLOCKED}.206.179:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.134.23:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.208.55:8080/mx5/B/in/
  • http://{BLOCKED}.{BLOCKED}.204.32:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.179.185:8080/za/v_01_a/in/
  • http://{BLOCKED}.{BLOCKED}.41.155:8080/mx5/B/in/
  • http://{BLOCKED}.{BLOCKED}.199.100:8080/mx5/B/in/
  • http://{BLOCKED}.{BLOCKED}.49.51:8080/za/v_01_a/in/
  • http://{pseudorandom}.ru:8080/rwx/B1_3n9/in