The Dridex botnet has hardened the encryption on its settings files, a move designed to complicate information extraction and automatic blacklisting efforts.
“Normally they use an XML text format where you can see the web injects, redirects and targeted bank names, but now it just shows a block of encrypted data,” said Moritz Kroll, botnet specialist at Avira.
A settings file lists the targeted institutions and the attack strategies that the botnet command & control center sends to the zombie computers in its network.
By encrypting these settings, botnet operators hope to increase their success rates. “A lot of people in the security community have tools to get these settings,” explained Kroll. “By tapping this information, some security companies and banks have been able to create focused blacklists and modify pages to reduce their vulnerability to these web injects.”
However, Kroll discovered that the new encryption can be broken without too much hassle. “I dug through the decryption routines and found out a few things,” he said. “It goes through the crypto block up to 20 times, always cutting off a 32-bit xor key from the start, decrypting the rest, and checking an RSA signature, until it succeeds in finding a match.”
Visually, the newly decoded settings just don’t look as nice as before, but the needed data is still there. “What you see now is the settings file as a serialized binary data block with same encrypted strings – and you can see that HSBC is still a target,” Kroll added.
The discovery came as a result of Kroll receiving a hint from a friend at a French security firm.
The change to encrypted settings files comes after a roughly two-week period of apparent inactivity from the creators of Dridex. The relative quiet had some people in the security community joking on Twitter that the creators had taken a break to attend the RSA conference in San Francisco – and that it was now time for them to get back to work.
More Dridex news: Here comes the Dridex settings decoder
A decoder/decrypter is now available for the newly encrypted Dridex settings files.
“The script turns the unreadable binary blob into a readable XML file which resembles the original format,” said Moritz Kroll. “This should be helpful for very technical security analysts who are already monitoring Dridex activity, have access to the settings files – and now need to decrypt them.”
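The following Python program is an added illustration of the two steps described above, the layered decryption loop Kroll outlines and the rendering of the serialized result as readable XML; it is not Avira's dridex_helpers script and not code from Dridex itself. It models a container in which each pass strips a 4-byte key from the front of the block, decrypts the remainder and checks a signature, stopping at the first pass that verifies and giving up after 20 attempts. The repeating-XOR cipher, the HMAC tag standing in for the RSA signature check, the length-prefixed target list, and every sample value are constructed assumptions, not the real file format:

```python
"""Layered settings-blob decoder (constructed model, not Dridex or Avira code).

Container assumed here:
    outermost layer = 4-byte key || XOR(inner layer, key)
    innermost layer = serialized settings || 32-byte tag over the settings
The decoder peels at most MAX_LAYERS layers and stops at the first one
whose tag verifies, which mirrors the "up to 20 tries" loop in the text.
"""
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

MAX_LAYERS = 20   # number of attempts the described routine makes
KEY_LEN = 4       # "32-bit xor key" cut from the start of each layer
TAG_LEN = 32      # SHA-256 tag length (stand-in for an RSA signature)


def _xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; self-inverse, so it serves for both directions (assumption)."""
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(data))


def _tag(payload: bytes, verify_key: bytes) -> bytes:
    """Stand-in for the RSA signature check. A real verifier would hold only a public key."""
    return hmac.new(verify_key, payload, hashlib.sha256).digest()


def serialize_targets(targets: list) -> bytes:
    """Constructed binary format: u16 count, then u16 length + UTF-8 name per target."""
    out = struct.pack("<H", len(targets))
    for name in targets:
        enc = name.encode("utf-8")
        out += struct.pack("<H", len(enc)) + enc
    return out


def deserialize_targets(payload: bytes) -> list:
    """Inverse of serialize_targets; rejects trailing bytes so corruption is noticed."""
    (count,) = struct.unpack_from("<H", payload, 0)
    pos, targets = 2, []
    for _ in range(count):
        (n,) = struct.unpack_from("<H", payload, pos)
        pos += 2
        targets.append(payload[pos:pos + n].decode("utf-8"))
        pos += n
    if pos != len(payload):
        raise ValueError("trailing bytes after target list")
    return targets


def wrap_layers(payload: bytes, keys: list, verify_key: bytes) -> bytes:
    """Build a sample blob: tag the settings, then apply keys innermost-first."""
    blob = payload + _tag(payload, verify_key)
    for key in keys:
        blob = key + _xor_stream(blob, key)
    return blob


def unwrap_layers(blob: bytes, verify_key: bytes, max_layers: int = MAX_LAYERS):
    """Peel layers until the tag verifies; returns (layers_peeled, settings_bytes)."""
    for layer in range(1, max_layers + 1):
        if len(blob) < KEY_LEN + TAG_LEN:
            break                                   # too short to hold key + tag
        key, rest = blob[:KEY_LEN], blob[KEY_LEN:]  # cut the 4-byte key off the front
        blob = _xor_stream(rest, key)               # decrypt the remainder
        payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        if hmac.compare_digest(_tag(payload, verify_key), tag):
            return layer, payload                   # signature check succeeded
    raise ValueError("no layer verified within %d attempts" % max_layers)


def to_xml(targets: list) -> str:
    """Render the target list as XML resembling the older text-format settings."""
    root = ET.Element("settings")
    for name in targets:
        ET.SubElement(root, "target").text = name
    return ET.tostring(root, encoding="unicode")


def decode_blob(blob: bytes, verify_key: bytes):
    """Full pipeline: peel layers, parse the serialized settings, emit XML."""
    layers, payload = unwrap_layers(blob, verify_key)
    return layers, to_xml(deserialize_targets(payload))


# Constructed sample input: three layers around a two-entry target list.
SAMPLE_VERIFY_KEY = b"example-verification-key"
SAMPLE_KEYS = [b"\x11\x22\x33\x44", b"\xde\xad\xbe\xef", b"\x01\x02\x03\x04"]
SAMPLE_TARGETS = ["HSBC", "examplebank.test"]
SAMPLE_BLOB = wrap_layers(serialize_targets(SAMPLE_TARGETS), SAMPLE_KEYS, SAMPLE_VERIFY_KEY)

if __name__ == "__main__":
    layers, xml = decode_blob(SAMPLE_BLOB, SAMPLE_VERIFY_KEY)
    print("layers peeled:", layers)
    print(xml)
```

The point of checking the signature after every pass rather than assuming a fixed number of layers is that the decoder keeps working if the number of wrapping layers changes between samples; the attempt cap keeps a corrupted or unrelated blob from being peeled indefinitely.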
Dridex started encrypting its settings files around the release of version 3.188. The code is available on GitHub as dridex_helpers.
The goal is to make the information contained in the Dridex settings files available again to the security community as quickly as possible. The sooner the settings files can be decoded, the faster researchers can fine-tune their defensive and offensive efforts against Dridex.