Dealing With Dridex – Protecting End-Users From New Strains Of Malware

Last month, criminals used new strains of malware to steal £20 million from UK banking customers, highlighting the dangers of such viruses in a very high-profile way. The use of Dridex malware to infect customer machines, steal login credentials and subsequently steal significant sums from customer accounts shows how these incidents can directly impact end-users. As these types of attack become increasingly common, traditional defences need to be rethought, as concerns amplify over whether they can protect users sufficiently.

Evolving techniques

Of course, best practices should still be adhered to; users should always maintain strong passwords and avoid opening email attachments from unknown sources, but infection techniques are much more sophisticated in the current cybersecurity landscape. Hackers are using techniques such as drive-by infection (auto downloads from websites without the user authorisation) and watering hole attacks (compromising high use websites with malware), meaning that devices can get infected without the user necessarily facilitating the compromise.

As a malware strain, Dridex is fairly well known and, as such, is reasonably easy to detect. Other strains, such as Dyre and Tinba, are significantly more difficult to detect. In addition, with source code for many malware types being released to the hacking community, we are now seeing upsurges in strains that had previously been mitigated. These are modified versions of the original with potentially differing signatures that will defeat traditional signature based solutions.

Mitigating malware

How then have financial organisations sought to deal with these types of risks? Many have invested in sophisticated anti-fraud systems that track transactions and use complex analysis to identify potentially fraudulent activity. This is all well and good, but does not consider defence against compromise of the endpoint device. Many financial organisations have solutions for this too, but in general these require client software to be installed on the end user device. This presents a problem, as customer take-up of these components is usually low. Despite the banks not mandating that these software components must be used, there have been high profile cases where the customers have been penalised for neglecting to use them. This demonstrates that there is often a gap in the protection being provided.

It’s all about the app

How then can organisations best protect the customers against their own devices?  We have established that the end-point device is a challenge, but what about the data centre? Applications are not necessarily the right place to apply security controls, because typically application developers are not security specialists and conversely, security specialists tend not to be application specialists, thus causing a disconnect. However, the real challenge is that attacks from the malware will typically be at application level; these can take the form of automated transactions, piggy-backing sessions and much more, so the protection needs to be capable of detecting these attacks. Ideally then, the protection needs to be applied without needing to update the applications and without updating the client. For this aim to be realised, protection in flow is required, as the traffic traverses from the application to client and vice versa. If this can be achieved and changes to application traffic can be detected, reported and ultimately mitigated then the impact that malware brings to the customer can be reduced. In addition, malware tends to capture credentials from the browser – prior to it being encrypted for transport via Secure Socket Layer (SSL). These credentials are then sent to the hacker’s command and control centre for them to re-use. Therefore, a solution with an ability to encrypt the credentials before the malware can access them stands the best chance of alleviating the problem.

Whilst the threat landscape is relentlessly evolving, the recommendations remain relatively constant: apply as much security as possible. In the case of modern malware attacks, however, making security measures as easy to apply as possible, and not relying solely on the customer, hold the keys to improving the situation.

Paul Dignan is systems engineer at F5 Networks

Are you a security pro? Try our quiz!