Best practices for preventing Dridex infections

Mitigating the Dridex threat at multiple levels like file, registry, url and ip address can be achieved at various layers of McAfee security products. Browse the product guidelines available here (click Knowledge Center, and select Product Documentation from the Support Content list) to mitigate the threats based on the behavior described below in the Characteristics and symptoms section.

We build several documentations regarding DRIDEX and variants :

  1. https://kc.mcafee.com/corporate/index?page=content&id=PD25689 – W97M/Downloader
  2. https://kc.mcafee.com/corporate/index?page=content&id=PD25982 – Dridex

Basic rules on handling emails:

Email from unknown senders should be treated with caution. If an email looks strange, do the following: ignore it, delete it, and never open attachments or click on URLs.

Opening file attachments, especially from unknown senders, harbors risks. Attachments should first be scanned with an antivirus program and, if necessary, deleted without being opened.

Never click links in emails without checking the URL. Many email programs permit the actual target of the link to be seen by hovering the mouse over the visible link without actually clicking on it (called the mouse-over function).

Configuring Access Protection in VirusScan Enterprise

 Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise:

How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console

How to use wildcards when creating exclusions in VirusScan Enterprise 8.x

Dridex usually copies itself into the Administrator’s Application Data folder using edge or edg with the random numeric numbers at the end, like the following examples:

On Win XP:

 C:Documents and SettingsAdministratorApplication DataLocal Settingsedge or edg[random.hex].exe

 WIN7:

C:UsersAdministratorAppdatalocaledge or edg[random.hex].exe

Users can configure and test Access Protection Rules to restrict the creation of new files and folders when there are no other legitimate uses.

Select New files being created and add the following file location in File or folder name to block:

  • [OS installed drive]Documents and Settings[administrator]Application DataLocal Settingsedge or edg[random.hex].exe

[random. hex] can be replaced with a ‘*’ thus for example you can either input edge*.tmp or edge123.tmp.

Example Access Protection Rules

Windows 7:

 Premier

 Windows XP:

Second

For the dropped DLL:

WINDOWS XP

Troisieme

Windows 7

222

Configuring Host Intrusion Prevention

  • To blacklist applications using a Host Intrusion Prevention (Host IPS) custom signature refer to KB71329.
  • To create an application blocking rules policies to prevent the binary from running refer to KB71794.
  • To create an application blocking rules policies that prevents a specific executable from hooking any other executable refer to KB71794.
  • To block attacks from a specific IP address through McAfee Nitrosecurity IPS refer to KB74650.

*** Disclaimer: Usage of *.* in access protection rules will prevent all types of files from running and being accessed from that specific location. If specifying a process path under “Processes to Include”, the use of wildcards for Folder Names may lead to unexpected behavior. Users are requested to make this rule as specific as possible.

Nouvelles technologies:

You need to know that McAfeeThreat Intelligence Exchange in cooperation with à Advanced Threat Defense can give you a very efficient protection level against DRIDEX variants. In addition through these technologies you might used IOC or IOA to find other infections sources or patient zero in your network:

https://www.youtube.com/watch?v=Wxvizasvj8k&feature=player_embedded

With TIE the rule:  Malware Dropped by Infected Microsoft Office Documents gives you a way to proactively scan and detect DRIDEX behaviors :  : https://community.mcafee.com/docs/DOC-6908

In addition McAfee Application Control gives you a full protection against DRIDEX.

Conclusion:

Even if DRIDEX infections technics are not new, this is always tricky to block all variants by only using signatures based approach.

GTI activation and samples submissions are still very efficient in order to increase the global detection level.  However the Best Approach is to build a security Connected platform and connect technologies such as TIE , ATD to work on behaviors and code analysis https://community.mcafee.com/docs/DOC-6462

This approach gives you also the ability to share the intelligence between the different component in your network and by this way to increase your global security posture.

Thanks to my colleagues, Emmanuel Flores, Vinoo Thomas and John Health.

The post Best practices for preventing Dridex infections appeared first on McAfee.