IBM Researcher Shrinks a Dridex Signature Gap
Our own Rick the Researcher was taking a look at a new sample of the long-lived financial malware family Dridex (V.3.161) on Monday, and saw that few traditional desktop products were capable of identifying it. A researcher from IBM (Limor Kessem, @icyberfighter) published a similar view here, on January 19th, noting that "the Dridex sample analyzed by IBM X-Force is only properly detected by four antivirus vendors out of 56, according to VirusTotal".
We all know there is a lag between a sample's first appearance and the creation and distribution of signatures for it, but this sample was already about two weeks old. That is not unheard of, but it is striking that a family as well known as Dridex was not getting more attention.
What surprises me more is the timing. The IBM article came out on January 19th, and today (January 22nd, as of 10:45 AM EST) the number of engines detecting the sample is up to 26, with most of the new ones arriving on the 20th. That is still less than half of the vendors in the VirusTotal community, but 20-plus new signatures appeared within 24 hours of the IBM article, once that piece and a series of follow-on articles started bringing light (and heat) to the discussion. This burst of signatures is an anomaly. Plenty of other recent Dridex variants are not mentioned in the IBM X-Force article, and they remain largely undetected as we enter the third week after their arrival on the scene. Only this sample, with the pointers from IBM, is seeing positive movement.
In the unending tide of new samples, it looks as though the only reason these signatures got built is that someone published a report on the lack of coverage for this particular sample. With roughly a million samples a day submitted to @VirusTotal for review, that is not a workable model.
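The detection counts quoted above were read off VirusTotal by hand on a few separate days. The script below is added here as an example; it is not part of the original post and not any vendor's tooling. It turns a series of snapshots of a VirusTotal v3 file report (the `last_analysis_results` mapping, one snapshot per rescan) into the figures a practitioner wants when tracking a signature gap: the x/y ratio at each point in time, the day each engine first flagged the sample, the median lag from first submission, and the engines that never caught it. The engine names, dates, verdicts and the `FIRST_SUBMISSION` constant are constructed for illustration, and the function names are this example's own; the only VirusTotal specifics assumed are the report field and its category vocabulary.

```python
"""Measure how quickly AV engines on VirusTotal picked up a sample.

Added example, not code from the original post. It works offline over a
series of snapshots of a VirusTotal v3 file report, i.e. the
``data.attributes.last_analysis_results`` mapping, one snapshot per rescan.
All engine names, dates and verdicts below are constructed for
illustration; they are not real scan results.
"""
from datetime import datetime, timezone
from statistics import median

# Engines that actually produced a verdict. VirusTotal's headline "x / y"
# leaves out engines reporting type-unsupported, timeout or failure.
SCANNED = {"malicious", "suspicious", "undetected"}


def _ts(day):
    """Parse an ISO date string into an aware UTC datetime."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


def _snapshot(day, malicious, undetected, unsupported=("EngineH",)):
    """Build one (analysis time, {engine: category}) snapshot. Constructed data."""
    results = {e: "malicious" for e in malicious}
    results.update({e: "undetected" for e in undetected})
    results.update({e: "type-unsupported" for e in unsupported})
    return _ts(day), results


# Constructed: when the sample first hit VirusTotal (hypothetical date).
FIRST_SUBMISSION = _ts("2016-01-05")

# Eight constructed engines that scan PE files; EngineH never returns a verdict.
ENGINES = ["EngineA", "EngineB", "EngineC", "EngineD",
           "EngineE", "EngineF", "EngineG", "EngineI"]

# Constructed rescans: coverage creeps up from 2/8 to 7/8 over 17 days.
SNAPSHOTS = [
    _snapshot("2016-01-05", ENGINES[:2], ENGINES[2:]),
    _snapshot("2016-01-19", ENGINES[:4], ENGINES[4:]),
    _snapshot("2016-01-20", ENGINES[:6], ENGINES[6:]),
    _snapshot("2016-01-22", ENGINES[:7], ENGINES[7:]),
]


def detection_ratio(results):
    """Return (detected, scanned), the "x / y" figure VirusTotal displays."""
    scanned = [c for c in results.values() if c in SCANNED]
    detected = sum(1 for c in scanned if c == "malicious")
    return detected, len(scanned)


def coverage_timeline(snapshots):
    """List of (analysis time, detected, scanned), oldest first."""
    return [(when, *detection_ratio(results))
            for when, results in sorted(snapshots, key=lambda s: s[0])]


def first_detection_dates(snapshots):
    """Map each engine to the first analysis time at which it flagged the sample."""
    first = {}
    for when, results in sorted(snapshots, key=lambda s: s[0]):
        for engine, category in results.items():
            if category == "malicious" and engine not in first:
                first[engine] = when
    return first


def lag_days(snapshots, first_submission):
    """Per-engine lag in whole days from first submission to first detection."""
    return {e: (d - first_submission).days
            for e, d in first_detection_dates(snapshots).items()}


def median_lag_days(snapshots, first_submission):
    """Median of the per-engine lags, or None if no engine ever detected it."""
    lags = lag_days(snapshots, first_submission)
    return median(lags.values()) if lags else None


def days_to_coverage(snapshots, first_submission, fraction):
    """Days until detected/scanned first reached `fraction`, or None if never."""
    for when, detected, scanned in coverage_timeline(snapshots):
        if scanned and detected / scanned >= fraction:
            return (when - first_submission).days
    return None


def never_detected(snapshots):
    """Engines that scanned the sample but never flagged it in any snapshot."""
    seen = set()
    for _, results in snapshots:
        seen.update(e for e, c in results.items() if c in SCANNED)
    return sorted(seen - set(first_detection_dates(snapshots)))


if __name__ == "__main__":
    for when, detected, scanned in coverage_timeline(SNAPSHOTS):
        print(f"{when:%Y-%m-%d}: {detected}/{scanned}")
    print("median lag (days):", median_lag_days(SNAPSHOTS, FIRST_SUBMISSION))
    print("days to 50% coverage:", days_to_coverage(SNAPSHOTS, FIRST_SUBMISSION, 0.5))
    print("never detected:", never_detected(SNAPSHOTS))
```

To use it on a real sample, save the JSON of each rescan, pull `data.attributes.last_analysis_results` and the analysis timestamp from each, and feed those pairs in as the snapshots; the denominator deliberately excludes engines that did not return a verdict, which is why the ratio here is out of 8 rather than 9.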
Even good companies struggle to keep their AV products current, and their users are inconsistent about applying updates. This case shows how hard it is to get attention on any one of the thousands of new samples arriving daily, even when a well-known and damaging family is involved. The latency problem is getting worse: the major AV vendors cover the millions of attacks that have been around for a while, but newer, more active and more dangerous attacks enjoy an ever longer window under the radar in which to do their damage.
On the upside, our researchers find that the core malicious behavior of Dridex has not changed between versions. That makes the whole family as obvious and detectable to our behavior-based analytics as it was in previous versions, without waiting for a per-sample signature.
[If you are interested in learning more about this new version of the Dridex attack, some of our researchers did a SlackChat on it, and you can take a look here: New Dridex Exposes Security Gaps]
Feature Image Credit: Elliott Brown