6 February 2016
Some variants of the W2KM_DRIDEX.BM trojan behave really strangely if User Account Control (UAC) is set to the highest level, ‘Always notify me’. In this case the malware attempts several times to elevate its own privileges. For a detailed description of the malware see the post ‘Analysis of an Undetected Dridex Sample’ in the REAQTA blog.
Although this behavior is really annoying, everything went well so far. UAC did exactly what it was designed for: notify the user that something requests higher privileges. Without approval by the user, UAC blocks further execution, thus preventing Dridex from becoming persistent.
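The UAC level that stopped Dridex here is controlled by three registry values. As an added example (not code from the original post or from the REAQTA analysis), this PowerShell snippet reads them and reports whether a host is actually at ‘Always notify me’; the function name and the mapping of registry values to slider labels are this editor's own, based on the documented meaning of ConsentPromptBehaviorAdmin, PromptOnSecureDesktop and EnableLUA.

```powershell
# Added example: audit the UAC slider position on a Windows host.
# Policy values live under the standard UAC policy key.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    # Read the three values that together define the UAC slider position.
    $p = Get-ItemProperty -Path $UacKey -Name EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop

    # Map the documented value combinations back to the slider labels.
    # (Editor's mapping; the registry values are the documented ones.)
    $label = if ($p.EnableLUA -eq 0) {
        'Never notify (UAC disabled)'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1) {
        'Always notify me'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 5 -and $p.PromptOnSecureDesktop -eq 1) {
        'Notify me only when apps try to make changes (default)'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 5 -and $p.PromptOnSecureDesktop -eq 0) {
        'Notify me only when apps try to make changes (do not dim desktop)'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 0) {
        'Never notify (elevate silently)'
    } else {
        'Custom / non-slider combination'
    }

    # Return an object so the result can be collected from many hosts and filtered.
    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Level                      = $label
        IsAlwaysNotify             = ($label -eq 'Always notify me')
    }
}

# Usage: list the current level and flag hosts that would not have blocked
# the behaviour described above without a prompt on the secure desktop.
$state = Get-UacLevel
$state | Format-List
if (-not $state.IsAlwaysNotify) {
    Write-Warning "UAC is not at 'Always notify me' on $($state.ComputerName): $($state.Level)"
}
```

Run it in an elevated session if you also intend to change the values; reading them works for a standard user.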
What next? In the best case, if the user cannot elevate the program, he calls the help desk. But is the help desk staff ready for this? What is the proper response to this challenge?
The proper response is to quarantine the computer and disinfect the system, or to tell the user to keep calm, create an incident ticket and send it to the SOC.
The worst possible response would be to approve the request by entering the credentials of a privileged account. In this case Dridex starts over, becomes persistent, and the attacker can start his malicious work.
IT security is created by a combination of people, processes and technology. Even if processes and technology complement each other perfectly, people may become the critical factor. In particular, if help desk staff turnover is high, awareness training and knowledge management become a major issue.
Have a good weekend.