Jason Stitt - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

How can the Dridex banking Trojan's new features be detected?

The Dridex banking Trojan has adopted new functionality to bypass virtual machines. Expert Nick Lewis discusses the enterprise controls to help detect and defend against the threat.

There have been reports about how the Dridex banking Trojan can be altered to bypass virtual machines. How is this possible, and are there any additional controls that should be put in place that can detect this kind of malware?

Attackers know security researchers use virtual machines to analyze potential malware because of the visibility these environments give them into the actions of the malware, and because they prevent the malware from attacking the production systems.

One of the newest standard checks adopted by malware authors is to see if the compromised host is a virtual environment. If it is indeed a virtual environment, the malware will stop running or change its behavior to prevent analysis. There are several different ways malware determines if the host is a virtual environment, such as checking if certain device drivers or virtual machine management tools are installed. The Dridex banking Trojan in particular uses an Excel macro function to detect if the malware is operating in a virtual environment.

Defending against the Dridex banking Trojan requires the same controls as traditional malware detection, like using antimalware tools, securing the endpoint, or using a network-based antimalware tool.

However, security researchers and incident responders should take virtual environment detection into account when analyzing potential malware. This particular malware used password-protected macros, tried to detect a virtual environment and used obfuscated code -- all things researchers could use to identify Dridex and other potential malware.

Ask the Expert:
Perplexed about enterprise security? Send Nick Lewis your questions today. (All questions are anonymous.)

Next Steps

Learn more about Trojans and other malware used to hijack banking accounts

This was last published in September 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Does your security team use virtual machines to analyze potential malware like Dridex?
Very timely article in light of the increased use of advanced malware to bypass both virtual machines and traditional hygiene scans. Some of the sophisticated cybersecurity teams are turning to bi-directional deep-content inspection to not only detect the active content used to trigger the malware but also redacting it out files (email attachment or web/cloud downloads).
Now we have to worry more about our VM's..The hackers are getting smarter faster than we can develop ways to stop them.