Thursday, 8 January 2015

Word/Excel macro malware: Dridex bot

The current wave of Word/Excel document-based malware is usually a downloader: its job is to fetch the Dridex banking trojan onto your system.

I can't take credit for this, but an anonymous poster kindly put the current Dridex bot settings up on pastebin.

I've chopped out a lot of the code, but here is the current list of URL patterns the Dridex bot matches against browser traffic. Most are bank login pages, but it also covers 3-D Secure card authentication pages, a few webmail logins (Google, AOL, Live, Yahoo) and the analytics and ad-serving domains that bank pages pull in:

(|\.)alstats\.com
.*\.2o7\.net
.*\.adnxs\.com
.*\.atdmt\.com
.*\.creativevirtual\.com
.*\.doubleclick\.net
.*\.intenthq\.com
.*\.jwpcdn\.com
.*\.levexis\.com
.*\.maxymiser\.net
.*\.mediaplex\.com
.*\.member-hsbc-group\.com
.*\.mookie1\.com
.*\.na1\.netsuite\.com
.*\.omtrdc\.net
.*\.parastorage\.com
.*\.servicetick\.com
.*\.serving-sys\.com
.*\.sessioncam\.com
.*\.smartsourceportal\.com
.*\.tiqcdn\.com
.*\.tribalfusion\.com
.*\.userreplay\.net
.*\.webtrendslive\.com
^https?://accounts.google.com/ServiceLoginAuth
^https?://aol.com/.*/login/
^https?://login.live.com/
^https?://login.yahoo.com/
advanced\-web\-analytics\.com
assets\.adobedtm\.com
b8k\.nationwide\.co\.uk
cdn\.bankofscotland\.co\.uk
cdn\.retail\.metrobankonline\.co\.uk
cdn\.riyadonline\.com
check\.bankofscotland\.co\.uk
check\.lloydsbank\.co\.uk
check\.tsb\.co\.uk
check2\.bankofscotland\.co\.uk
check2\.lloydsbank\.co\.uk
cs\.directnet\.com/dn/csd/u4F
cws\.bankline\.natwest\.com
cws\.bankline\.rbs\.com
grey\.smile\.co\.uk
http://business.aib.ie/(business|)login
http://www\.co\-operativebank\.co\.uk/business/businessonlinebanking/bobs\-noticeboard
http://www\.co\-operativebank\.co\.uk/corporate/fdo\-noticeboard
http://www\d*\.secure\.hsbcnet\.com/uims/content/public/hibm/logon/logon\.html
http://ya\.ru
https://(corpebankasia|corpebank)\.icbc\.com\.cn/icbc/corporbank/index.*\.jsp(\?|$)
https://(edi|del|hkg|lon|sta)\.my\.rbs\.com
https://(retail|corporate)\.metrobankonline\.co\.uk
https://.*/fi\d+/bb/logon
https://.*\.directnet\.com/dn/c/cls/auth
https://.*business\.lloydsbank\.co\.uk/business
https://access\.rbsm\.com/logon/(password|dp300)/.+\.fcc(\?|$)
https://ambank\.amonline\.com\.my
https://apib\d*\.anz\.com/apinetbank/(Startup|LoginEsInetANZ)\.aspx(\?|$)
https://bank\.barclays\.co\.uk/olb/auth/LoginLink\.action
https://banking\.bankofscotland\.co\.uk/Logon/Logon\.aspx(\?|$)
https://banking\.lloydsbank\.com/Logon/logon\.aspx(\?|$)
https://banking\.mashreqbank\.com/FID/login\.aspx
https://banking\.triodos\.co\.uk/ib\-seam/login\.seam\?loginType=dp550
https://bbank\d+\.ybonline\.co\.uk/ifdu/ifdlm\-web/login\.ctl
https://bbmy\.ocbc\.com
https://biz\.hkbea\-cyberbanking\.com/servlet/MA01Show(\?|$)
https://biz\.uob\.com\.my/ELO/login\.jsp
https://bizibanking\.bangkokbank\.com/bblamsui/Signon.*\.aspx
https://business\.co\-operativebank\.co\.uk/corp/BANKAWAY
https://business\.santander\.co\.uk/LGSBBI\_NS\_ENS/
https://business\d*\.danskebank\.(co\.uk|com)/pub/logon/logon\.aspx
https://cardservicing\.mint\.co\.uk/RBSG\_Consumer/Login\.do
https://cardsonline\-commercial\.com/RBSG\_Commercial/.*Login\.do
https://cashmanagement\.barclays\.net/portalservices/forms/login\.pser
https://cashmanagement\.barclays\.net/portalservices/forms/login\.pser\?TYPE.+cashmanagement
https://cbfm\.saas\.cashfac\.com/cbfm/
https://cbionline\.cbi\.ae/bus/security/companyLogin\.jsp
https://cbs\.ncbchina\.cn/corporbank/login\_basic\_e\.jsp(\?|$)
https://cib\.affinonline\.com/business/login\.html
https://cib\.bochk\.com/login/cib\_login012\_.*\.jsp(\?|$)
https://cib\.bochk\.com/login/fis/cib\_login012\_.*\.jsp(\?|$)
https://cib\.icicibank\.com\.sg/CIBSGAPP/BANKAWAY(\?|$)
https://cib\.uab\.ae/
https://clientlogin\.ibb\.ubs\.com/login(\?|$)
https://comnet\.pbz\.hr/PbzComnetWeb/app/logon\.html
https://connect\.barclays\.com/.*authen
https://corporate\.adcb\.com/corporateWeb/
https://corporate\.cbq\.com\.qa
https://corporate\.santander\.co\.uk/LOGSCU_NS_ENS/
https://direkt\.rba\.hr/cgi\-bin/ppz2/start/rbat\.jsp
https://e\-finance\.postfinance\.ch/(ef/secure|secure/fp)/html/
https://eadibcorp\.adib\.ae/cb/servlet/cb/jsp\-ns/login\.jsp
https://eadibcorp\.adib\.ae/cb/servlet/cb/jsp\-ns/login2\.jsp
https://eb\.bankcomm\.com\.hk/eb/login\.action(\?|$)
https://ebank\.eonbank\.com\.my/cashmgmt/security/commonLogin\.jsp($|\?)
https://ebank\.kasikornbankgroup\.com/kbiznet/login.*\.html
https://ebanking\-ch\d+\.ubs\.com/workbench/Index\.do
https://ebusiness\.hangseng\.com/1/2/
https://elementa\.otpbanka\.hr/gradjani/.*/foweb/nb/eLEMENTa
https://fdonline\.co\-operativebank\.co\.uk/corp/BANKAWAY
https://fiepay\.mashreqbank\.com/Login\.asp
https://home\d*\.cybusinessonline\.co\.uk/lmgru.*/ceblm\-web/
https://home\d+\.cbonline.co\.uk/ralu.*/reglm\-web/login\.ctl
https://home\d+\.ybonline.co\.uk/ralu/reglm\-web/login\.ctl
https://ib\.bankmandiri\.co\.id/retail/Login\.do
https://ib\.bri\.co\.id/ib\-bri/Login\.html
https://ib\d*\.npbs\.co\.uk/IB\.Web/Login\.aspx
https://ibank\.agribank\.com\.vn/ibank/index\.jsp
https://ibank\.bni\.co\.id/corp/AuthenticationController
https://ibank\.bri\.co\.id/cms/
https://ibank\.hncb\.com\.hk/netbank/pages/jsp/HKLogin/html/HKLogin\_en\.jsp(\?|$)
https://ibank\.klikbca\.com
https://ibank\.standardchartered\.com\.hk/nfs/login\.htm(\?|$)
https://ibank\.standardchartered\.com\.sg/nfs/login\.htm(\?|$)
https://ibank\d*\.bib\.barclays\.com/logon/
https://ibank1\.bib\.barclays\.com/logon/bibapplication.+LOGON\.VALIDATE\.SIGNED
https://ibb\.aibgb1\.co\.uk/ibb/controller
https://ibps\.hpb\.hr/HPB\.iBank\.IBPS\.Web/login\.iface
https://ibusinessbanking\.aib\.ie/ibb/controller
https://ideal\.dbs\.com/loginSubscriber/login/(SubscriberLoginServlet|pin\.jsp)
https://internet\-banking\.dbs\.com\.sg/IB/Welcome(\?|$)
https://internet\-banking\.hk\.dbs\.com/IB/Welcome(\?|$)
https://leumionline\.bankleumi\.co\.uk/my\.policy
https://lloydslink\.online\.lloydsbank\.com/Logon/Logon\.jsp
https://login\.smartbusiness\.ae/
https://logon\.reflex\.rhbbank\.com\.my/rhbcams/corporate/login\.jsp
https://mcm\.bankmandiri\.co\.id/corp/common/login\.do\?action=login
https://mcsign\.ba\-ca\.com/smartoffice/\_mcologon\?\.\.OASLogon
https://mib\.bankmandiri\.co\.id/sme/common/login\.do\?action=login
https://nbf\.ae/corporate/BANKAWAY(;|\?|$)
https://nbqonline\.ae/corp/BANKAWAY\?Action\.CorpUser\.Init
https://net\.pbz\.hr/pbz365/logon.*
https://netbanking\.mashreqbank\.com/B001/SMELogin\.jsp
https://netbanking\.mashreqbank\.com/EntlWeb/IbsJsps/orbilogin\.jsp
https://online\-business\.bankofscotland\.co\.uk/business/logon/login\.jsp(\?|$)
https://online\-business\.tsb\.co\.uk/business/logon/login\.jsp
https://online\.adambank\.com/eBankingAdamLogin/login
https://online\.bankofcyprus\.co\.uk/netteller/login\.faces
https://online\.coutts\.com/eBankingCouttsLogin/login
https://online\.dib\.ae/webapplication\.ui/localoperations/login/corporateloginpage\.aspx
https://online\.fgb\.ae/fgbcorporate/CorpLogin\.html?(\?|$)
https://online\.nbad\.com/iportalweb/iportal/jsps/orbilogin\.jsp
https://online\.ybs\.co\.uk/public/authentication/login1\.do
https://onlinebanking\.nationwide\.co\.uk/AccessManagement/Login
https://onlinebusiness\.lloydsbank\.co\.uk/business/logon/login\.jsp
https://private\.bankofsingapore\.com/IPBWBWeb/Login/.+\.aspx(\?|$)
https://professionalson\-line\.bankofscotlandbusiness\.co\.uk/\_mem\_bin/formslogin\.asp
https://rakbankonline\.ae/corp/BANKAWAY(;|\?|$)
https://s2b\.standardchartered\.com/ssoapp/(login\.jsp|core\.security\.login\.event)
https://secure\.cafbank\.org
https://securebank\.cahoot\.com/servlet/com\.aquariussecurity\.bks\.security\.authentication\.servlet\.LoginEntryServletBKS
https://singapore\.lbbw\-business\.com/LBBWCorpWeb/login/.+\.action(\?|$)
https://sme\.standardchartered\.com/commonapp/core\.security\.vascochallenge\.event
https://sslsecure\.maybank\.com\.sg/cgi\-bin/mbs/scripts/mbb\_login\.jsp(\?|$)
https://uniservices\d*\.uobgroup\.com/(ELO/login\.jsp|wpe/ca/login\.do|wpe/ca/loginForm\.jsp)(\;|\?|$)
https://vpn.*\.sjp\.co\.uk/vpn/vpnloginpage\.html
https://vpn\.tarumanagara\.com/\+CSCOE\+/logon\.html
https://ws\d+\.kasikornbank\.com/baliweb/\d+/site/defaultskin/.*/html/static/logon\.htm
https://www\.allianceonline\.net\.my/Corporate/welcome\.htm
https://www\.amesecurities\.com\.my/gc/main\.jsp
https://www\.bankislam\.biz/rib/login/index
https://www\.bankline\.natwest\.com/
https://www\.bankline\.natwest\.com/CWSLogon/
https://www\.bankline\.rbs\.com/
https://www\.bankline\.ulsterbank\.(ie|co\.uk)/
https://www\.bankline\.ulsterbank\.(ie|co\.uk)/CWSLogon/
https://www\.barclayswealth\.com/login/action/logon/unauthenticated/personal/loginDetails
https://www\.bizchannel\.cimb\.com\.sg/corp/common\d*/login\.do(\?|$)
https://www\.boi\-bol\.com/comLogon\.jsp
https://www\.boi\-bol\.com/newHome\.jsp
https://www\.business\.hsbc\.co\.uk/1/2/
https://www\.caterallenonline\.co\.uk/WebAccess\.dll
https://www\.cbdibusiness\.ae/cb/servlet/cb/login\.jsp($|\?)
https://www\.citibank\.com\.my/MYGCB/JPS/portal/Index\.do
https://www\.citibusiness\.citibank\.com\.sg/SGCBZ/JSO/signon/DisplayCinSignon\.do(\?|$)
https://www\.commercial\.hsbc\.com\.hk/1/2/.+
https://www\.credit\-suisse\.com\.sg/amserver/UI/Login(\?|$)
https://www\.danamonline\.com/onlinebanking/Login/lgn_new\.aspx
https://www\.ebanking\.cimbthai\.com/cash/logon\.jsp
https://www\.fbo\.fubonbank\.com\.hk/fboPortal/index\_e\.jsp(\?|$)
https://www\.fundsdirect\.co\.uk/bks/login\.aspx\?bksid=beaumont
https://www\.hongleongonline\.com\.my/business/public/main\.html
https://www\.hsbc\.co\.uk/1/2/
https://www\.hsbc\.com\.cn/1/2/.+
https://www\.hsbc\.com\.sg/1/2/.+
https://www\.hsbc\.com\.vn/1/2/
https://www\.hvbrsce\.com/ebanking/London/EXE/WBankDsp\.exe
https://www\.integrator\.barclays\.com/idc/html/LoginStep1\.html
https://www\.iombankibanking\.com/eai/IPB_EAI_Web/
https://www\.irakyat\.com\.my/retail/security/commonLogin\.jsp
https://www\.kbc\.be/
https://www\.maybank2e\.net/M2E/mbbcustomer/
https://www\.maybank2u\.com\.my/mbb/m2u/common/mbbLoginCheckAdapt\.do
https://www\.maybank2u\.com\.my/mbb/m2uNOW/common/mbbLoginCheckAdapt\.do
https://www\.mybsn\.com\.my/mybsn/login/login\.do
https://www\.mybusinessbank\.co\.uk/cs70\_banking/logon/slogon
https://www\.nwolb\.com/(login|default)\.aspx
https://www\.onlinebanking\.iombank\.com/(login|default)\.aspx
https://www\.onlinesbiglobal\.com/\S+/BANKAWAY($|\?|\;)
https://www\.otpbanka\.hr/english/welcome\.htm
https://www\.otpbanka\.hr/html/dobrodosli\.htm
https://www\.permatae\-business\.com/corp/common/login\.do\?action=login
https://www\.rbsdigital\.com/(login|default)\.aspx
https://www\.sbnet\.splitskabanka\.hr/priv/.*/dciweb\.htm
https://www\.tescobank\.com/sss/auth
https://www\.ucoebanking\.com/BankAwayRetail/.*/web/L001/retail/jsp/user/CorporateSignOn\.aspx(\?|$)
https://www\.ulsterbankanytimebanking\.co\.uk/(login|default)\.aspx
https://www\.unb\.com/uninet/main\_login\.asp
https://www\.unity\-online\.co\.uk
https://www\.vietcombank\.com\.vn/ibanking/Default\.aspx
https://www\.vietinbank\.vn/ipay/vbh/login\.do
https://www\.winglungbank\.com/corpbanking/logon/CbHomLogonInp\.jsp(\?|$)
https://www\.zaba\.hr/ebank/gradjani/InnerLogin\.jsp
https://www\d*\.secure\.hsbcnet\.com/uims/content/public/hibm/logon/usernameInput.+
https://www\d*\.secure\.hsbcnet\.com/uims/portal/IDV\_CAM10\_AUTHENTICATION(;|$)
https://www\d*\.secure\.hsbcnet\.com/uims/portal/IDV\_OTP\_CHALLENGE(;|$)
https://www\d+\.firstdirect\.com/1/2/
https?://www.rbs\.co\.uk/corporate/electronic\-services/g1/bankline\.ashx
https?://www\.business\.natwest\.com/afb/public/nwb/AFBRoot/mainhome/2morover/accounts
https?://www\.cybusinessonline\.co\.uk/essential\-maintenance/fraud\-message
https?://www\.lloydsbankcommercial\.com/servicemessage
https\://.*/tdsecure/intro\.jsp.*
https\://.*bankofscotland\.co\.uk/personal.*
https\://.*halifax-online\.co\.uk/personal.*
https\://.*lloydsbank\.co\.uk/personal.*
https\://.*personal\.co-operativebank\.co\.uk.*
https\://.*tsb\.co\.uk/personal.*
https\://3ds\.cardcenter\.ch/acspage/cap\?RID\=.*
https\://3ds\.jccsecure\.com/acspage/cap\?RID\=.*
https\://3dsecure\.acb\.com\.vn/ACB/jsp/.*
https\://3dsecure\.icscards\.nl/acspage/cap\?RID\=.*
https\://3dsecure\.ing\.ro/acs/auth/.*
https\://3dsecure\.paylife\.at/acspage/cap\?RID\=.*
https\://acs-ch\.cal-online\.co\.il/acspage/cap\?RID\=.*
https\://acs\.icicibank\.com/acspage/cap\?RID\=.*
https\://acs\.netcetera\.ch/acspage/cap\?RID\=.*
https\://acs\.onlinesbi\.com/sbi/jsp/.*
https\://acs\.sia\.eu/cartasi/pareq/.*
https\://acs\.swisscard\.ch/acspage/cap\?RID\=.*
https\://acs1\.viseca\.ch/acspage/cap\?RID\=.*
https\://acs3\.3dsecure\.no/mdpayacs/pareq.*
https\://acs4\.3dsecure\.no/mdpayacs/pareq.*
https\://alphabank\.cardinalcommerce\.com/transaction/.*
https\://avantcard\.cardinalcommerce\.com/transaction/.*
https\://bankaljazira\.cardinalcommerce\.com/transaction/.*
https\://cap\.securecode\.com/acspage/cap\?RID\=.*
https\://cards\.indusind\.com/IndusindBank/jsp/.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/AndhraBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/BOB/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/BOBCards/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/CanaraBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/ComBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/CorporationBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/DenaBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/FederalBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/IndianBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/IOB/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/JKBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/KotakBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/KVB/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/SeylanBank/server/AccessControlServer.*
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/UCOBank/server/AccessControlServer.*
https\://cardsecurity\.standardchartered\.com/acspage/cap\?RID\=.*
https\://cbi\.electracard\.com/cbi/jsp/.*
https\://corpbank\.electracard\.com/corpbank/jsp/.*
https\://cosacs\.electrapay\.com/CosmosBank/jsp/.*
https\://eurobankmc\.cardinalcommerce\.com/.*
https\://eurobankvisa\.cardinalcommerce\.com/.*
https\://i3d\.borica\.bg/acspage/cap\?RID\=.*
https\://ibqmc\.cardinalcommerce\.com/.*
https\://ibqvisa\.cardinalcommerce\.com/.*
https\://kfh-b\.cardinalcommerce\.com/transaction/.*
https\://login\.myproducts\.tescobank\.com/arcotafm/saml/controllerCustomTB\.jsp.*
https\://marfinbank\.cardinalcommerce\.com/transaction/.*
https\://netsafe\.hdfcbank\.com/ACSWeb/jsp/.*
https\://pnb\.electracard\.com/pnb/jsp/.*
https\://sambabankmc\.cardinalcommerce\.com/.*
https\://sambabankvisa\.cardinalcommerce\.com/.*
https\://santanderpbmc\.cardinalcommerce\.com/.*
https\://santanderpbvisa\.cardinalcommerce\.com/.*
https\://savcreditmc\.cardinalcommerce\.com/.*
https\://savcreditvisa\.cardinalcommerce\.com/.*
https\://secure-code\.mlp\.de/acspage/cap\?RID\=.*
https\://secure.*\.arcot\.com/acspage/cap\?RID\=.*
https\://secure\.axisbank\.com/ACSWeb/EnrollWeb/AxisBank/server/AccessControlServer.*
https\://secure\.edb\.com/d3SecureAuthce2/d3Secure/authentication/post.*
https\://securecode\.abnamro\.nl/acspage/cap\?RID\=.*
https\://securecode\.ing\.nl/acspage/cap\?RID\=.*
https\://secureonline\.idbibank\.com/ACSWeb/EnrollWeb/IDBIBank/auth/SCode\.jsp.*
https\://secureonline\.idbibank\.com/ACSWeb/EnrollWeb/IDBIBank/auth/VBV\.jsp.*
https\://secureonline\.idbibank\.com/ACSWeb/EnrollWeb/IDBIBank/server/AccessControlServer.*
https\://sibacs\.electrapay\.com/SouthIndianBank/jsp/.*
https\://sparda\.wlp-acs\.com/flowGlobal\.wflow.*
https\://stanbicibtcbankweb\.cardinalcommerce\.com/transaction/.*
https\://thinkmoney\.cardinalcommerce\.com/.*
https\://tsys\.arcot\.com/acspage/cap\?RID\=.*
https\://ubagroup\.cardinalcommerce\.com/transaction/.*
https\://ubi\.electracard\.com/ubi/jsp/.*
https\://www\.3dsecure\.icicibank\.com/ACSWeb/EnrollWeb/ICICIBank/server/AccessControlServer.*
https\://www\.citibank\.co\.in/acspage/cap_nsapi\.so\?RID\=.*
https\://www\.monetaonline\.it/acs/insertPassword\?brand\=MasterCard.*
https\://www\.monetaonline\.it/acs/insertPassword\?brand\=Visa.*
https\://www\.mycardsecure\.com/acspage/cap\.dll\?RID\=.*
https\://www\.sebkort\.com/skm/acspage/cap\?RID\=.*
https\://www\.securepay\.hsbc\.co\.in/SecurePay/servlet/Authenticate.*
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*aib\.mc&.*
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*aib\.visa&.*
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*ftb\.mc&.*
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*ftb\.visa&.*
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*SAGA&.*
images\.coventrybuildingsociety\.co\.uk
img3\.moneygram\.com
indigo\.co\-operativebank\.co\.uk
iss\.gtbank\.com
lab\.lloydsbank\.com
liveperson\.net
marketing\.bankofscotland\.co\.uk
marketing\.halifax\-online\.co\.uk
marketing\.lloydsbank\.co\.uk
marketing\.tsb\.co\.uk
mc3\.retail\.santander\.co\.uk
mcmprod\.hsbc\.co\.uk
media\.barclays\.co\.uk
metrics\.barclays\.co\.uk
mujcz\.erasvet\.cz
nsc\.natwest\.com
nsc\.rbs\.co\.uk
nsc\.ulsterbank\.co\.uk
pioneer\.co\-operativebank\.co\.uk
press\.retail\.santander\.co\.uk
rac\.bankia\.es
reporting\.cbonline\.co\.uk
resources\.barclays\.co\.uk
road\.nationwide\.co\.uk
roll\.nationwide\.co\.uk
room\.business\.santander\.co\.uk
sc\.natwest\.com
sc\.rbs\.co\.uk
sc\.ulsterbank\.co\.uk
smetrics\.barclays\.co\.uk
smetrics\.nationwide\.co\.uk
sogecashnet\.sgeb\.bg
splash-screen\.net
staticres\.klikbca\.com
sucmetrics\.unicredit\.it
tppa\.bmo\.com
tts\.dlbank\.be
u8n\.business\.santander\.co\.uk
uni\.ibank\.nbg\.gr
web12\.columbiabank\.com
webtrends\.com
www\.analytics\-control\.com
www\.bankline\.natwest\.com/CWSLogon/analytics
www\.bankline\.rbs\.com/CWSLogon/analytics
www\.bankline\.ulsterbank\.co\.uk/CWSLogon/analytics
www\.bankline\.ulsterbank\.ie/CWSLogon/analytics
www\.t32\.pnc\.com
www3\.bankline\.natwest\.com
www3\.bankline\.rbs\.com
www3\.bankline\.ulsterbank\.co\.uk
www3\.bankline\.ulsterbank\.ie
www7\.nwolb\.com
www7\.onlinebanking\.natwestoffshore\.com
www7\.rbsdigital\.com
www7\.secure\.investec\.com
www7\.suntrust\.com
www7\.ulsterbankanytimebanking\.co\.uk
www7\.ulsterbankanytimebanking\.ie
ya\.ru
yellow\.co\-operativebank\.co\.uk
zaba\.hr/ezaba/

As you can see it's a pretty comprehensive list!

The above list shows why Dridex is so dangerous. Whenever the browser loads a URL that matches one of the patterns above, the bot:

  • takes screenshots of the page, and
  • records the forms you submit, e.g. username, password, date of birth and pretty much any field that you type in.

It grabs this information from the following browsers:
  • Internet Explorer
  • Firefox
  • Chrome
  • Opera

In short, don't open any of the current Word/Excel malware attachments, and don't enable their macros; it's not good.
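As an added example (not code from the post, and not the bot's own code), here is a small Python harness that compiles the pattern list and reports which of a set of constructed sample URLs would trip it. It assumes the bot applies its patterns as unanchored regex searches (only a handful carry `^` and many start with `.*` or are bare hostnames, which only makes sense under search semantics); that assumption, the sample URLs and the helper names are mine, and PATTERNS holds just a subset of the list above.

```python
import re

# Added example, not from the original post or from Dridex itself.
# PATTERNS is a subset of the list above, copied verbatim; paste the full
# list in (one pattern per line) to check every entry.
PATTERNS = r"""
(|\.)alstats\.com
.*\.2o7\.net
^https?://accounts.google.com/ServiceLoginAuth
^https?://login.live.com/
https://bank\.barclays\.co\.uk/olb/auth/LoginLink\.action
https://banking\.lloydsbank\.com/Logon/logon\.aspx(\?|$)
https://www\.nwolb\.com/(login|default)\.aspx
https://www\d*\.secure\.hsbcnet\.com/uims/portal/IDV\_OTP\_CHALLENGE(;|$)
https\://cap\.securecode\.com/acspage/cap\?RID\=.*
ya\.ru
www\.bankline\.natwest\.com/CWSLogon/analytics
"""

# Constructed sample URLs (not real traffic): hits, near-misses, and a bank
# that is not on the list at all.
SAMPLE_URLS = [
    "https://www.nwolb.com/login.aspx",
    "https://banking.lloydsbank.com/Logon/logon.aspx?WT.ac=hp",
    "https://banking.lloydsbank.com/Logon/logon.aspx.bak",
    "https://www2.secure.hsbcnet.com/uims/portal/IDV_OTP_CHALLENGE;jsessionid=1234",
    "https://accounts.google.com/ServiceLoginAuth?service=mail",
    "https://metrics.2o7.net/b/ss/site/1/H.24/s12345",
    "https://www.example.test/static/ya.ru.js",
    "https://online.bankofexample.test/login",
]


def compile_patterns(text):
    """Compile one regex per non-blank line.

    The list is PCRE-style; Python's re accepts every pattern in it (a
    backslash before punctuation such as colon, equals, underscore, semicolon
    or hyphen just yields that literal). Any line this engine rejects is
    reported and skipped rather than aborting the whole run.
    """
    compiled = []
    for line in text.splitlines():
        src = line.strip()
        if not src:
            continue
        try:
            compiled.append((src, re.compile(src)))
        except re.error as exc:
            print(f"skipping pattern {src!r}: {exc}")
    return compiled


def matching_patterns(url, compiled):
    """Return the source of every pattern that fires for this URL.

    Unanchored search is assumed (see the lead-in): re.search, not re.match.
    """
    return [src for src, rx in compiled if rx.search(url)]


def bare_host_patterns(compiled):
    """Patterns with neither a ^ anchor nor a scheme.

    These behave as substring matches over the whole URL, so a pattern like
    the bare ya.ru entry fires on any URL that merely contains that text.
    """
    return [src for src, _ in compiled
            if not src.startswith("^") and "://" not in src]


def scan_urls(urls, compiled=None):
    """Map each URL to the list of patterns it trips (empty list = not targeted)."""
    if compiled is None:
        compiled = compile_patterns(PATTERNS)
    return {url: matching_patterns(url, compiled) for url in urls}


if __name__ == "__main__":
    compiled = compile_patterns(PATTERNS)
    print(f"{len(compiled)} patterns compiled; substring-style entries: "
          f"{bare_host_patterns(compiled)}")
    for url, hits in scan_urls(SAMPLE_URLS, compiled).items():
        print(("TARGETED " if hits else "clean    ") + url)
        for hit in hits:
            print("    matched by: " + hit)
```

Two things the run makes visible that the raw list does not: the `(\?|$)` suffix on entries like the Lloyds logon URL means a query string is tolerated but any other trailing text is not, so the `.bak` sample stays clean; and entries with neither `^` nor a scheme (the bare `ya\.ru`, `webtrends\.com` and `liveperson\.net` lines in the full list) match as substrings anywhere in a URL, so a proxy rule built from them would need to be restricted to the host part to avoid false positives. A bank's security team can paste the full list into PATTERNS and feed it their own login URLs to see whether they are on it.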

Cheers,

Steve
Sanesecurity.com

2 comments:

Tom Pepper said...

Hi,

I accidentally downloaded this - but McAfee picked it up and quarantined it, is my PC likely to be OK now?

Thanks
Tom

Chaa006 said...

Almost certainly not.