Discovered: January 20, 2012
Updated: February 16, 2016 4:43:54 PM
Type: Worm
Infection Length: Varies
Systems Affected: Windows

W32.Cridex is a threat that adds the compromised computer to a botnet and injects itself into the victim’s web browser in order to steal information, including banking credentials.

The malware typically arrives through emails with malicious attachments. The threat can self-replicate by spreading to removable devices.

Once the threat executes, it opens a back door on the computer. The malware downloads additional files and adds the computer to a botnet. It is capable of logging keystrokes and capturing screenshots. It can also inject content into banking sites that the user visits, allowing the threat to steal any sensitive information that the victim inputs.

The threat is mainly distributed through emails with malicious attachments. It can also self-replicate by copying itself to mapped and removable drives.

The email usually includes a Microsoft Office attachment with malicious macros. The body of the email usually contains social engineering in an attempt to trick the user into opening the file.

The message typically claims that the attachment is an invoice or shipment notice. If the user opens the document, then they are prompted to enable Office macros, which are disabled by default. If the user does this, then the macro will execute, downloading and installing W32.Cridex on the computer.

W32.Cridex is capable of propagating by itself. After infecting a computer, the threat can spread by copying itself to network drives and attached local storage devices, such as USB keys. The malware runs any time a compromised drive is accessed.

When the threat is executed, it registers the compromised computer with one of Cridex’s botnets. The threat then communicates with the bot controller and receives commands over a peer-to-peer (P2P) network of infected computers. The P2P functionality was designed to make the threat more resilient to takedowns, as there is no single central command-and-control (C&C) server that distributes orders.

The commands that are sent to an infected computer may instruct the malware to perform a variety of activities. The threat can open a back door on the computer, giving the attackers greater access to resources. It can download additional files or modules to further extend its capabilities.

The malware can also perform a variety of information-stealing activities, such as logging keystrokes and capturing screenshots. It can also inject itself into browser processes to monitor communications and steal information, such as passwords, cookies, and web form content.

If the threat detects that the user is visiting a specific banking website, it injects malicious code into the browser to display fraudulent web pages. This content mimics the appearance of a banking site’s login page or transaction section, so any information that the user inputs is sent to the attackers.

Geographical distribution
Symantec has observed the following geographic distribution of this threat:

Symantec has observed the following global Cridex infection trends between January and October 2015:

Symantec protection
The following Symantec detections protect against this threat family.


Intrusion Prevention System
Email protection
Symantec Messaging Gateway’s Disarm technology also protects computers from this threat by removing the malicious content from the attached documents before they even reach the user. Email-filtering services such as Symantec Email can help to filter out potential targeted attack emails before they can reach users.

For more information, please see the following resources:

Antivirus Protection Dates

  • Initial Rapid Release version January 20, 2012 revision 017
  • Latest Rapid Release version May 17, 2019 revision 020
  • Initial Daily Certified version January 21, 2012 revision 009
  • Latest Daily Certified version May 18, 2019 revision 002
  • Initial Weekly Certified release date January 25, 2012

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Laura O'Brien


1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Ensure security software is up-to-date and active
1.3 Use email filtering
2. Infection methods
2.1 Email attachments
2.1.1 Malicious Microsoft Office macros
2.2 Self-replication
3. Functionality
3.1 Installation
3.2 Botnet addition
3.3 Back door
3.4 Information theft
3.5 Download components
4. Additional information
4.1 Law enforcement takedown
4.2 Resources

1. Prevention and avoidance
The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
Be aware of attackers’ social-engineering techniques and avoid opening attachments or links in emails that are sent by unknown senders. Attackers attempt to entice users into opening attachments or links in their messages in many different ways, such as claiming that the attachment is a bill, a fax notification, a special offer, or a delivery notice.

Do not enable Microsoft Office macros. Attackers often embed macros containing malicious code in their documents. They then attach these malicious files to spam or spear-phishing emails and try to trick users into opening them and enabling the macros. If the user agrees to activate macros, the malicious code downloads additional threats from a remote location onto the computer. Microsoft disables macros by default because of this security risk. The company gives users the option to enable them, though doing so is not recommended.

Cridex is capable of spreading through removable drives, so users are advised to exercise caution when connecting such a device to their computer. It is good security practice to disable the AutoRun feature so that removable devices do not execute anything when they are inserted into a computer. Note that AutoRun is disabled by default for non-optical removable drives in recent versions of Windows and on computers with certain updates applied. Removable drives should be disconnected when not required. If write access is not required, users should enable read-only mode if the option is available on the drive.

1.2 Ensure security software is up-to-date and active

Symantec and Norton products detect W32.Cridex and its variants. Symantec reputation-based detection technologies are also able to proactively protect against many of the files used in these attacks. Keep your security software up to date to protect yourself from the latest variants of this threat.

1.3 Use email filtering
Email-filtering services such as Symantec Messaging Gateway and Symantec Email can help to filter out potential targeted attack emails before they reach the intended users.


2. Infection methods
The threat may use the following infection methods to compromise the affected computer.

2.1 Email attachments
W32.Cridex is typically spread through spam or phishing emails with malicious attachments. The emails use social-engineering techniques to convince the user to open the attachment. For example, some Cridex emails claim that the attachment is an invoice for water services or web hosting, which requires the user’s attention. Others claim that the user has received a fax containing a hotel itinerary.

The following subjects were observed in Cridex emails that were delivered to English and French speakers in October and November 2015:

  • Comptabilité de PACAR : facture n° AAAAAAAA du 26/10
  • Your Norwich Camping Order has shipped!
  • Facture
  • devis nettoyage
  • Scan Data from FX-D6DBE1
  • Your MF Communications bill for
  • Please prepare below requirements for your Pouch
  • Votre FACTURE
  • Facture / actual Rennes
  • [Scan] 2015-10-14 5:29:54 p.m.
  • "Invoice-302673.doc"
  • Insurance
  • Water Services Invoice
  • Your latest DHL invoice
  • Copy of Invoice(s)
  • order-so00653333-1.doc

The most recent Cridex email attachments are Word and Excel documents with malicious macros installed. These macros are used to drop the payload onto the affected computer.

2.1.1 Malicious Microsoft Office macros
A macro is made up of a series of commands and instructions grouped in a single function, letting the user perform an action much faster than if it was manually conducted. Microsoft created macros for its Office software suite to allow users to automate frequently used tasks. They are written in a programming language called Visual Basic for Applications (VBA).

While macros were designed for legitimate purposes, attackers have created some that can perform malicious actions. The attackers embed the macros in Microsoft Office documents and spread them in spam or targeted emails.

Microsoft is aware of this issue and has since disabled macros from loading in Office documents by default. In their attempts to circumvent this protection, attackers use social-engineering techniques to convince users to enable macros to run.

For Cridex campaigns, the attackers code the malicious macros to drop the malware onto computers. If the user chooses to enable macros, then the threat is installed.

Symantec detects the Word documents containing the malicious macros seen in Cridex campaigns as W97M.Downloader.
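As an added illustration (not Symantec's code and not its Disarm product), the following Python sketch shows how a mail gateway could triage attachments along the lines described above: block the executable extensions named in the best-practice list, detect an embedded VBA project in a zip-based Office document, and strip that project out. The sample documents are constructed in memory; legacy OLE2 .doc files are only flagged for deeper inspection.

```python
import io
import os
import zipfile

# Attachment types the writeup's best-practice list says to block at the mail server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
# Magic bytes of an OLE2 compound file (legacy .doc/.xls), which can carry VBA too.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML parts that hold a VBA project for Word, Excel and PowerPoint documents.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def contains_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office document embeds a VBA project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name in VBA_PARTS for name in zf.namelist())


def strip_vba_project(data: bytes) -> bytes:
    """Rebuild the document without its VBA parts (a simplified 'disarm').

    A production disarm would also drop the matching relationship and
    content-type entries so the file opens cleanly; this only removes the code.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename not in VBA_PARTS:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment as 'block', 'inspect' or 'allow'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block"            # executable/script types: never deliver
    if data.startswith(OLE2_MAGIC):
        return "inspect"          # legacy binary Office file: needs OLE/VBA parsing
    if contains_vba_project(data):
        return "block"            # VBA present, whatever the extension claims
    return "allow"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()
```

Calling `triage_attachment("order-so00653333-1.docm", build_sample(True))` returns "block", and the same document after `strip_vba_project` is classified "allow".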

2.2 Self-replication
Cridex is capable of spreading onto removable devices connected to the computer. It propagates by copying itself to mapped network drives and attached local storage such as USB keys. If an infected device is plugged into another computer that is configured to run content from the device automatically, the malware installs itself on that computer.

3. Functionality
Once the threat has compromised the computer, it may perform the following actions.

3.1 Installation
When Cridex is executed, it creates a loader module on the computer. The loader reads its configuration details to determine the remote location of the threat’s worker module, which contains all of Cridex’s main functionality.

3.2 Botnet addition
The attackers use multiple, segregated peer-to-peer (P2P) botnets for Cridex’s infrastructure. By using P2P botnets, the attackers don’t need to route their commands through a centralized location. The P2P nature of the botnets means that commands are propagated through multiple connections, making the infrastructure resilient to takedowns. The fact that the attackers use more than one botnet makes the threat even more difficult to tackle.

Once the worker module is downloaded and installed, the loader adds the compromised computer to one of Cridex’s botnets. The loader then retrieves a list of other bots, commands, and updated modules. The Cridex malware has been observed using HTTPS on unconventional ports to connect to other bots.

A Cridex botnet includes C&C servers which are either compromised third-party computers or are owned by the attackers. The network also contains compromised computers; some are classed as “super peers” and others act as “peers.” The super peers receive the most up-to-date commands and configuration details from the attacker, and spread them to the normal peers.

Once executed, the worker module takes charge of performing the malware’s main commands. It connects with other peers and servers through HTTPS or raw TCP. The data that the module sends and receives is encrypted and compressed, making the traffic harder to detect.
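As an added illustration (not Symantec's code and not a signature taken from this writeup), the following Python snippet shows one way a defender could surface the pattern just described, TLS on unconventional ports with a fan-out to several peers, over a constructed connection log. The log layout and the list of conventional TLS ports are assumptions.

```python
import collections

# Ports on which TLS is normally expected; TLS anywhere else is "unconventional".
CONVENTIONAL_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}

# Constructed sample in a simplified conn-log layout (ts src dst dport service);
# this is not real telemetry and not any product's native format.
SAMPLE_LOG = """\
# ts src dst dport service
1445000001.1 10.0.0.5 203.0.113.10 443 ssl
1445000002.2 10.0.0.5 203.0.113.20 443 ssl
1445000003.3 10.0.0.7 198.51.100.11 4431 ssl
1445000004.4 10.0.0.7 198.51.100.12 7779 ssl
1445000005.5 10.0.0.7 198.51.100.13 8080 ssl
1445000006.6 10.0.0.7 198.51.100.14 443 ssl
1445000007.7 10.0.0.9 198.51.100.15 8080 http
""".splitlines()


def parse_conn_line(line: str) -> dict:
    """Parse one 'ts src dst dport service' line into a record."""
    ts, src, dst, dport, service = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "service": service}


def iter_records(lines):
    """Yield parsed records, skipping blank and comment lines."""
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            yield parse_conn_line(line)


def is_unconventional_tls(rec: dict) -> bool:
    """TLS on a port where TLS is not expected (the pattern noted above)."""
    return rec["service"] == "ssl" and rec["dport"] not in CONVENTIONAL_TLS_PORTS


def flag_p2p_hosts(lines, min_peers: int = 3) -> dict:
    """Map each source host to the distinct (peer, port) pairs it reached over
    unconventional-port TLS, keeping only hosts with at least min_peers peers.
    One odd-port TLS flow can be benign; a fan-out to several is the P2P signal."""
    peers = collections.defaultdict(set)
    for rec in iter_records(lines):
        if is_unconventional_tls(rec):
            peers[rec["src"]].add((rec["dst"], rec["dport"]))
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for host, plist in flag_p2p_hosts(SAMPLE_LOG).items():
        print(host, "->", plist)
```

On the sample log only 10.0.0.7 is flagged, with its three odd-port TLS peers; the host using plain HTTP on 8080 and the hosts using TLS on 443 are not.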

3.3 Back door
Cridex opens a back door on compromised computers to give the attackers remote access to the entire computer. It does this by setting up a Virtual Network Computing (VNC) server, mini web server, or a Socket Secure (SOCKS) server.

The threat has been observed connecting to algorithmically generated domain names and to predetermined IP addresses. When the attackers have this back door access, they can monitor network traffic. They can also upload, download, and execute files.

3.4 Information theft
Cridex includes several information-stealing features, letting the attackers obtain a huge amount of the victim’s sensitive information and take over their online accounts. The threat can capture screenshots and log keystrokes. It also injects itself into web browsers to display its own content, and gather saved passwords, cookies, or data entered into forms.

The malware waits until the user visits online banking sites that are listed in its configuration file. Once this happens, the malware injects its own web content into the website’s HTML code in order to mimic the appearance of the site’s login and transaction pages.

If the user inputs their details into these fraudulent web pages, then their data is saved into a file and is sent to the attacker’s remote location. This gives the attackers the means to access the victim’s bank account. They could directly steal the victim’s money or sell this data to other cybercriminals.

3.5 Download components

Cridex is capable of downloading additional modules to update its functionality or C&C infrastructure.

4. Additional information
The following details activities surrounding Cridex, along with resources to learn more about the threat.

4.1 Law enforcement takedown
On October 13, 2015, international law enforcement agencies announced that they sinkholed thousands of Cridex-compromised computers, releasing them from the botnet that they were on. The sinkholing operation involved the entities redirecting the bots’ traffic away from Cridex C&C servers to benign substitute servers. The police also arrested one man in connection with the malware’s activities.

While the crackdown had an impact on Cridex’s infrastructure, it hasn’t entirely ended the threat’s campaigns. Symantec has observed a continuation of W32.Cridex activity following the takedown.

Symantec has seen and blocked multiple email-based malware runs numbering in the tens of thousands just days after the takedown. The emails used in these attacks are being blocked by our email protection technologies in Symantec Email and Symantec Messaging Gateway.

We also observed Cridex infections occurring after the October 13 takedown announcement. Cridex infections increased between October 12 and October 15, before dropping again. Then from October 20, infections shot up and continued at these heights up to the end of the month. The following chart shows Cridex infection activity before and after the takedown.

While law enforcement crackdowns against malware infrastructure can play a significant role in disrupting cybercriminals’ activities, users should not assume that the threat is gone after these actions.

4.2 Resources
For more information relating to this threat family, please see the following resources:



Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.

If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.

If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network

The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
