Unless you happen to live in the Netherlands, chances are that you missed the outbreak of a ‘new’ piece of malware a few weeks ago called Dorifel, also known as XDocCrypt. With over 3000 infections in a matter of hours, of which 90% were systems in the Netherlands, this triggered the Dutch National Cyber Security Center almost instantly. XDocCrypt/Dorifel is a new trojan that encrypts executables, Excel- and Word files that it finds on USB drives and network disks, causing companies to come to a grinding halt almost immediately after infection. Later investigation by Digital Investigations turned up that it also distributes phishing banking websites for ING Bank, ABN AMRO and SNS Bank (all banks with a strong presence in the Netherlands). With such distinctive traits, you would expect that it would be ransomware, but it’s not. It doesn’t ask for money, and there are no real clues what the point is of encrypting those files. It may simply have been a trial run just to find out how good this technique works, but it’s all conjecture at this point.
As an aside, it should be mentioned that the malware’s efforts in encryption did uncover something I found interesting: it exploits the RTLO Unicode Hole, which uses a Windows standard Unicode “Right-to-left override” that are more commonly used in Arabic and Hebrew texts (meaning it’s a Feature, not a Bug). Through this use of the RTLO Unicode Hole, they make filenames such as testU+202Ecod.scr appear in the Windows Explorer as testrcs.doc, and effectively make a harmful executable look like a simple Word doc.
What worries me most, and this is the reason for this article, is the delivery vehicle used by this new piece of malware. You see, it doesn’t exploit some new weakness. Instead, it’s being delivered by systems previously infected with the Citadel/Zeus trojan. This means that over 3000 systems in the Netherlands –systems belonging mostly to ministries, local government and hospitals- already had active botnets inside their networks before getting infected with this new malware! Mind you, virtually all of these systems and networks had active antivirus and IDS systems, and NONE detected either the Citadel/Zeus botnet already in place, nor the new XDocCrypt/Dorifel malware. If anything should be a severe wake-up call for Dutch firms who still half-ass their security, this is it.
Major AV vendors such as Kaspersky and McAfee now address this piece of malware, but it does make you wonder: If this Trojan hadn’t gone through the trouble of encrypting all those files, would it ever have been caught? Clearly, with only a couple of thousand infections, it is not that big of an outbreak. Chances are good that Dorifel would have stayed below the “economic feasibility to fix” line that most antivirus corporations adhere to. With malware code mutation getting increasingly easier and more mature, will this be our future? No more large infections, but a lot more small ones to stay below the collective AV radar? It seems plausible. It certainly makes the dim future of the current AV Modus Operandi that much dimmer. When will we finally see a paradigm shift in our approach to defeating malware?