Wednesday, 10 September 2014

News: Dyre Banking Trojan gathers pace [Guest Post]


Image: safe6 from keyservice.kiev.ua
The malware, also called Dyreza, designed to bypass SSL and steal login credentials, is prompting software vendors to email clients a "not us, guv" denial.

The Dyre banking trojan, which was reported at the start of the Summer (source article: Security Researchers Warn of New Dyre Banking Trojan (eSecurityplanet) by Jeff Goldman, June 20, 2014), appears to be gathering such pace that companies such as Salesforce this week felt compelled to mass-mail customers to tell them there is no specific vulnerability in their software.

Rather, the Dyre or Dyreza trojan is designed to bypass SSL protection and steal banking credentials. Delivered via phishing emails with the subject lines "Your FED TAX payment was Rejected" and "RE: Invoice", the attack emails link to zip files on LogMeIn's Cubby.com file storage service.


Opening the zip file installs the malware, which then monitors all of the victim's browser traffic, including SSL traffic, and inserts itself in the stream, redirecting supposedly encrypted SSL traffic to its own page. Using a technique called browser hooking, Dyre intercepts the unencrypted traffic, which it can then record and scan for financial details.

Apparently sufficient scare stories have spread over the Summer that Salesforce needed to point out that its software has not been compromised, but it does not go so far as to say "it's you, dummy!", which would be of more use, since Dyre relies entirely on social engineering of human beings for its attack vector. If no one felt the need to open suspect emails and click on unsolicited links without checking or scanning them first, this kind of malware would sit uselessly on the servers.

Security site PhishMe recommends taking the following five steps to mitigate the threat from Dyre:

  1. Remove the phishing emails from inboxes
  2. Check proxy logs for traffic to Cubby, downloading zip files containing the name "documents" or "invoice"
  3. Search for traffic / block the IPs 85.25.148.6, 217.12.207.151, and 192.99.6.61
  4. IDS rules looking for double POST within a short period of time (this will catch copycats, too)
  5. Look for zip files containing .exe or .scr files (Web, IDS, host-based, etc)
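To show what steps 2 to 5 look like when turned into actual checks, here is an added example in Python; it is not code from the original post or from PhishMe. It parses a constructed proxy log in a hypothetical one-line-per-request format, flags zip downloads from Cubby whose name contains "documents" or "invoice", flags any client that contacted one of the three IPs listed above, detects two POSTs from the same client to the same host within a short window, and lists .exe/.scr members inside a constructed zip. The log format, the client addresses, the URLs and the ten-second window are all assumptions; only the three IPs come from the post.

```python
"""Detection checks for PhishMe's steps 2-5, run over constructed sample data.
Added example, not from the original post or from PhishMe."""
import io
import re
import zipfile
from datetime import datetime, timedelta

# Indicator IPs quoted in step 3 of the post.
DYRE_IPS = {"85.25.148.6", "217.12.207.151", "192.99.6.61"}

# Constructed proxy log in a hypothetical format:
#   timestamp client_ip method url status
SAMPLE_PROXY_LOG = """\
2014-09-10T09:00:01 10.0.0.5 GET https://www.cubby.com/p/abc/invoice_2014.zip 200
2014-09-10T09:00:05 10.0.0.5 GET https://example.com/index.html 200
2014-09-10T09:01:00 10.0.0.7 POST https://85.25.148.6/path 200
2014-09-10T09:01:02 10.0.0.7 POST https://85.25.148.6/path 200
2014-09-10T09:05:00 10.0.0.9 POST https://bank.example/login 200
2014-09-10T09:20:00 10.0.0.9 POST https://bank.example/login 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Turn the hypothetical log format into a list of dicts; skips malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        entries.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "method": method, "url": url, "status": int(status)})
    return entries


def host_of(url):
    """Host part of a URL: strip the scheme, then cut at the first slash."""
    return url.split("://", 1)[-1].split("/", 1)[0]


def cubby_zip_downloads(entries):
    """Step 2: zip downloads from Cubby named 'documents' or 'invoice'."""
    hits = []
    for e in entries:
        host = host_of(e["url"]).lower()
        name = e["url"].rsplit("/", 1)[-1].lower()
        if (host.endswith("cubby.com") and name.endswith(".zip")
                and ("documents" in name or "invoice" in name)):
            hits.append(e["url"])
    return hits


def ioc_ip_contacts(entries):
    """Step 3: clients that made any request to one of the listed IPs."""
    return sorted({e["client"] for e in entries if host_of(e["url"]) in DYRE_IPS})


def double_posts(entries, window=timedelta(seconds=10)):
    """Step 4: (client, host) pairs with two POSTs inside `window` (assumed 10s)."""
    last_post = {}
    flagged = set()
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["method"] != "POST":
            continue
        key = (e["client"], host_of(e["url"]))
        if key in last_post and e["ts"] - last_post[key] <= window:
            flagged.add(key)
        last_post[key] = e["ts"]
    return sorted(flagged)


EXECUTABLE_EXTS = (".exe", ".scr")


def risky_zip_members(zip_bytes):
    """Step 5: names of .exe/.scr members in a zip, matched case-insensitively."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]


def build_sample_zip():
    """Constructed zip: a harmless text file plus an empty file with a .SCR name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "not an executable")
        zf.writestr("invoice.pdf.SCR", b"")
    return buf.getvalue()


if __name__ == "__main__":
    log = parse_log(SAMPLE_PROXY_LOG)
    print("Cubby zip downloads:", cubby_zip_downloads(log))
    print("Clients contacting IoC IPs:", ioc_ip_contacts(log))
    print("Double POSTs (client, host):", double_posts(log))
    print("Risky zip members:", risky_zip_members(build_sample_zip()))
```

The double-POST check deliberately keys on client and destination host rather than on the full URL, so that a copycat using a different path to the same drop server is still caught, as step 4 intends; the zip check matches extensions case-insensitively because a name such as `invoice.pdf.SCR` is exactly the kind of double-extension lure the post describes.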

However, repeatedly hitting users over the head with a printout of "it's you, dummy! Do NOT open suspect emails, DO NOT click on unsolicited links, CHECK and SCAN all downloads before opening" wrapped around a length of two by four until they remember some basic email security rules - that MIGHT, just might, have an effect. AJS


About Allan J. Smithie
Allan J. Smithie is a journalist and commentator based in Dubai.
