Announcement Announcement Module
Collapse
No announcement yet.
Virus Alert:: Win32/Dyreza Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Virus Alert:: Win32/Dyreza

    Virus Alert:: Win32/Dyreza

    Virus Type: Trojan

    It has been reported that variants of a new banking Trojan dubbed as "Dyreza" are spreading.
    The malware mainly targets the customers of well
    known financial institutions running Microsoft Windows operating system.
    It
    propagates by using social engineering techniques or by means of spam messages pretending to be genuine mail received from financial institution containing either a Zip (having Dyre binary)or PDF as an email attachment exploiting the vulnerability (CVE-2013-2729) in unpatched versions of Adobe Reader to download the malware.
    The ZIP contains a self executing malware
    which installs itself on the target system on being extracted.

    The malware performs the following functions:
    • Steals infected bank customers’ online banking credentials.
    • Bypass SSL protection using browser hooking
    • Captures Keystrokes
    • Perform Man-in-the-middle attack to intercept network traffic.
    • Communicates with Command and Control server.

    The spam mail received by bank customers entices the user to download and extract the Zip file. One of the sample mails is shown below:

    Source: CSIS

    Also, the spam mail received by the target user sometimes contains a link from where a Zip file can be downloaded. It is shown below:

    Source: Phishme

    Aliases: TR/Dyreza.A.1[Avira], Win32/Battdil.A[ESET], Troj/Agent-AHXV
    [Sophos], Troj/Zbot-IRG [Sophos] Infostealer.Dryanges [ Symantec ],
    BACKDOOR!YR[McAfee], TROJANSPY:WIN32/DYZAP.A[Microsoft],
    Win32yre-D[Avast], TSPY_BANKER.WSTA[TrendMicro], W32/DYRE.A!TR[Fortinet].

    Installation:
    Various indicators of compromise for the "Dyreza " malware is given as follows:

    File System Changes:
    Upon execution, the malware creates the following file in the %Applicationfolder%"

    C:\Documents and Settings\%user%\Application Data\userdata.dat
    C:\Documents and Settings\% user%\Application Data\cmd.exe
    C:\Documents and Settings\All Users\Application Data\googleupdaterr.exe

    Copies itself to C:\Windows\[RandomName].exe

    Registry changes:
    The malware makes itself persistent by making a "RUN" registry key so as to execute itself at every startup.
    The entry is shown as follows:

    • HKCU\Software\Microsoft\Windows\Current Version\Run
    Set value: Cmd
    With data: C:\Documents and Settings\test user\Application Data\cmd.exe
    Or
    Set value: googleupdaterr
    With data: C:\Documents and Settings\All Users\Application
    Data\googleupdaterr.exe

    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath:
    "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName:
    "Google Update Service"

    Network communications:
    Dyreza Trojan communicates with its command and control server mentioned below, immediately after being extracted and executed.
    http://]192.XXX.XXX.61/cho1017/W512600.52818BB853DEE114E367C21952160412
    There are various other IP addresses with which the Trojan communicates.
    List is mentioned below:
    • 85.XXX.XXX.6:12591
    • 85.XXX.XXX.6:38191
    • 85.XXX.XXX.6:63791
    • 85.XXX.XXX.6:23856
    • 85.XXX.XXX.6:49456
    • 217.XXX.XXX.151
    • 23.XX.XX.205

    HTTP Requests:
    The malware sends the stolen data inclusive of infected bank customers’ online banking credentials and every keystroke of the infected system to its C2 server.
    It performs browser hijacking or man-in-the-middle attack to
    intercept traffic between the infected user and the targeted financial institution, before it gets encrypted using SSL connection.

    The malware performs MITM by injecting malicious code in the web browsers including chrome, Firefox, Internet Explorer, so that when infected user visits any of the banking sites, their credentials are stolen. The traffic if first redirected to the C2 server and then to the legitimate banking site.
    The data sent to the C2 server is shown below:

    << visit our website www.cert-in.org.in >>

    Source : Phishme.com

    Countermeasures:
    • Install the patch for the Adobe reader Vulnerability ( CVE-2013-2729):

    http://www.adobe.com/support/securit...apsb13-15.html
    • Delete the system changes made by the malware such as files created/registry entries /services etc.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
    • Locking out accounts after N number of incorrect login attempts
    • Configure browsers to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
    • Not allowing administrative access to systems, with the exception of special administrative accounts for administrators
    • Limiting or eliminating the use of shared or group accounts
    • Disable Auto run/Auto play.
    • Do not visit untrusted websites.
    • Enable firewall at gateway or desktop level.
    • Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
    • Install and scan anti malware engines and keep them up-to-date.

    References:
    https://www.us-cert.gov/ncas/alerts/TA14-300A
    http://threatpost.com/us-cert-warns-...-trojan/109056
    http://threatpost.com/dyreza-banker-...-bypassing-ssl
    http://www.symantec.com/security_res...061713-0826-99
    https://www.csis.dk/en/csis/news/4262/
    http://www.esecurityplanet.com/malwa...com-users.html
    http://www.welivesecurity.com/2014/0...roup-accounts/
    http://about-threats.trendmicro.com/...PY_BANKER.WSTA
    http://blog.spiderlabs.com/2014/07/a...y-cutwail.html
    http://phishme.com/project-dyre-new-...-bypasses-ssl/
    https://malwr.com/analysis/NjQwMDZhY...BkNmMxMzYxNDc/

    http://www.sophos.com/en-us/threat-c...gent-AIBT.aspx
Working...
X