Dyre straits, the Sultan of ping

There is no shortage of malware developers out to get their money for nothing and their chicks for free. A new remote access trojan (RAT) called Dyre (or Dyreza) is targeting bank customers. The malware was discovered by PhishMe.

Dyre uses a new method of hooking the browser (IE, Firefox and Chrome) in order to bypass SSL and steal bank login credentials. Because the hooks sit inside the browser process, the malware sees form data before it is encrypted: it acts as a man-in-the-middle while, to the user, the connection still looks secure (the padlock is genuine; the plaintext has simply been copied before it reached the TLS layer). So far this RAT has targeted customers of Bank of America, NatWest, Citibank, RBS and Ulster Bank. Its target list can easily be redirected to any other bank, or to non-bank sites such as Facebook or Gmail.
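Because the hook lives in the browser process, the defensive check is to look at the browser rather than the wire: read the first bytes of the network and SSL functions the browser exports and ask whether entry now jumps somewhere outside the owning module. The following is an added illustration of that inline-hook check, not Dyre's code and not PhishMe's tooling. It assumes 32-bit x86 encodings, and all addresses and prologue bytes are constructed here; a real scan would read the bytes out of the live browser process and compare them with the on-disk copy of the DLL.

```python
import struct

# The stubs a hooker typically writes over a function entry (constructed here
# so the detector can be exercised offline).
def make_jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """E9 rel32: relative JMP from from_addr to to_addr (5 bytes)."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))

def make_push_ret(to_addr: int) -> bytes:
    """68 imm32 ; C3: PUSH target / RET (6 bytes)."""
    return b"\x68" + struct.pack("<I", to_addr) + b"\xC3"

def _decode_entry_branch(prologue: bytes, func_addr: int):
    """If the first instruction is an unconditional control transfer, return
    (kind, target); target is None when it cannot be resolved from the bytes
    alone. Only the encodings commonly planted by inline hooks are decoded."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:            # JMP rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 2 and prologue[0] == 0xEB:            # JMP rel8
        rel = struct.unpack_from("<b", prologue, 1)[0]
        return "jmp rel8", (func_addr + 2 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", prologue, 1)[0]
    if len(prologue) >= 6 and prologue[:2] == b"\xFF\x25":    # JMP [abs32]
        return "jmp [mem]", None   # pointer lives in memory, not in these bytes
    return None

def is_inline_hooked(prologue: bytes, func_addr: int,
                     module_lo: int, module_hi: int):
    """Return (hooked, reason). A branch that stays inside [module_lo, module_hi)
    is treated as benign (hot-patch padding, tail calls into the same DLL);
    a branch out of the module, or an unresolvable indirect jump, is flagged."""
    branch = _decode_entry_branch(prologue, func_addr)
    if branch is None:
        return False, "no control transfer at entry"
    kind, target = branch
    if target is None:
        return True, f"{kind} at entry; target not resolvable from bytes"
    if module_lo <= target < module_hi:
        return False, f"{kind} to 0x{target:08x} stays inside module"
    return True, f"{kind} to 0x{target:08x} outside module"

if __name__ == "__main__":
    # Constructed example: an export at 0x76F01000 in a module mapped at
    # 0x76F00000-0x76FD0000. A clean prologue (mov edi,edi; push ebp; mov ebp,esp)
    # beside the same entry after a hook redirects it to 0x00401000.
    lo, hi, fn = 0x76F00000, 0x76FD0000, 0x76F01000
    for label, bytes_ in (("clean", b"\x8B\xFF\x55\x8B\xEC"),
                          ("hooked", make_jmp_rel32(fn, 0x00401000)),
                          ("push/ret hook", make_push_ret(0x00401000))):
        hooked, why = is_inline_hooked(bytes_, fn, lo, hi)
        print(f"{label:14s} hooked={hooked}  ({why})")
```

The module-range test is what keeps this from firing on Microsoft's own hot-patch stubs, which also begin with a jump but land inside the same DLL; a jump into anonymous or heap memory, the normal home of an injected hook, is what you want to see reported.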

The user has no indication that the system is infected with Dyre, and will believe that the communication is protected by SSL. The malware spreads through phishing emails that entice the user to open an attachment. CSIS believe the gang behind Dyre may soon try to distribute it disguised as a Flash Player update.

Some aspects of Dyre indicate that, at this stage, it is relatively unsophisticated. Unlike Zeus, it has no encryption capability (stolen data is sent back to the server in cleartext, which gives egress monitoring something to look for), it does not use many-to-one relationships with its command-and-control servers, and its file names are not randomised.

Why worry about these brothers in arms? Is this the walk of life, or a new Sultan of ping, so far away? If the controllers of Dyre intend to improve its capabilities, to offer it as part of Crime-as-a-Service, or to develop it further for in-house use within the gang, then it is potentially a far more pernicious threat. As long as cybercrime pays better than installing microwave ovens, custom kitchen deliveries, moving refrigerators and moving colour TVs, there will be a constant stream of new malware such as Dyre.
