Dyre Banking Trojan Explained

Greg Edwards

Here is a scary scenario for anyone with a bank account and online banking access.  You get an email from your bank that says they have detected suspicious activity coming from specific IP addresses on your network.  The bank shares the suspicious IP addresses, and you vet this as a legitimate threat. 

Your tech team investigates, and can’t find anything running on the suspected workstations.  You are told antivirus is up to date and hasn’t detected anything.  A full scan was done.  The workstation is running fine, so no worries. It must have been a false positive from the bank. 


You’ve been hit by a cyber-criminal gang using the Dyre Trojan. The Dyre Trojan is one of the most sophisticated pieces of malware in existence.  It installs itself through software vulnerabilities.  Once installed, it deletes all evidence that it is running.  Antivirus won’t detect it.  It typically runs as either Explorer.exe or SVCHost.exe – both Windows executables that are always running.  It collects credential information, so think any password you enter for anything.  Dyre sits dormant for days at a time, and then boom! - it contacts a C&C (Command and Control Center, the bad guy’s server) and dumps its payload.  The payload is all of your usernames and passwords it has collected over the past X number of months that it has been running.

Why can’t Dyre be eliminated?

The Dyre Trojan was first detected in 2013, so why hasn’t it been eradicated by now?  Did I mention it is one of the most sophisticated pieces of crimeware in existence?  Dyre is what is known as a polymorphic virus.  Once it infects a host machine, it replicates and sends itself out to everyone in your contact list.  Anyone who gets infected in turn sends out an entirely new variant.  Antivirus is useless against it.

Imagine a pandemic flu virus that changes with every new person infected.  There would be no vaccine, and unless you were immune from the start, you would eventually be infected.  This is how Dyre spreads.  It infects one machine, then changes its signature and sends itself out to all of your friends.

How do you get immunity?

The only protection is through vulnerability management and threat analytics that will stop the malware in its tracks.  Only advanced threat analytics can detect, isolate and ultimately stop cyber criminals like this.  Vulnerability management is a preventive measure, but it isn’t enough. Without the proper analytics and experts watching, there is no way to detect Advanced Persistent Threats (APTs) like this one.  Imagine knowing you are probably infected, but you have no way to know for sure.  It’s like an invisibility cloak for the gang of cyber criminals watching your every move. 

Real life story

Earlier this week (Jan 2016), WatchPoint helped an insurance agency defend themselves against a cyber-criminal gang that had installed Dyre (pronounced “dire”) on their primary accounting machine.  The bank notified them, and the scenario played out exactly as outlined above.  They actually ran three different antivirus scans, and none of them detected malware of any kind.  WatchPoint was installed, and the moment Dyre contacted the criminal’s server, we had them.  The infected machine was put into isolation and remediated. 
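The detection in this story came from the outbound connection, not from a file scan. As an added example (not WatchPoint's product logic and not code from the original post), the Python below flags external connections made by the two process names the article mentions; the log format, internal ranges, baseline and sample records are constructed assumptions.

```python
import csv
import ipaddress
from pathlib import PureWindowsPath

# Process names the article says Dyre typically runs as.
WATCHED = {"explorer.exe", "svchost.exe"}
# Assumption: the site's internal address space (RFC 1918 ranges).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: constructed address standing in for a known-good destination.
BASELINE = {"198.51.100.10"}

# Constructed sample records: time, host, process image, dest IP, dest port.
SAMPLE_LOG = r"""
2016-01-11T08:02:11,ACCT-PC01,C:\Windows\System32\svchost.exe,198.51.100.10,443
2016-01-11T08:05:40,ACCT-PC01,C:\Windows\explorer.exe,192.168.1.20,445
2016-01-11T09:12:03,ACCT-PC01,C:\Program Files\Browser\browser.exe,203.0.113.80,443
2016-01-14T03:27:55,ACCT-PC01,C:\Windows\explorer.exe,203.0.113.45,443
2016-01-14T03:27:58,ACCT-PC01,C:\Windows\System32\svchost.exe,203.0.113.45,4443
"""


def is_external(ip_text):
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on bad input
    return not any(ip in net for net in INTERNAL)


def find_suspect_connections(log_text, baseline=BASELINE):
    """Return (time, host, process, dest_ip, dest_port) for each connection
    from a watched process to an external address outside the baseline."""
    findings = []
    for row in csv.reader(log_text.strip().splitlines()):
        if len(row) != 5:
            continue  # skip malformed lines rather than guessing at fields
        when, host, image, dest_ip, dest_port = row
        process = PureWindowsPath(image).name.lower()
        if process not in WATCHED:
            continue
        try:
            external, port = is_external(dest_ip), int(dest_port)
        except ValueError:
            continue  # unparsable address or port
        if external and dest_ip not in baseline:
            findings.append((when, host, process, dest_ip, port))
    return findings


if __name__ == "__main__":
    print(*find_suspect_connections(SAMPLE_LOG), sep="\n")
```

Legitimate Windows services also reach external hosts from svchost.exe, so the baseline has to be built from the site's own traffic before the findings mean anything.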

Without a comprehensive cyber security plan, this type of infection (Advanced Persistent Threat or APT) can go on for months before you know they are watching.  You will find out by either seeing that your bank account has been drained, or the FBI will contact you to let you know you have been breached.  The average APT is active for 208 days before being detected.  You need to identify and isolate the threat within one hour; otherwise, the damage may already be done.  In today’s world where cyber crime is more lucrative than drug trafficking, your cyber security protection must include advanced threat analytics with security experts constantly watching your back.

With WatchPoint's Security Solution you will:

       Know someone is securing your business.

       Have true visibility into your digital assets.

       Have a support staff dedicated to safeguarding your network.
