Malware has been around for a long time. You are asked to investigate a particular malware and answer the following questions (in complete sentences) based on Internet research:
What is the common name and any pseudonyms or variant names?
The malware Dyreza has been a threat to banks because it tries to steal users' credentials when they log in to bank websites; because bank customers have been its victims, it is also described as banking malware. That label, however, only describes one kind of target; the common name of the malware is Dyreza, and it is a threat to security generally. Other names are used for the same malware: it is called Dyre for short (Kirk, 2014), and the variant names Dyranges, Dyzap, and Battdil also exist (Micro, 2014).
What type of malware (virus, worm, etc)?
Dyreza uses a technique known as browser hooking, which lets the malware access web traffic in unencrypted form without the user's knowledge (Lord, 2012). The user believes a secure connection to the server has been established, but in reality Dyreza is diverting the data to its own server. It behaves like a Trojan horse, so it belongs to the Trojan type of malware: it presents itself to the user as a normal program or a secure connection.
When was the malware released and, if known, by whom?
Dyreza malware was first released in June 2014, when it attempted to steal the credentials of users logging in to their online bank accounts (Certeza, 2014). It worked by injecting its code into local browser processes and monitoring login sessions. Later, in September 2014, it began attacking IT supply chain companies, the first target being salesforce.com (Constantin, 2015).
How was the malware distributed?
Dyreza was distributed through emails carrying invoice attachments as “.zip” files, to lure users into opening them. The attachment is a Trojan horse that looks like a normal file; to reach users as spam messages, the developers used legitimate domains in order to evade URL scanners (Kirk, 2014). The attachments may also be other kinds of documents containing hidden malicious macro scripts. Once the user opens the attached document, the computer is infected and the malware gets into the browser, where it can interpose itself when the user establishes a secure connection to the websites they want to access.
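The two lure shapes described above (an executable hidden in an invoice-themed zip, and an Office document carrying a macro project) can be triaged at the mail gateway before a user ever opens them. The following is an added example written for this page, not code from the original text or from any of the cited sources; the sample archive it inspects is constructed in memory and is not a real Dyreza artefact.

```python
import io
import zipfile

# Extensions that run code when double-clicked; a common payload in "invoice" zips.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif", ".com"}
# OOXML formats are zip containers themselves and may carry a VBA project.
OFFICE_ZIP_EXTS = {".docm", ".docx", ".xlsm", ".xlsx", ".pptm", ".pptx"}


def office_has_macros(data: bytes) -> bool:
    """An OOXML document carries VBA only if it ships a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def triage_zip_attachment(data: bytes) -> list:
    """Return (member name, reason) findings for a zip email attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            name = info.filename
            lower = name.lower()
            dot = lower.rfind(".")
            ext = lower[dot:] if dot != -1 else ""
            # "invoice.pdf.exe": a document-looking name hiding an executable.
            if ext in EXECUTABLE_EXTS:
                findings.append((name, "executable inside document-themed archive"))
            elif ext in OFFICE_ZIP_EXTS and office_has_macros(archive.read(name)):
                findings.append((name, "office document with embedded VBA macro project"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample mimicking the invoice lure (hypothetical, not a real sample)."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\x00constructed")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2014-06.pdf.exe", b"MZ constructed stub")
        z.writestr("Invoice_details.docm", doc.getvalue())
        z.writestr("README.txt", "harmless text")
    return outer.getvalue()
```

Running `triage_zip_attachment(build_sample_attachment())` flags the disguised executable and the macro document while leaving the plain text file alone; a gateway would quarantine on any finding.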
What type of computers was vulnerable (hardware, operating system, etc)?
Dyreza has a distinctive way of attacking computer systems in order to intercept the establishment of a secure connection and capture the user's credentials without the user's knowledge. The first step Dyreza takes is to ask the operating system how many CPUs it is running on: if the operating system reports only one CPU, Dyreza loses interest and does not proceed (Ducklin, 2015). This kind of check is commonly used by malware to avoid running inside single-CPU analysis sandboxes. Nowadays very few computer systems have only one CPU, so once Dyreza finds that the OS is running on more than one CPU it executes its hidden code and gets into the browser to extract information or wait for the user to access certain websites.
What was the vulnerability that was exploited?
Dyreza did a number of interesting things last year, including bypassing SSL and targeting users of specific business websites. The Trojan was recently disclosed to be exploiting CVE-2014-4114, a vulnerability in the Windows operating system that was first used by the Sandworm attackers (Fisher, 2014). It arrived in spam email messages with a PPT attachment that exploits the flaw known as the “Windows OLE Remote Code Execution Vulnerability”. If the software or operating system is not updated, arbitrary code is executed and Dyreza is downloaded to the affected system. Another vulnerability exploited by Dyreza is CVE-2013-2729, triggered by a .PDF file attachment; when the attachment is opened it downloads TSPY_DYRE.EKW, a variant of Dyreza (Gregorio, 2014).
How extensive was the attack (location, number of computers, etc)?
Dyreza has been infecting computers since June 2014; the number of computers affected by this malware is stated to be around 80,000, and this number is expected to increase as it now also affects Windows 10 and Microsoft Edge (Fadilpasic, 2015). This is alarming for all computers, since users' sensitive credential information is at risk once this malware gets into the system.
Was it a zero-day exploit? Why or why not?
A zero-day attack is the most dangerous kind of attack and can leave computers and applications totally vulnerable. This kind of attack exploits a vulnerability in an application before the application's vendor knows about it, or before knowledge of the attack has spread. The best way for organizations to mitigate the risk of such an attack is to hire a professional who can perform a thorough technical vulnerability assessment of applications in order to ensure the security of the applications and their information.
What was the motive for the virus?
The motive of the Dyreza malware was to extract the sensitive information that users mostly use to log in to their bank accounts or other online accounts. Once the attackers gain access to the credentials, they are in total control of that account (Kirk, 2014). The most alarming aspect of this malware is that the user is never aware that his credentials are being transferred to another server set up by the attacker.
List some security solutions that could have been taken to prevent the distribution of the malware.
There are several practices that can be taken to prevent the distribution of Dyreza. The first is to know your bank's policies: if you receive an email from a bank where you do not have an account, delete that email immediately. The second is to delete any suspicious email, and any link it contains along with it. The third is to install an anti-malware solution with email support, which reduces the chance of opening corrupt files. Finally, if a user suspects a Dyreza attack, the user should change their bank account password from another account (Certeza, 2014).
Certeza, R. A. (2014, October 29). The Dire Implications of DYREZA. Retrieved from Trend Micro: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3139/the-dire-implications-of-dyreza
Constantin, L. (2015, September 30). Dyreza malware steals IT supply chain credentials. Retrieved from PC World: http://www.pcworld.com/article/2987626/dyreza-malware-steals-it-supply-chain-credentials.html
Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved from Naked Security: https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-
Fadilpasic, S. (2015, November 19). Updated Dyreza virus targets Windows 10 and Edge users. Retrieved from ITProPortal: http://www.itproportal.com/2015/11/19/updated-dyreza-virus-targets-windows-10-and-edge-users/
Fisher, D. (2014, October 29). Dyreza Banker Trojan Attackers Exploiting CVE-2014-4114 Windows Flaw. Retrieved from Threatpost: https://threatpost.com/dyreza-banker-trojan-attackers-exploiting-cve-2014-4114-windows-flaw/109071/
Gregorio, R. J. (2014, October 16). Old Adobe Vulnerability Used in Dyreza Attack, Targets Bitcoin Sites. Retrieved from Trend Micro: http://blog.trendmicro.com/trendlabs-security-intelligence/old-adobe-vulnerability-used-in-dyreza-attack-targets-bitcoin-sites/
Hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved from Malwarebytes Labs: https://blog.malwarebytes.org/intelligence/2015/11/a-technical-look-at-dyreza/
Khandhar, B. S.-G. (2014, December 11). Dyre Banking Trojan. Retrieved from SecureWorks: https://www.secureworks.com/research/dyre-banking-trojan
Kirk, J. (2014, June 16). New powerful banking malware called Dyreza emerges. Retrieved from PC World: http://www.pcworld.com/article/2364360/new-powerful-banking-malware-called-dyreza-emerges.html
Lord, N. (2012, October 12). Common Malware Types: Cybersecurity 101. Retrieved from Veracode: https://www.veracode.com/blog/2012/10/common-malware-types-cybersecurity-101
Micro, T. (2014, October 8). A Closer Look At DYRE Malware, Part 1. Retrieved from Trend Micro: http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-dyre-malware-part-1/