News: Dyre Banking Trojan gathers pace

Image: safe6 from keyservice.kiev.ua

The malware, also called Dyreza, designed to bypass SSL and steal login credentials, is prompting software vendors to email clients a “not us, guv” denial.

The Dyre banking trojan, which was reported at the start of the summer (source article: Security Researchers Warn of New Dyre Banking Trojan (eSecurityplanet) by Jeff Goldman, June 20, 2014), appears to be gathering pace to such an extent that companies such as Salesforce this week felt compelled to mass-mail customers to tell them there is no specific vulnerability in their software.

Rather, the Dyre or Dyreza trojan is designed to bypass SSL protection and steal banking credentials.

Delivered via phishing emails with the subject lines “Your FED TAX payment was Rejected” and “RE: Invoice”, the attack emails link to zip files on LogMeIn’s Cubby.com file storage service. Opening the zip file installs the malware, which then monitors all of the victim’s browser traffic, including SSL traffic, and inserts itself in the stream, redirecting supposedly encrypted SSL traffic to its own page.

Using a technique called browser hooking, Dyre intercepts the unencrypted traffic, which it can then record and scan for financial details.

Apparently sufficient scare stories have spread over the summer that Salesforce needed to point out that its software has not been compromised, but it does not go so far as to say “it’s you, dummy!”, which would be of more use, since Dyre relies entirely on social engineering of human beings for its attack vector. If no one felt the need to open suspect emails and click on unsolicited links without checking or scanning them first, this kind of malware would sit uselessly on the servers.

Security site PhishMe recommends taking the following five steps to mitigate the threat from Dyre:

1. Remove the phishing emails from inboxes
2. Check proxy logs for traffic to Cubby, downloading zip files containing the name “documents” or “invoice”
3. Search for traffic / block the IPs 85.25.148.6, 217.12.207.151, and 192.99.6.61
4. IDS rules looking for double POST within a short period of time (this will catch copycats, too)
5. Look for zip files containing .exe or .scr files (Web, IDS, host-based, etc)
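A defender-side sketch of steps 2 to 5, added here and not taken from the article or from PhishMe: it scans constructed proxy log lines (an assumed “timestamp client method url dest-ip” format) for the Cubby lure zips, the three listed addresses and a double POST from one client (the five-second window is my assumption, since the list only says “a short period of time”), and checks a zip for .exe or .scr entries.

```python
import io
import zipfile
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators quoted in the PhishMe list above; the POST window is an assumed value.
DYRE_IPS = {"85.25.148.6", "217.12.207.151", "192.99.6.61"}
DOUBLE_POST_WINDOW = timedelta(seconds=5)
# Constructed sample proxy log, one request per line: timestamp client method url dest-ip
SAMPLE_LOG = """\
2014-10-02T09:14:01 10.0.0.12 GET https://www.cubby.com/pl/Invoice_Documents.zip 198.51.100.7
2014-10-02T09:14:40 10.0.0.12 POST http://85.25.148.6/check/ 85.25.148.6
2014-10-02T09:14:41 10.0.0.12 POST http://85.25.148.6/check/ 85.25.148.6
2014-10-02T09:21:00 10.0.0.33 POST https://example.org/login 203.0.113.9
2014-10-02T09:30:00 10.0.0.33 POST https://example.org/submit 203.0.113.9
"""

def scan_proxy_log(text):
    """Steps 2-4: return (rule, client, detail) tuples for suspicious log lines."""
    findings, last_post = [], {}  # last_post: client -> time of its latest POST
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, method, url, dst = parts
        when, parsed = datetime.fromisoformat(ts), urlsplit(url)
        host, name = (parsed.hostname or "").lower(), parsed.path.rsplit("/", 1)[-1].lower()
        if host.endswith("cubby.com") and name.endswith(".zip") and ("documents" in name or "invoice" in name):
            findings.append(("cubby_zip", client, url))  # step 2: lure zip from Cubby
        if dst in DYRE_IPS:
            findings.append(("dyre_ip", client, dst))  # step 3: listed address
        if method == "POST":
            prev = last_post.get(client)
            if prev is not None and when - prev <= DOUBLE_POST_WINDOW:
                findings.append(("double_post", client, url))  # step 4: double POST
            last_post[client] = when
    return findings

def zip_has_executable(data):
    """Step 5: True if the zip (given as bytes) holds a .exe or .scr entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith((".exe", ".scr")) for n in zf.namelist())

def build_sample_zip(names):
    """Constructed in-memory zip of empty files, used only to exercise step 5."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()
```

Run against the sample log, the scanner flags the lure download, both contacts with the listed address and the back-to-back POSTs from 10.0.0.12, while the widely spaced POSTs from 10.0.0.33 stay quiet.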

However, repeatedly hitting users over the head with a printout of “it’s you, dummy! Do NOT open suspect emails, DO NOT click on unsolicited links, CHECK and SCAN all downloads before opening” wrapped around a length of two by four until they remember some basic email security rules – that MIGHT, just might, have an effect. AJS

How-to: Secure the Weakest Link behind the Keyboard – Part II

Image: chain link 2 by unknown

Now for the seriously weak link – you. We busy little bees rush in, skim-read, ignore warnings, know better than everyone else, are highly suggestible, insatiably curious and, when on-line, generally risk-blind.

And that’s on a good day. The rest of the time we go skipping through the online minefield with gay abandon and the kind of blasé wilfulness that would get us killed crossing the street.

How-to: Secure the Weakest Link behind the Keyboard – Part I

Image: Weakest link by unknown

You can have anti-virus software installed in Windows, UAC enabled, UEFI battening down the system boot, anti-malware and double firewalls; in theory, all your software should be perfectly secure. However, the weakest link in all computer security remains: the user.

You might think all was secure the day you un-boxed your machine; as Mr Cole Porter said, it ain’t necessarily so.

How-to: Remove Ransom-ware with Kaspersky Rescue Disk

Image: Kaspersky Rescue Disk utility

Following our last security How-to, Identify the Troj/Urausy Ransom-ware infection, this describes using an anti-virus removal tool from Kaspersky to deal with the malware on my esteemed colleague’s laptop.

To create a bootable Kaspersky Rescue Disk, you will need a clean, non-infected, computer with Internet access and a DVD or CD burner, OR, if the infected machine lacks an optical drive, a USB flash drive you can wipe and install Kaspersky Rescue Disk onto.

You will also need to be able to call up a one-time boot menu (usually the F12 key at power-on) and make sure you can change the boot order in the infected machine’s BIOS so that you can boot into the Kaspersky Rescue Disk in place of your Windows install.

How-to: Identify the Troj/Urausy Ransom-ware infection

Image: Identify the Troj/Urausy Ransom-ware family

Acknowledging the risk of turning this into ‘Security Theatre Monthly’, the latest malware How-to concerns a particularly duplicitous item of malware; what we now call ‘ransom-ware’. This is a malicious trojan which purports to be from a law enforcement agency; variations include the FBI, Interpol and, in this case, the UK Serious Organised Crime Agency.

All variants lock your Windows machine under the bogus claim that you have been traced pirating material on the Internet and all demand on-line payment of a ‘fine’ to ‘unlock’ your machine. DO NOT PAY ANYTHING. It is a SCAM.

No law enforcement agencies do this. There are no criminal charges, no court proceedings, so why would you pay a fine?

How-to: Choose FAT, exFAT or NTFS file systems [Guest Post]

No, it’s not the latest diet fad. The story goes like this; I started to migrate a Windows Vista machine to Windows 7 (not for myself, I should add). When I plugged in an external drive for ‘Easy Transfer’ (this is Vista, so ‘easy’ is a relative term), the program decided it couldn’t cope with a FAT32 format drive.

I know; how long has that FAT32 drive sat around? Never mind. My choices to reformat are: exFAT or NTFS. What do I use? I’m no digital storage expert, but here goes…

How-To: Remove Rvzr-A.Akamaihd Pop-Up Virus

Image: Rvzr-A.Akamaihd.Net Pop-Up ad-ware

A colleague just got hit by another one of these insidious little blighters. We know how it got in – Internet Explorer 11 – but not the source. I suspect my colleague clicked on a close or cancel button in a pop-up which actually ran some malicious code. We know what and when it was installed – a program in this case masquerading as Rich Media Viewer, on May 16th. We got the full range of initial symptoms. We also got rid of it inside ten minutes, before it could do any further damage.

Rvzr-a.akamaihd.net is another unauthorised adware client; using a full range of false pages and pop-ups, it highlights web page text for adware popups, opens tabs onto Trojan pages when you open your browser, and initiates more popups when you open a new tab.

Fortunately it is relatively easy to exterminate, but do be aware there are new variants hiding under new names, so check for updated instructions on the web whenever you come across an instance of infection.
