September 10, 2014
The malware, also called Dyreza, is designed to bypass SSL and steal login credentials, and it is prompting software vendors to email clients a “not us, guv” denial.
The Dyre banking trojan, first reported at the start of the summer (source article: Security Researchers Warn of New Dyre Banking Trojan (eSecurityplanet) by Jeff Goldman, June 20, 2014), appears to be gathering such pace that companies such as Salesforce this week felt compelled to mass-mail customers to tell them there is no specific vulnerability in their software.
Rather, the Dyre (or Dyreza) trojan is designed to bypass SSL protection and steal banking credentials.
Delivered via phishing emails with the subject lines “Your FED TAX payment was Rejected” and “RE: Invoice”, the attack emails link to zip files on LogMeIn’s Cubby.com file storage service. Opening the zip file installs the malware, which then monitors all of the victim’s browser traffic, including SSL traffic, inserts itself in the stream and redirects supposedly encrypted SSL traffic to its own page.
Using a technique called browser hooking, Dyre intercepts the traffic inside the browser in its unencrypted form, where it can record it and scan it for financial details.
Apparently sufficient scare stories have spread over the summer that Salesforce needed to point out that its software has not been compromised, but it does not go so far as to say “it’s you, dummy!”, which would be of more use, since Dyre relies entirely on social engineering of human beings for its attack vector. If no one felt the need to open suspect emails and click on unsolicited links without checking or scanning them first, this kind of malware would sit uselessly on the servers.
Security site PhishMe recommends taking the following five steps to mitigate the threat from Dyre:
1. Remove the phishing emails from inboxes
2. Check proxy logs for traffic to Cubby, downloading zip files containing the name “documents” or “invoice”
3. Search for traffic / block the IPs 220.127.116.11, 18.104.22.168, and 22.214.171.124
4. IDS rules looking for double POST within a short period of time (this will catch copycats, too)
5. Look for zip files containing .exe or .scr files (Web, IDS, host-based, etc.)
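As an added example (not from the post or from PhishMe), a small Python script that applies steps 2, 4 and 5 above to constructed proxy log lines and a constructed zip archive. The log layout, the Cubby URL shape, the 60-second “double POST” window and the host 203.0.113.7 are all assumptions made for the example.

```python
import io, zipfile
from datetime import datetime

# Constructed proxy log lines (timestamp client method url); not taken from the post.
SAMPLE_LOG = """\
2014-09-10T09:01:12 10.0.0.5 GET https://www.cubby.com/pl/documents.zip/_abc
2014-09-10T09:01:40 10.0.0.5 POST https://203.0.113.7/
2014-09-10T09:01:43 10.0.0.5 POST https://203.0.113.7/
2014-09-10T09:06:10 10.0.0.9 POST https://203.0.113.7/
2014-09-10T09:09:30 10.0.0.9 POST https://203.0.113.7/
"""
SUSPICIOUS_NAMES = ("documents", "invoice")   # zip names called out in step 2
PAYLOAD_EXTS = (".exe", ".scr")               # member extensions called out in step 5

def parse(log):
    """Split each log line into (datetime, client, method, url)."""
    rows = []
    for line in log.splitlines():
        ts, client, method, url = line.split()
        rows.append((datetime.fromisoformat(ts), client, method, url))
    return rows

def cubby_zip_downloads(rows):
    """Step 2: GETs of zip files from Cubby whose name contains 'documents' or 'invoice'."""
    return [(c, u) for _, c, m, u in rows
            if m == "GET" and "cubby.com" in u.lower() and ".zip" in u.lower()
            and any(n in u.lower() for n in SUSPICIOUS_NAMES)]

def double_posts(rows, window_s=60):
    """Step 4: a second POST from the same client to the same host within window_s seconds."""
    last, hits = {}, []
    for ts, client, method, url in rows:
        if method != "POST":
            continue
        key = (client, url.split("/")[2])      # (client, host) from https://host/...
        if key in last and (ts - last[key]).total_seconds() <= window_s:
            hits.append(key)
        last[key] = ts
    return hits

def risky_zip_members(zip_bytes):
    """Step 5: member names in a zip archive ending in .exe or .scr."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [n for n in z.namelist() if n.lower().endswith(PAYLOAD_EXTS)]

def make_sample_zip():
    """Constructed test archive: a decoy document plus a text file merely named like a .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 constructed decoy")
        z.writestr("invoice.scr", b"plain text, not an executable")
    return buf.getvalue()
```

Widening `window_s` trades more copycat hits for more false positives from ordinary form submissions, so tune it against your own proxy traffic.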
However, repeatedly hitting users over the head with a printout of “it’s you, dummy! Do NOT open suspect emails, DO NOT click on unsolicited links, CHECK and SCAN all downloads before opening”, wrapped around a length of two by four, until they remember some basic email security rules – that MIGHT, just might, have an effect. AJS