Dyre’s Developers Enhance their Trojan’s Functionality

According to Proofpoint, developers of malicious software have added enhanced features to the Dyre banker Trojan so it can gain advantage via the Secure Sockets Layer (SSL) certificate it now owns for interacting with the CnC infrastructure that commands-and-controls it.

Following one just examined sample, Proofpoint's investigators have found Dyre using one digital certificate that is actually meant for a firm known as Internet Widgits Pty Ltd.

They also found that for interacting with its command-and-control infrastructure, Dyre was linked to ports 4443 and 443.

And because Dyre's owners possess a certificate that allows interaction with the C&C system, they make harder security solutions' recognition of the e-traffic that's unlawful.

For the current Dyre sample, the researchers determined that one newly-added element named "browsersnapshot" garnered browser data such as private keys, client-side certificates and cookies stacked inside Windows Certificate Store that Firefox and Internet Explorer used.

Vice-President of Information Security and Governance Kevin Epstein at Proofpoint elaborated that even when Dyre couldn't sniff a session in progress, there would be sufficient information for it that would let the attacker disguise to behave like the browser operator as also show he was the legitimate end-user. Scmagazine.com published this, September 26, 2014.

Epstein further stated that the Dyre variant was as well capable of peering into registry of the contaminated PC that catalogued vital variables for applications loaded, while replicated some of the catalogued portion so the information could be utilized for what was referred to be "reconnaissance missions."

He said that Dyre's controllers, by creating profiles of hijacked enterprises, could find out the software primarily loaded; consequently, the exploits that would prove greatly effective while remaining undetected during future bigger-sized assaults.

During August 2014, according to Proofpoint, there was a phishing scam targeting JPMorgan Chase wherein Dyre was disseminated both via delivering it straight away camouflaged to be one Java update and via the RIG attack toolkit.

Previously this September, Salesforce a client relationship management major, cautioned about one online scam created for loading Dyre onto users' PCs. Now, based on examining that variant's configuration file, Proofpoint states that cyber-criminals are still targeting Salesforce.com.

» SPAMfighter News - 10/7/2014