In Dire Straits: Straight Talk on Dyre


1 In Dire Straits: Straight Talk on Dyre
August 2015
Eric R. Jenko, Senior Security Researcher, CTU

2 Dyre :: Overview
Dyre, a.k.a. "Dyreza", "Dyzap", "Dyranges"
Emerged early June 2014, after Operation Tovar
Evolved into one of the most prominent banking trojans in circulation
Commonly referred to as a "banking trojan"
  Primarily targets online banking websites to harvest credentials used to commit Automated Clearing House (ACH) and wire fraud
May be more appropriate to think of it as a web proxy
  It has the capability to "target" any website
  At its core, it monitors traffic looking for specific targets
  When a target is encountered, Dyre intercepts and manipulates the requests and responses

3 Dyre :: Distribution Vectors
[Diagram: Cutwail spam, Upatre, Dyre]
Primarily distributed by spam from the Cutwail botnet
  Initially via links to Dropbox or Cubby file storage services
  Later leveraging Lerspeng and, most prominently, Upatre
Recent campaigns have used two other downloaders: Pony (a.k.a. "Fareit") and Ruckguv (new)
Dyre (like Bugat v5) also leverages private spam mailers

4 Dyre :: Architecture and Operation
Dyre consists of two modules: a dropper and the main DLL (both 32-bit and 64-bit versions)
Critical data is stored in the DLL's resource section: initial config, RSA key, botnet ID, C2 servers
A modified copy is saved to and launched from C:\Windows
Registers a "Google Update Service" system service for persistence
Newer versions are VM-aware: they check the number of available CPUs
[Figure: Dyre's persistence mechanism and drop location]

5 Dyre :: Operation :: Connect and Register
Dyre checks Google for network connectivity
Dyre obtains its external IP address
  STUN (Session Traversal Utilities for NAT) requests to hard-coded servers
  Fallback method via icanhazip.com
Dyre registers with the C2 and pulls configs/plugins (over SSL)
  Register the bot:        GET /CAMP_ID/BOT_ID/5/cert/EXT_IP/
  Register the bot's OS:   GET /CAMP_ID/BOT_ID/0/Win_XP_32bit/1023/EXT_IP/
  Send "alive" signal:     GET /CAMP_ID/BOT_ID/1/FcJgUwyCWvgLPymGiJGwUkwCVcBMmiD/EXT_IP/
  Send NAT status:         GET /CAMP_ID/BOT_ID/14/NAT/Port%20restricted%20NAT/0/EXT_IP/
CAMP_ID: campaign ID | BOT_ID: individual bot identifier | EXT_IP: external IP address

6 Dyre :: Operation :: Config and Plugin Retrieval
  Web injects config:      GET /CAMP_ID/BOT_ID/5/respparser/EXT_IP/
  Web fakes config:        GET /CAMP_ID/BOT_ID/5/httprdc/EXT_IP/
  Grabber plugin:          GET /CAMP_ID/BOT_ID/5/twgARCH/EXT_IP/
  VNC plugin:              GET /CAMP_ID/BOT_ID/5/n_vncARCH/EXT_IP/
  TV plugin:               GET /CAMP_ID/BOT_ID/5/n_tvARCH/EXT_IP/
  Back Connect plugin:     GET /CAMP_ID/BOT_ID/5/cfg_bc/EXT_IP/
  I2P plugin:              GET /CAMP_ID/BOT_ID/5/i2pARCH/EXT_IP/
CAMP_ID: campaign ID | BOT_ID: individual bot identifier | EXT_IP: external IP address | ARCH: architecture (32 or 64)
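As an added example (not code from the presentation or from the CTU), the GET formats on the two slides above can be turned into a small classifier that runs over proxy log lines and labels each Dyre check-in by its command code and requested resource. The log line format, the campaign ID, the bot ID and every IP address in the sample are constructed for this example; only the URI shape, command codes and resource names come from the slides.

```python
"""Classify Dyre check-in and config/plugin retrieval requests by URI shape.

Added example, not code from the presentation. The command codes and
resource names come from the GET lines on the two slides above; the log
format, campaign ID, bot ID and all IP addresses below are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# /CAMP_ID/BOT_ID/COMMAND/arg[/arg...]/EXT_IP/
DYRE_URI = re.compile(
    rf"^/(?P<camp>[^/]+)/(?P<bot>[^/]+)/(?P<cmd>\d+)/(?P<args>.+?)/(?P<ext_ip>{IPV4})/$"
)

# Resources requested with command 5. Plugin names carry an ARCH suffix
# (32 or 64) in the slides, so it is split off before the lookup.
RESOURCES = {
    "cert": "bot registration",
    "respparser": "fetch web injects config",
    "httprdc": "fetch web fakes config",
    "twg": "fetch grabber plugin",
    "n_vnc": "fetch VNC plugin",
    "n_tv": "fetch TV plugin",
    "cfg_bc": "fetch back connect plugin",
    "i2p": "fetch I2P plugin",
}
RESOURCE_NAME = re.compile(r"^(?P<base>[a-z0-9_]+?)(?P<arch>32|64)?$")


@dataclass
class DyreRequest:
    camp_id: str
    bot_id: str
    command: int
    args: List[str]
    ext_ip: str
    description: str


def describe(command: int, args: List[str]) -> str:
    """Turn a command code and its path arguments into a readable label."""
    if command == 0 and args:
        return f"OS report: {args[0]}"
    if command == 1:
        return "alive signal"
    if command == 5 and len(args) == 1:
        m = RESOURCE_NAME.match(args[0])
        if m and m["base"] in RESOURCES:
            label = RESOURCES[m["base"]]
            return f"{label} ({m['arch']}-bit)" if m["arch"] else label
        return f"fetch unknown resource {args[0]!r}"
    if command == 14 and len(args) >= 2 and args[0] == "NAT":
        return f"NAT status: {args[1]}"
    return f"unrecognised command {command}"


def parse_dyre_uri(uri: str) -> Optional[DyreRequest]:
    """Return a DyreRequest if the URI has the Dyre check-in shape, else None."""
    m = DYRE_URI.match(uri)
    if m is None:
        return None
    # The NAT status argument is percent-encoded in the slide (Port%20restricted%20NAT).
    args = [unquote(a) for a in m["args"].split("/")]
    command = int(m["cmd"])
    return DyreRequest(m["camp"], m["bot"], command, args, m["ext_ip"],
                       describe(command, args))


def scan_proxy_log(lines) -> List[Tuple[str, str, DyreRequest]]:
    """Return (src_ip, dest_host, request) for each line whose URI matches.

    Assumed (constructed) line format: <timestamp> <src_ip> <method> <dest_host> <uri> <status>
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        req = parse_dyre_uri(parts[4])
        if req is not None:
            hits.append((parts[1], parts[3], req))
    return hits


# Constructed sample: one bot's first minute of activity plus a benign request.
SAMPLE_LOG = """
2015-08-03T10:15:01Z 10.1.2.33 GET 203.0.113.10 /acme01/WS-042_1A2B3C4D/5/cert/198.51.100.7/ 200
2015-08-03T10:15:02Z 10.1.2.33 GET 203.0.113.10 /acme01/WS-042_1A2B3C4D/0/Win_7_64bit/1023/198.51.100.7/ 200
2015-08-03T10:15:03Z 10.1.2.33 GET 203.0.113.10 /acme01/WS-042_1A2B3C4D/14/NAT/Port%20restricted%20NAT/0/198.51.100.7/ 200
2015-08-03T10:15:04Z 10.1.2.33 GET 203.0.113.10 /acme01/WS-042_1A2B3C4D/5/respparser/198.51.100.7/ 200
2015-08-03T10:15:05Z 10.1.2.33 GET 203.0.113.10 /acme01/WS-042_1A2B3C4D/5/twg64/198.51.100.7/ 200
2015-08-03T10:16:00Z 10.1.2.33 GET 203.0.113.10 /acme01/WS-042_1A2B3C4D/1/FcJgUwyCWvgLPymGiJGwUkwCVcBMmiD/198.51.100.7/ 200
2015-08-03T10:16:10Z 10.1.2.57 GET www.example.com /images/5/logo/198.51.100.8/ 200
""".strip().splitlines()

if __name__ == "__main__":
    for src, host, req in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {host}  camp={req.camp_id} bot={req.bot_id}  {req.description}")
```

Because the slide notes that registration and config retrieval happen over SSL, full URIs of this shape are only visible where TLS is terminated or inspected (an intercepting proxy, a sandbox, or a host-side capture); on a plain network tap the pattern is not observable and the trailing external IP in the path is the only field that also appears in the DNS/STUN side of the check-in.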

7 Dyre :: Operation :: Web Injects
[Diagram: the victim's browser requests the Acme Bank page; on a config match, Dyre pulls the inject from the Web Inject Server and returns an injected Acme Bank page; the credentials entered there (user: eric, pw: password123), browser info and cookies are sent by HTTP POST to the Exfil Server]
Dyre's injects happen dynamically at the C2
  Allows for greater flexibility and less maintenance
  Complicates analysis and investigation

8 Dyre :: Operation :: Web Fakes
[Diagram: on a config match for Acme Bank, the victim's browser is served a fake Acme Bank page from the Web Fake Server; the credentials entered there (user: eric, pw: password123) go to the threat actors, and subsequent requests go to the Web Fake Server]
The target site is mimicked and hosted by the threat actors
  Allows actors to dynamically change site pages and content
  Complicates analysis and investigation

9 Dyre :: Command & Control Infrastructure
[Figure: geographic distribution of Dyre C2 servers (proxy layer) as of December 2014]
Dyre uses a proxy layer to hide its backend (true) C2 infrastructure
Dyre can fall back on two additional control mechanisms:
  Domain Generation Algorithm (DGA): 1, char domains daily for 1 of 8 ccTLDs in Asia & Pacific Islands
  Invisible Internet Project (I2P) plugin (limited usage)

10 Dyre :: Best Practices
To reduce the risk and impact of compromises:
Staff education/training: ensure your organization's security awareness and training program covers the dangers of malicious email and social engineering and uses up-to-date threat intelligence
Filtering: where feasible, employ email filters and scan the contents of attachments; it is also advisable to consider blocking email with executable attachments, including those found in archives (ZIP, RAR, etc.)
Malware sandbox analysis: such inline technology should automatically analyse hyperlinks and/or attachments in incoming email to gauge potential maliciousness
Endpoint system controls: endpoint controls should limit users' ability to open malicious attachments and prevent malware installation and execution; keep end-user antivirus, operating system, browser, and other third-party software up to date; ensure an appropriate level of logging is enabled on hosts and that the logs are routinely reviewed for anomalous/malicious activity
Network-based controls: block I2P traffic at corporate firewalls; apply post-infection controls such as firewall policies and web proxies
For additional information on Dyre, please read our Threat Analysis publication.

11 Questions? Eric R. Jenko
