Dyre Summer Renovation: Randomized Config File Names Keep Antivirus Engines Guessing
How many malware builds would you guess Dyre compiled and spammed out recently? IBM Security X-Force researchers have counted no less than nine different malware builds with actual code changes spread by this highly active crimeware project, and that is in the past week alone.
Dyre Is in Constant Evolution
The Dyre Trojan is an ever-evolving advanced threat. While most of the time its modifications are minor, our recent research indicates the malware is doing some summer renovation in the code with the purpose of keeping it more elusive and stealthy.
At this time, there are two principal changes worth noting for Dyre. First, it has moved its persistence from a run key in the Windows Registry to a scheduled task. The Registry still contains the instructions, but the files run by the scheduler can be found in a preset Windows Tasks folder, where they are fetched as needed. By turning Dyre's launch into a scheduled task, the malware becomes more resilient to deletion by the user or by security products. It also gives the developer the flexibility to decide when to run, how often, and upon which type of OS event to rerun the malware file.
The second change is the randomization of Dyre's configuration file name using a naming algorithm. The most likely reason for this change in approach is to keep the configuration away from antivirus engines and other automated security products that search for the file by name and then delete or quarantine it on infected PCs.
For this change, Dyre's developer prepared a mathematical manipulation designed to produce a file name that differs from machine to machine but stays constant for the same user. To do that, Dyre takes the machine's name and the user's name as its main parameters and concatenates them. It then hashes the resulting alphanumeric string (SHA-256) and processes the digest into a new string, which becomes the file name.
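The following is an added example written for this post, not Dyre's code, showing why a per-host derived name defeats a static file-name signature and how an analyst can instead derive the expected name for a given host and account during a hunt. The post does not say how the SHA-256 digest is turned into the final string, so the truncation to sixteen hex characters below is an assumption; the host and account names are constructed samples.

```python
import hashlib

# Assumed post-processing of the digest (the post does not specify it):
# keep the first 16 hex characters of the SHA-256 hex digest.
NAME_LENGTH = 16


def derive_config_name(machine_name: str, user_name: str) -> str:
    """Deterministic name for one machine/user pair.

    Mirrors the scheme described above: concatenate machine name and
    user name, SHA-256 the result, then reduce the digest to a string.
    The reduction step is the assumption noted at NAME_LENGTH.
    """
    seed = (machine_name + user_name).encode("utf-8")
    digest = hashlib.sha256(seed).hexdigest()
    return digest[:NAME_LENGTH]


def candidate_names(host_accounts):
    """Map each (machine, user) pair to the name a hunt should look for there.

    Because the input differs per host, a single static file-name
    signature cannot cover a fleet; each host needs its own derived name.
    """
    return {(m, u): derive_config_name(m, u) for m, u in host_accounts}


def matches_host(file_name: str, machine_name: str, user_name: str) -> bool:
    """True if a file name seen on disk equals the name derived for this host/user."""
    return file_name.lower() == derive_config_name(machine_name, user_name)


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or accounts.
    inventory = [("WS-FINANCE-01", "jdoe"),
                 ("WS-FINANCE-01", "admin"),
                 ("WS-HR-02", "jdoe")]
    for key, name in candidate_names(inventory).items():
        print(key, "->", name)
```

Feeding the real machine and account names of a suspect host into `derive_config_name` gives the one name worth checking there, instead of scanning for a fixed string that only ever matched one infection.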
These changes show that advanced and active malware like Dyre is an ever-moving target that changes constantly to evade static security and maintain its foothold in infected endpoints. The next section of this post describes some of the technical details related to these changes.