Dyre Summer Renovation: Randomized Config File Names Keep Antivirus Engines Guessing

This post was co-authored with IBM X-Force researchers Or Safran, Lior Keshet, and Tomer Agayev.

---

How many malware builds would you guess Dyre compiled and spammed out recently? IBM Security X-Force researchers have counted no less than nine different malware builds with actual code changes spread by this highly active crimeware project — and that’s in the past week alone.

Dyre Is in Constant Evolution

The Dyre Trojan is an ever-evolving advanced threat. While most of the time its modifications are minor, our recent research indicates the malware is doing some summer renovation in the code with the purpose of keeping it more elusive and stealthy.

At this time, there are two principal changes worth noting for Dyre: First, it has moved its run key from the Windows Registry, turning it into a scheduled task. The Registry still contains the instructions, but files run by the scheduler can be found in a preset Windows Tasks folder, where they are fetched as needed. By turning Dyre’s run into a scheduled task, it becomes more resilient to deletion by the user or security products. But it also gives its developer the flexibility to decide when to run and how often, or upon which type of OS event to rerun the malware file.

The second change is the randomization of Dyre’s configuration file name using a naming algorithm, most likely in order to trick antivirus engines that may be automatically finding and deleting it from infected PCs. The most likely reason for this change in approach is to keep the configuration away from automated security products that search for the file and then delete or quarantine it.

For this change, Dyre’s developer prepared a mathematical manipulation designed to create a different file name every time but a constant one for the same user. To do that, Dyre uses the machine’s name and the user’s name as its main parameters and concatenates them. It then takes that alphanumeric string and performs a hashing operation on it (SHA-256), then processes the result into a new string.

These changes show that advanced and active malware like Dyre is an ever-moving target that changes constantly to evade static security and maintain its foothold in infected endpoints. The next section of this post describes some of the technical details related to these changes.

Read additional technical details in the complete blog post here.