Dyre Summer Renovation: Randomized Config File Names Keep Antivirus Engines Guessing
This post was co-authored with IBM X-Force researchers Or Safran, Lior Keshet, and Tomer Agayev.
---
How many malware builds would you guess Dyre compiled and spammed out recently? IBM Security X-Force researchers have counted no fewer than nine different builds with actual code changes spread by this highly active crimeware project, and that is in the past week alone.
Dyre Is in Constant Evolution
The Dyre Trojan is an ever-evolving advanced threat. Most of its modifications are minor, but our recent research shows the malware undergoing some summer renovation in its code, with the aim of making it more elusive and stealthy.
At this time, two principal changes are worth noting. First, Dyre has replaced its Windows Registry run key with a scheduled task. The task is still registered in the Registry, but the instructions themselves live in a task definition file in the preset Windows Tasks folder (%SystemRoot%\System32\Tasks), which the Task Scheduler service reads when the task is due. Persistence implemented this way survives cleanup aimed at the classic Run keys, whether by a user or by a security product, which makes it harder to remove. It also gives the developer control over when and how often the malware runs, and over which OS event, such as logon or boot, re-launches it. A practitioner checking a suspect host should therefore review the Tasks folder and the Task Scheduler's TaskCache registry keys, not just the Run keys.
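As an added example (not code from the original post, from IBM X-Force, or from Dyre itself), the following Python script shows the check a responder would run against the persistence mechanism just described: it parses Windows Task Scheduler definitions, which are XML files under %SystemRoot%\System32\Tasks, and flags any task whose action runs from a user-writable location. The two task definitions embedded in it are constructed samples, and the path heuristic, the file names and the host and user names are assumptions.

```python
"""Triage Task Scheduler definitions for user-level persistence.

Added example for this post; not Dyre's code and not IBM's.  Windows stores
each scheduled task as an XML file under %SystemRoot%\\System32\\Tasks and
registers it under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache.
The two definitions below are constructed samples in that schema, not captures.
"""
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASK_DIR = r"C:\Windows\System32\Tasks"

# Paths a legitimate installer rarely schedules a binary from, but a dropper
# running as the logged-on user nearly always does (heuristic, assumed).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\windows\\temp\\|%(appdata|localappdata|temp|tmp|userprofile)%",
    re.IGNORECASE,
)

# Constructed: a vendor updater scheduled daily from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-06-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: a binary in the user's roaming profile, run at logon and hourly.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2015-06-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\Microsoft\svcupd.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def parse_task(xml_data):
    """Return the Exec actions (command, arguments) and trigger types of a task."""
    root = ET.fromstring(xml_data)
    actions = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    # Strip the namespace so triggers read as LogonTrigger, TimeTrigger, ...
    triggers = [t.tag.rsplit("}", 1)[-1] for t in root.findall("t:Triggers/*", TASK_NS)]
    return {"actions": actions, "triggers": triggers}


def flag_task(xml_data):
    """Return the reasons a task looks like user-level persistence ([] if none)."""
    task = parse_task(xml_data)
    reasons = []
    for cmd, args in task["actions"]:
        for label, value in (("command", cmd), ("arguments", args)):
            if USER_WRITABLE.search(value):
                reasons.append(f"{label} points into a user-writable path: {value}")
    # A user-path binary that is also re-launched at logon/boot is the strongest signal.
    if reasons and any(t in ("LogonTrigger", "BootTrigger") for t in task["triggers"]):
        reasons.append("re-launched on logon/boot: " + ", ".join(task["triggers"]))
    return reasons


def scan_tasks_dir(task_dir=TASK_DIR):
    """Walk the live Tasks folder (Windows only) and yield (path, reasons) for flagged tasks."""
    for dirpath, _, files in os.walk(task_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Real task files are UTF-16 with a BOM; pass bytes so expat honours it.
                with open(path, "rb") as fh:
                    reasons = flag_task(fh.read())
            except (OSError, ET.ParseError):
                continue
            if reasons:
                yield path, reasons


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_TASK), ("suspect", SUSPECT_TASK)):
        print(label, flag_task(sample))
    for path, reasons in scan_tasks_dir():
        print(path, *reasons, sep="\n  ")
```

Run on the constructed samples, the vendor updater produces no findings while the profile-directory binary is flagged twice, once for its path and once for the logon trigger; on a Windows host the final loop applies the same logic to every live task definition.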
The second change is the randomization of Dyre's configuration file name using a naming algorithm. The most likely reason is to keep the configuration away from antivirus engines and other automated security products that locate the file by its fixed name and then delete or quarantine it.
For this change, Dyre's developer prepared a naming routine designed to produce a file name that differs from victim to victim but stays constant for the same machine and user, so the malware can always find its own configuration. To do that, Dyre takes the machine name and the user name as its main parameters and concatenates them. It then hashes the resulting alphanumeric string with SHA-256 and processes the digest into a new string. The name therefore looks random to a generic signature, but anyone who knows the algorithm and those two inputs can reproduce it exactly for a given host.
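As an added example (not the original post's code and not Dyre's actual routine), the following Python reproduces the naming scheme just described, concatenating machine name and user name and hashing with SHA-256, and then shows the defender's side of it: because the inputs are known to the victim organization, the "random" names can be precomputed per host and matched against a directory listing. The post does not say how the digest is turned into the final string, so the letter mapping, the 12-character length, the text encoding and the .dat suffix are assumptions, as are the host and user names.

```python
"""Per-victim deterministic file naming of the kind described above.

Added example for this post, not Dyre's code.  The post says the machine name
and user name are concatenated and SHA-256'd, then "processed into a new
string"; the separator-free concatenation follows the post, while the
digest-to-letters mapping, the length, the encoding and the suffix are assumed.
"""
import hashlib
import string

LETTERS = string.ascii_lowercase


def derive_name(machine, user, length=12):
    """Name that is constant for one (machine, user) pair and differs between pairs."""
    # As described: concatenate, then SHA-256.  Encoding and case handling are
    # assumptions; SHA-256 is case-sensitive even though Windows names are not,
    # so an analyst must copy the sample's exact normalisation to predict names.
    # Note that concatenation without a separator is not injective:
    # ("WS-0", "1alice") and ("WS-01", "alice") hash to the same name.
    digest = hashlib.sha256((machine + user).encode("utf-8")).digest()
    # Assumed post-processing: one lowercase letter per digest byte.
    return "".join(LETTERS[b % len(LETTERS)] for b in digest[:length])


def build_lookup(pairs, suffix=".dat"):
    """Predict the file name each known (machine, user) pair would produce."""
    return {derive_name(m, u) + suffix: (m, u) for m, u in pairs}


def find_derived_files(listing, lookup):
    """Match a directory listing against the predicted names (case-insensitive, like NTFS)."""
    return [(f, *lookup[f.lower()]) for f in listing if f.lower() in lookup]


if __name__ == "__main__":
    # Constructed inventory of hosts and users a defender already has.
    known = [("WS-01", "alice"), ("WS-02", "bob")]
    lookup = build_lookup(known)
    # Constructed listing of a profile directory on WS-01.
    listing = [derive_name("WS-01", "alice") + ".dat", "desktop.ini", "notes.txt"]
    print(find_derived_files(listing, lookup))
```

The lesson for detection is that a name which is a pure function of host and user names defeats a single static file-name indicator, but it does not defeat a defender who can enumerate hosts and users: the same determinism the malware relies on to find its configuration lets the responder generate a host-specific indicator.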
These changes show that advanced and active malware like Dyre is an ever-moving target that changes constantly to evade static detection and maintain its foothold on infected endpoints. The next section of this post describes some of the technical details of these changes.
Read additional technical details in the complete blog post here.