Dyre times for online banking customers

By Mat Powell, Security Researcher, HP DVLabs


Dyreza (or Dyre) is one of the newer banking trojans on the scene, targeting major online banking services – dire indeed for unprotected customers of those institutions. Dyre uses browser hooking – a technique that allows the trojan to intercept sensitive web traffic prior to encryption – to perform a man-in-the-middle (MITM) attack, circumventing SSL and harvesting banking credentials.

Delivered mainly through spam campaigns, the primary targets at this time appear to be customers of specific banks in the UK and US. Before the credentials are submitted to the financial institution, a copy of the information is sent in clear text to an attacker-controlled server.


Once infected, the malware's first order of business is to discover the host's public-facing IP address. To do this, it uses a protocol called Simple Traversal of UDP Through NAT (STUN) to obtain the public IP.

Essentially, the malware sends a request to the gateway, the gateway forwards the request to a STUN server, and the STUN server returns the public IP to the host through the gateway. Figure 1 shows the request, followed by the response.

Figure 1: STUN request and response

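To make concrete what the malware learns from that exchange, here is an added example (not code from the post or from DVLabs) that builds a STUN Binding Request and parses the Binding Response the server sends back, extracting the reflexive public address from either the classic MAPPED-ADDRESS attribute or the newer XOR-MAPPED-ADDRESS one. The response bytes are constructed locally by `make_sample_response`, so nothing is sent on the network; the addresses used are documentation ranges, not values from any capture.

```python
import struct
import ipaddress

# STUN constants (RFC 3489 classic MAPPED-ADDRESS; RFC 5389 magic cookie and XOR-MAPPED-ADDRESS)
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
XOR_MAPPED_ADDRESS = 0x0020
MAGIC_COOKIE = 0x2112A442
HEADER_LEN = 20


def build_binding_request(transaction_id: bytes) -> bytes:
    """20-byte Binding Request with no attributes: type, length, magic cookie, 96-bit transaction id."""
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def parse_binding_response(data: bytes) -> dict:
    """Return the reflexive (public) IPv4 address and port carried in a Binding Response.

    Understands both the classic MAPPED-ADDRESS attribute and XOR-MAPPED-ADDRESS, whose port
    and address are XORed with the magic cookie so that NAT devices cannot rewrite them in flight.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than a STUN header")
    msg_type, msg_len, _cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_RESPONSE:
        raise ValueError(f"not a Binding Response (type 0x{msg_type:04x})")
    if len(data) != HEADER_LEN + msg_len:
        raise ValueError("message length field does not match payload")
    result = {"transaction_id": data[8:HEADER_LEN].hex()}
    offset = HEADER_LEN
    while offset + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + attr_len]
        if attr_type in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and len(value) == 8:
            family, port = struct.unpack("!xBH", value[:4])
            addr = struct.unpack("!I", value[4:8])[0]
            if family != 0x01:
                raise ValueError("only IPv4 (family 0x01) is handled in this example")
            if attr_type == XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            result["public_ip"] = str(ipaddress.IPv4Address(addr))
            result["public_port"] = port
        offset += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to a 4-byte boundary
    return result


def nat_status(local_ip: str, public_ip: str) -> str:
    """The kind of answer the beacon's 'NAT Information' field conveys: does the
    reflexive address differ from the interface address the host sees itself?"""
    return "no NAT" if local_ip == public_ip else "behind NAT"


def make_sample_response(public_ip: str, port: int, transaction_id: bytes, xor: bool) -> bytes:
    """Constructed Binding Response of the shape a STUN server would send (sample data, not a capture)."""
    addr = int(ipaddress.IPv4Address(public_ip))
    if xor:
        attr_type, port, addr = XOR_MAPPED_ADDRESS, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
    else:
        attr_type = MAPPED_ADDRESS
    value = struct.pack("!xBHI", 0x01, port, addr)
    attr = struct.pack("!HH", attr_type, len(value)) + value
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + transaction_id + attr


if __name__ == "__main__":
    tid = bytes(range(12))
    req = build_binding_request(tid)
    # 203.0.113.7 is a TEST-NET-3 documentation address; the response is constructed, not captured
    info = parse_binding_response(make_sample_response("203.0.113.7", 54321, tid, xor=True))
    print(len(req), info, nat_status("192.168.1.10", info["public_ip"]))
```

From a network-monitoring point of view the useful detail is that a STUN Binding Request is a fixed 20-byte UDP datagram to port 3478 and the answer reveals nothing the host could not learn by other means; what makes it interesting here is the context, a freshly dropped binary doing STUN moments before it beacons over HTTP.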
Dyre begins by hooking the user's web browser and establishing persistence.

During this time, the malware makes multiple HTTP GET requests to the C2 infrastructure to report system information such as hostname, operating system, and build level, along with a unique hash identifier for the host.


Public IP Address    209.XX.46.XX
Computer/Hostname    WIN-C036ANE81QT
Operating System     Win_7_SP1_64bit
OS Build             W617601
NAT Information      unknown%20NAT
Unique Identifier    7F2CB755DC3FDA2F5018CC3A5D162873


Figure 2: HTTP GET request and unique identifier

For persistence, the malware moved itself to the Application Data folder as "googleupdaterr.exe", along with an encrypted configuration file:

C:\Documents and Settings\mrpowell\Application Data\googleupdaterr.exe
C:\Documents and Settings\mrpowell\Application Data\userdata.dat

Figure 3: Application Data folder and encrypted configuration file

And a new RUN key pointing to itself:

HKU\<snip>\CurrentVersion\Run\GoogleUpdate
C:\Documents and Settings\mrpowell\Application Data\googleupdaterr.exe

Figure 4: RUN key
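The two persistence artifacts above (a Run value named after a legitimate updater, pointing at a binary in the user's Application Data folder) are exactly what a responder looks for when triaging an exported Run key. The following is an added example, not DVLabs code: it parses a `.reg` export and flags entries that launch from user-writable profile directories or whose value name borrows a known updater's name while launching a differently named executable. The `.reg` text is constructed; the SID is a placeholder, the first entry reproduces the path and value name from this post, and the other two entries are benign fillers.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export of a per-user Run key (sample only). The SID is a placeholder; the first
# entry reproduces the path and value name reported in this post, the other two are benign fillers.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleUpdate"="C:\\Documents and Settings\\mrpowell\\Application Data\\googleupdaterr.exe"
"Google Update"="\"C:\\Users\\alice\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe\" /c"
"OneDriveSetup"="C:\\Program Files\\Microsoft OneDrive\\OneDriveSetup.exe /silent"
'''

# Profile directories any unprivileged process can write to. Some legitimate per-user installs
# live under AppData\Local, so a hit here is a triage signal, not a verdict.
USER_WRITABLE_DIRS = (
    "\\application data\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\local settings\\temp\\",
)

# Value names malware borrows from real products, mapped to the executable name the real product uses.
IMPERSONATED_UPDATERS = {"googleupdate": "googleupdate.exe"}

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def _unescape(s: str) -> str:
    # Undo .reg string escaping (backslash-quote and doubled backslashes).
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_values(reg_text: str):
    """Yield (key, value_name, value_data) for each REG_SZ value found under a Run key."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_VALUE.match(line)
        if m and key and key.lower().endswith("\\run"):
            yield key, m["name"], _unescape(m["data"])


def extract_exe(value_data: str) -> str:
    """Executable path from a Run value: strip surrounding quotes and trailing arguments."""
    m = re.match(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', value_data, re.IGNORECASE)
    return m["exe"] if m else value_data


def triage_run_entries(entries) -> list:
    """Flag Run entries that launch from user-writable directories or impersonate a known updater."""
    findings = []
    for key, name, data in entries:
        exe = extract_exe(data)
        basename = PureWindowsPath(exe).name.lower()
        reasons = []
        if any(d in exe.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("launches from a user-writable profile directory")
        expected = IMPERSONATED_UPDATERS.get(re.sub(r"[^a-z]", "", name.lower()))
        if expected and basename != expected:
            reasons.append(f"value name suggests {expected} but launches {basename}")
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(parse_run_values(SAMPLE_REG_EXPORT)):
        print(f["name"], "->", f["exe"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the sample, only the first entry is reported, with both reasons; the genuine per-user Google updater in the second entry passes because its basename matches and it does not sit in a temp or roaming directory. Feeding it a real export (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) is the intended use.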

 

It is not until the user accesses one of four specific financial institutions that the malware goes to work. The organizations currently affected are:

  • Bank of America (North America)
  • Ulster Bank (Ireland)
  • Royal Bank of Scotland (Scotland)
  • National Westminster Bank (United Kingdom)

We visited the Bank of America website and entered a bogus user ID to see what would happen when we clicked the Sign In button.

The result?  Shenanigans.

Figure 5: Bank of America sign-in screen


As soon as we pressed the button, the malware intercepted our request prior to encryption and shipped it back to the C2 server in clear text. In the body you can see my original request, including my cookies, session, and user ID.

Figure 6: Intercepted request in clear text

 

The C2 server then responds with a message that the post has been received.

Figure 7: C2 server response
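The exchange in Figures 6 and 7 has a signature that does not depend on knowing the C2 address: a value the browser just submitted to the bank reappears, from the same client and within seconds, in a clear-text request to some other host. The following is an added example, not DVLabs code, of that correlation over records as a sensor with HTTP body visibility might produce them. The records are constructed; the form field names, session cookie, C2 hostname and C2 body layout are placeholders and do not reproduce Dyre's real format.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Hosts whose login submissions we track; only the bank named in this post is listed here.
BANK_HOSTS = {"www.bankofamerica.com"}
WINDOW = timedelta(seconds=30)   # how long a login's values stay "hot"
MIN_TOKEN_LEN = 6                # ignore short values (state codes, flags) that would match by chance

# Constructed records in the shape a sensor with HTTP body visibility might emit (sample only:
# the form field names, session cookie, C2 hostname and C2 body layout are all placeholders).
SAMPLE_RECORDS = [
    {"ts": "2014-07-01T10:00:00", "src": "10.0.0.5", "method": "POST", "host": "www.bankofamerica.com",
     "path": "/login/sign-in", "cookies": "SESSIONID=abc123def456",
     "body": "userid=testuser123&passcode=&state=CA"},
    {"ts": "2014-07-01T10:00:01", "src": "10.0.0.5", "method": "POST", "host": "c2.example.invalid",
     "path": "/gate", "cookies": "",
     "body": "POST /login/sign-in HTTP/1.1 Cookie: SESSIONID=abc123def456 userid=testuser123&passcode="},
    {"ts": "2014-07-01T10:00:02", "src": "10.0.0.5", "method": "GET", "host": "cdn.example.invalid",
     "path": "/static/logo.png", "cookies": "", "body": ""},
    {"ts": "2014-07-01T10:05:00", "src": "10.0.0.5", "method": "POST", "host": "forum.example.invalid",
     "path": "/post", "cookies": "", "body": "text=testuser123"},  # outside the window: not an alert
]


def login_tokens(record: dict) -> set:
    """Values the browser sent to the bank that should never reappear on the wire to another host."""
    tokens = set()
    for values in parse_qs(record["body"]).values():
        tokens.update(values)
    for part in record.get("cookies", "").split(";"):
        if "=" in part:
            tokens.add(part.split("=", 1)[1].strip())
    return {t for t in tokens if len(t) >= MIN_TOKEN_LEN}


def detect_credential_egress(records) -> list:
    """Alert when a value submitted to a bank host shows up, from the same client and within
    WINDOW, in a request to any non-bank host: the on-the-wire trace of a form grabber
    replaying the captured submission in clear text."""
    alerts = []
    recent = []  # (time, src, tokens) for bank logins seen so far
    for r in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(r["ts"])
        if r["host"] in BANK_HOSTS:
            if r["method"] == "POST":
                recent.append((ts, r["src"], login_tokens(r)))
            continue
        haystack = r["path"] + " " + r["body"]
        for t0, src, tokens in recent:
            if src != r["src"] or ts - t0 > WINDOW:
                continue
            leaked = sorted(t for t in tokens if t in haystack)
            if leaked:
                alerts.append({"ts": r["ts"], "src": src, "dst": r["host"], "leaked": leaked})
    return alerts


if __name__ == "__main__":
    for a in detect_credential_egress(SAMPLE_RECORDS):
        print(f"{a['ts']} {a['src']} -> {a['dst']}: leaked {a['leaked']}")
```

The window and minimum token length are the two knobs to tune: too short a window misses a grabber that batches submissions, too small a token length turns common values into false positives. Because the bank's real form is served over TLS, this only works where the sensor can see the browser-side plaintext (a proxy that terminates TLS) or, as in this case, where the malware's own copy leaves the host unencrypted.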

At the end of the day, what can you do to protect yourself against this threat?  Strong security policies revolving around least privilege, spam filtering, and security awareness are great starts.  HP TippingPoint customers can enable Filter 16441 HTTP: Dyre Malware Communication Attempt, created by the DVLabs team and shipped on July 1st, 2014 on DV8575.  The mainline DV will be updated on July 29th, and customers looking to proactively deploy the updated filter can request a custom CSW.

Join us at HP Protect, September 8-11, in Washington DC!
