
Dyre Trojan Uses Semi-Random File Names to Evade Detection

The creators of the notorious Dyre banking Trojan have started using some new techniques to make the malware more difficult to detect and remove.

According to researchers at IBM, the developers of Dyre have decided to modify the threat’s persistence mechanism and replace run keys in the Windows Registry with task scheduling.

“The Registry still contains the instructions, but files run by the scheduler can be found in a preset Windows Tasks folder, where they are fetched as needed. By turning Dyre’s run into a scheduled task, it becomes more resilient to deletion by the user or security products,” Or Safran, malware researcher at IBM Trusteer, explained in a blog post. “But it also gives its developer the flexibility to decide when to run and how often, or upon which type of OS event to rerun the malware file.”

Another change made by Dyre developers is related to the names given to configuration files. By giving these files semi-random names, the cybercriminals hope to prevent their creation from being detected by automated security solutions designed to search for and remove the file.

The configuration file names generated by the malware are different for each infected device, but they are the same for a particular user. The filename is obtained by concatenating the device name with the username, and hashing the resulting string three times using SHA-256. Between each round of hashing, the malware adds one to the ASCII value of the byte (e.g. “C” becomes “D”). The resulting hash is processed into a new 16-byte string that represents the name of the configuration file.

In case the name of the infected machine cannot be obtained, the malware is designed to simply use the letter “C” as the device’s name, researchers said.

While this semi-random filename should make it more difficult to detect Dyre, experts noted that knowing the algorithm that is used to obtain the name can actually help detect the presence of the threat.
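As an added illustration of that point (this is not code from IBM or from the malware), the Python sketch below derives the expected name for a known device/user pair and searches a directory tree for it. The article does not say which byte is incremented or how the hash becomes the 16-byte name, so `_bump` and the final letter mapping are assumptions that must be adjusted to the published analysis before the output will match real samples; the host and user names are constructed.

```python
import hashlib
import os


def _bump(data: bytes) -> bytes:
    # ASSUMPTION: "adds one to the ASCII value of the byte" is taken to mean
    # the first byte of the value fed to the next round, wrapping at 0xFF.
    return bytes([(data[0] + 1) & 0xFF]) + data[1:]


def candidate_name(device: str, user: str) -> str:
    """Return the 16-character config file name expected for device + user."""
    # From the article: "C" stands in when the machine name cannot be obtained.
    seed = ((device or "C") + user).encode("utf-8")
    digest = hashlib.sha256(seed).digest()               # round 1
    for _ in range(2):                                   # rounds 2 and 3
        digest = hashlib.sha256(_bump(digest)).digest()
    # ASSUMPTION: the final step is not described in the article; here the
    # first 16 digest bytes are mapped to lowercase letters.
    return "".join(chr(ord("a") + b % 26) for b in digest[:16])


def find_candidates(root: str, identities) -> list:
    """Walk root and return (path, (device, user)) for every file whose base
    name, ignoring extension and case, equals a derived candidate name."""
    wanted = {candidate_name(d, u): (d, u) for d, u in identities}
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            stem = os.path.splitext(name)[0].lower()
            if stem in wanted:
                hits.append((os.path.join(folder, name), wanted[stem]))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed identities; in practice take them from asset inventory.
    # The empty device name exercises the "C" fallback.
    identities = [("WS-FIN-014", "jdoe"), ("", "jdoe")]
    for device, user in identities:
        print(device or "C", user, candidate_name(device, user))
    for path, who in find_candidates(".", identities):
        print("match:", path, who)
```

Because the name is fixed for a given device and user, the same derivation can be run centrally over an inventory of hostnames and account names and the results fed to an endpoint file search.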

“These changes show that advanced and active malware like Dyre is an ever-moving target that changes constantly to evade static security and maintain its foothold in infected endpoints,” said Safran.

Dyre has evolved a great deal recently. In April, researchers at Seculert reported spotting a version of the malware that counted processor cores to determine whether it was running on a real machine or a sandbox.

Earlier this year, IBM revealed that Dyre was used by a cybercrime gang to steal more than $1 million from the corporate accounts of U.S. businesses. The attackers conducted a sophisticated operation that involved spear-phishing emails, stolen credentials, tech support scams, and distributed denial-of-service (DDoS) attacks.

Data gathered by IBM shows that the countries most targeted by Dyre over the past couple of months are the United States (27%), the United Kingdom (20%), Australia (7%) and Germany (7%).

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.