Trojan Evolves to Avoid Detection

Wednesday, August 26, 2015 @ 02:08 PM gHale

Like any successful product line, malware has to evolve to keep up with the times, and the Dyre banking Trojan is no different.

The malware’s developers started using new techniques to make it more difficult to detect and remove, said researchers at IBM.

Dyre developers modified the threat’s persistence mechanism and replaced run keys in the Windows Registry with task scheduling.

“The Registry still contains the instructions, but files run by the scheduler can be found in a preset Windows Tasks folder, where they are fetched as needed,” said Or Safran, malware researcher at IBM Trusteer, in a blog post. “By turning Dyre’s run into a scheduled task, it becomes more resilient to deletion by the user or security products. But it also gives its developer the flexibility to decide when to run and how often, or upon which type of OS event to rerun the malware file.”

“The second change is the randomization of Dyre’s configuration file name using a naming algorithm, most likely in order to trick antivirus engines that may be automatically finding and deleting it from infected PCs,” Safran said. “The most likely reason for this change in approach is to keep the configuration away from automated security products that search for the file and then delete or quarantine it.”

The configuration file names generated by the malware differ from one infected device to another, but they stay the same for a given user. The filename is derived by concatenating the device name with the username and hashing the resulting string three times with SHA-256. Between each round of hashing, the malware adds one to the ASCII value of each byte (e.g. “C” becomes “D”). The resulting hash is then processed into a new 16-byte string that serves as the name of the configuration file.

If the malware cannot obtain the name of the infected machine, it simply uses the letter “C” as the device name, researchers said.

While this semi-random filename should make it more difficult to detect Dyre, researchers said knowing the algorithm used to obtain the name can actually help detect the presence of the threat.
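As an added illustration (not code from IBM Trusteer's report or this article), the Python below reproduces the naming scheme as described above so that a defender can compute the host-specific name and look for it in a directory listing. The article leaves two details open, so the code makes labelled assumptions: the increment is applied to the hex text of each digest, and the 16-byte name is taken as the first 16 bytes of the final digest, hex-encoded.

```python
import hashlib
from typing import Iterable, List


def _hash_round(text: str) -> str:
    """One SHA-256 round over the text, returned as lowercase hex."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _shift_ascii(text: str) -> str:
    """Add one to the ASCII value of every character (the article's 'C' -> 'D' step)."""
    return "".join(chr(ord(c) + 1) for c in text)


def expected_config_name(device_name: str, username: str) -> str:
    """Derive the host-specific configuration file name described in the article.

    Three SHA-256 rounds over device name + username, shifting every byte by one
    between rounds. ASSUMPTION: the shift is applied to the hex digest text.
    """
    seed = (device_name or "C") + username  # fallback described in the article
    digest = _hash_round(seed)
    for _ in range(2):  # two further rounds, shifting between them
        digest = _hash_round(_shift_ascii(digest))
    # ASSUMPTION: the "16-byte string" is the first 16 bytes of the final digest.
    return digest[:32]


def find_suspect_config(filenames: Iterable[str], device_name: str, username: str) -> List[str]:
    """Return entries of a directory listing whose name matches the derived value.

    This is the detection idea from the article: the scheme is deterministic per
    user and host, so a defender can precompute the name instead of scanning blindly.
    """
    target = expected_config_name(device_name, username)
    return [f for f in filenames if f.lower().startswith(target)]


def demo_listing(device_name: str, username: str) -> List[str]:
    """Constructed sample listing with the derived name planted among benign files."""
    return ["desktop.ini", "notes.txt", expected_config_name(device_name, username), "cache.dat"]


if __name__ == "__main__":
    print(find_suspect_config(demo_listing("WS01", "alice"), "WS01", "alice"))
```

Because the increment and final-reduction steps are assumptions, the derived names may not match real samples; the value of the example is the detection approach, which can be adjusted once the exact steps are confirmed against a sample.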

“These changes show that advanced and active malware like Dyre is an ever-moving target that changes constantly to evade static security and maintain its foothold in infected endpoints,” Safran said.