05-05-2015, 02:59 AM
Dyre banking malware installs only on certain systems
A new variant of Dyre banking Trojan has emerged with a simple, yet efficient trick that prevents malware researchers from analyzing it.
The malware is also known as Dyreza and was first spotted in June of last year. Since then, its prevalence has increased, with each new version improving its detection-evasion tactics and enlarging the number of financial institutions on the target list.
For malware analysis, researchers rely on virtual machines (VM), software-based solutions that create an isolated space and mimic the hardware components of real-life systems.
To reduce resource usage, the VMs imitate computers with a single CPU core, and it is this default configuration that the latest variants of Dyre are exploiting to prevent inspection of their behavior on an infected computer.
Dyre avoids technologically outdated systems
Security researchers at Seculert found that after compromising a system, the banking Trojan checks how many CPU cores are available. If only one core is detected, the malicious activity is halted immediately, because a single-core machine is likely to be an analysis environment given that today's computers ship with multi-core processors.
This behavior was recorded earlier in April by researchers at Sophos, who suggest cranking up the number of processing cores in the VM to at least two.
Aviv Raff, CTO of Seculert, said in a blog post last week that they witnessed Dyre’s evasion tactic on virtual machines from eight vendors, half of the products being non-commercial and publicly available, and the other half consisting of commercial solutions, configured with only one CPU core; they all failed to analyze the malware sample.
“Trying to put ourselves in the mindset of the cyber criminals, it is possible that they conducted their own research and determined that this one particular technique or check was the key to remaining undetected by sandboxing solutions. Subsequently, we have provided the details to the relevant security vendors,” Raff says.
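A sandbox preflight check illustrating the point above, written as an added example rather than code from Seculert, Sophos or the article: it reads the processor count the way a user-mode Windows program would (SYSTEM_INFO.dwNumberOfProcessors via GetSystemInfo, which is an assumption about the mechanism, since the article does not say how Dyre counts cores), falls back to os.cpu_count() elsewhere, and reports whether a core-counting sample would bail out on this VM. The minimum of two cores follows the Sophos recommendation quoted above.

```python
import ctypes
import os
import sys

# Sophos' advice in the article: give the analysis VM at least two cores.
MIN_CORES = 2


class SYSTEM_INFO(ctypes.Structure):
    """Layout of the Win32 SYSTEM_INFO struct filled in by GetSystemInfo()."""
    _fields_ = [
        ("wProcessorArchitecture", ctypes.c_uint16),
        ("wReserved", ctypes.c_uint16),
        ("dwPageSize", ctypes.c_uint32),
        ("lpMinimumApplicationAddress", ctypes.c_void_p),
        ("lpMaximumApplicationAddress", ctypes.c_void_p),
        ("dwActiveProcessorMask", ctypes.c_size_t),  # DWORD_PTR
        ("dwNumberOfProcessors", ctypes.c_uint32),
        ("dwProcessorType", ctypes.c_uint32),
        ("dwAllocationGranularity", ctypes.c_uint32),
        ("wProcessorLevel", ctypes.c_uint16),
        ("wProcessorRevision", ctypes.c_uint16),
    ]


def visible_processor_count() -> int:
    """Return the processor count the guest OS reports to user-mode code.

    On Windows this is SYSTEM_INFO.dwNumberOfProcessors from GetSystemInfo(),
    assumed here to be what a Windows sample reads; elsewhere use os.cpu_count().
    """
    if sys.platform == "win32":
        info = SYSTEM_INFO()
        ctypes.windll.kernel32.GetSystemInfo(ctypes.byref(info))
        return int(info.dwNumberOfProcessors)
    return os.cpu_count() or 1


def assess_sandbox_cores(cores: int, minimum: int = MIN_CORES) -> dict:
    """Judge whether a VM exposing `cores` processors would let a
    core-counting sample run, or make it halt as Dyre does on one core."""
    return {
        "cores": cores,
        "minimum": minimum,
        "sample_would_run": cores >= minimum,  # single core: sample halts, nothing to observe
        "verdict": "ok" if cores >= minimum else f"raise the VM's vCPU count to {minimum}+",
    }


if __name__ == "__main__":
    result = assess_sandbox_cores(visible_processor_count())
    print(result)
    sys.exit(0 if result["sample_would_run"] else 1)
```

Run it inside the analysis guest before detonating a sample; a non-zero exit means the VM is still in the single-core configuration the article describes.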
User agents are now more inconspicuous
Dyre is often delivered by Upatre, a popular malware dropper that has seen some improvements of its own. One of them, noticed by Cisco, is changing the user agent used for communication with the command and control (C&C) server, which now looks legitimate and makes it more difficult to detect signs of malicious traffic exchange.
A similar tactic has been observed by Seculert in the new variants of Dyre, in order to trick signature-based malware detection products.