Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Info] Banking Trojan Uses Simple Method to Evade White Hats’ Analysis
Dyre banking malware installs only on certain systems

[Image: Banking_Trojan_Uses_Simple_Method_to_Evade_White.jpg]

A new variant of Dyre banking Trojan has emerged with a simple, yet efficient trick that prevents malware researchers from analyzing it.

The malware is also known as Dyreza and was first spotted last year, in June. Since then, its prevalence increased, each new version improving its detection evasion tactics and enlarging the number of financial institutions on the target list.

For malware analysis, researchers rely on virtual machines (VM), software-based solutions that create an isolated space and mimic the hardware components of real-life systems.

To reduce resource usage, the VMs imitate computers with a single CPU core, and it is this default configuration that the latest variants of Dyre are exploiting to prevent inspection of their behavior on an infected computer.

Dyre avoids technologically outdated systems

Security researchers at Seculert found that after compromising a system, the banking Trojan checks how many cores are available. If more than one are detected, the malicious activity is halted immediately, as it is likely to be an analysis environment since today’s computers ship with multi-core processing power.

This behavior was recorded earlier in April by researchers at Sophos, who suggest cranking up the number of processing cores in the VM to at least two.

Aviv Raff, CTO of Seculert, said in a blog post last week that they witnessed Dyre’s evasion tactic on virtual machines from eight vendors, half of the products being non-commercial and publicly available, and the other half consisting of commercial solutions, configured with only one CPU core; they all failed to analyze the malware sample.

“Trying to put ourselves in the mindset of the cyber criminals, it is possible that they conducted their own research and determined that this one particular technique or check was the key to remaining undetected by sandboxing solutions. Subsequently, we have provided the details to the relevant security vendors,” Raff says.

User agents are now more inconspicuous

Dyre is often delivered by Upatre, a popular malware dropper that has seen some improvements of its own. One of them, noticed by Cisco, is changing the user agent used for communication with the command and control (C&C) server, which now looks legitimate and makes it more difficult to detect signs of malicious traffic exchange.

A similar tactic has been observed by Seculert in the new variants of Dyre in order trick signature-based malware detection products.

Source :

aq gk bisa bhs inggris nih oom :3 apa artinya buahaha
Sakbejo-bejane wong kang lali,isih bejo wong kang eling lan waspodo
Thanks God, I don't have money in bank. So, no need to worry about the trojan..
ini virus jenis baru yah om yg lolos adri deteksi anti virus
[Image: Fornesia.gif]
So ...eventually a thief will always found a way to infiltrate a system ..

It's just a matter of when and will .. lol .. . pleasee define safe ???? no one and nothing is safe now .
CrippledMoron | Walk Alone If You Want To Travel Fast, But Walk Together If You Want To Travel Far
recently, i also found many spyware, adware and malware in my notebook, i think it has been lasting for a year but i didnt aware.

spyware adware or malware are very dangerous to our personal information, bank account, etc. They generate a new variant everyday, so be careful guys
senoya, proud to be a member of ForNesia Family since Sep 2014. dan saya suka Kimcil.