Dyre Malware Developers Add Code to Elude Detection by Analysis Tools
As more companies deploy sandbox technology to catch advanced malware, many attackers are adding code to their programs to detect whether the attack is running in a virtual machine.

The criminals behind a well-known tool used to steal data and bank account information have upgraded the code to add a basic, but effective, function to evade malware analysis systems, according to a report issued by security firm Seculert on May 1. The report found that the malware, known as Dyre, checks the number of processing cores on the system on which it is running. While almost all modern computers have more than one processing core, the virtual machines, or sandboxes, that malware researchers use to detect and analyze malicious programs typically run on a single core to be more efficient.

The code is simple—and easily defeated—but attackers will have the upper hand until defenders can modify their programs, Aviv Raff, chief technology officer for Seculert, told eWEEK.

“They really didn’t need to do much, and it is simple, three or four lines of code,” he said. “It is very easy and effective, and, to fix the issues, the makers of sandbox environments will need time.”

The Dyre malware is currently at the top of the heap of money-stealing malware. While technically an information-stealing program, Dyre is also the foundation of one of the top banking botnets, according to a recent report by managed security firm Dell Secureworks.
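The fix Raff alludes to is on the sandbox side: an analysis VM that exposes only one core fails the same heuristic a real victim machine would pass. The following preflight check, added here as an illustration and not code from the article or from Seculert, lets a sandbox operator confirm that a guest advertises enough cores before running a sample. The minimum of two cores, the `/proc/cpuinfo` parsing, and the sample `cpuinfo` text are assumptions and constructed input, not details from the report.

```python
"""Preflight check for a malware-analysis sandbox: does the guest expose enough
CPU cores to pass the single-core heuristic described in the article?

Added example, not code from the article or from Seculert. MIN_CORES = 2 is an
assumed threshold; the article only says sandboxes typically run on one core.
"""
import os
import re

MIN_CORES = 2  # assumed minimum; any real desktop or server has at least this many


def count_cores_from_cpuinfo(text):
    """Count logical processors from the text of Linux /proc/cpuinfo.

    Each logical CPU gets its own block that starts with a 'processor : N'
    line, so the number of such lines is the core count the guest advertises.
    """
    return len(re.findall(r"^processor\s*:\s*\d+", text, flags=re.MULTILINE))


def evaluate_core_count(cores, minimum=MIN_CORES):
    """Return a verdict dict for an observed core count.

    'ok' is True when the guest meets the minimum; 'reason' states the outcome
    in terms a sandbox operator can act on.
    """
    if cores is None or cores < 1:
        return {"cores": cores, "ok": False,
                "reason": "core count unavailable; cannot rule out a single-core profile"}
    if cores < minimum:
        return {"cores": cores, "ok": False,
                "reason": (f"{cores} core(s) exposed; samples that apply the core-count "
                           f"check will not run here. Give the VM at least {minimum}.")}
    return {"cores": cores, "ok": True,
            "reason": f"{cores} cores exposed; passes the core-count heuristic"}


def check_local_host(minimum=MIN_CORES):
    """Evaluate the machine this script runs on (os.cpu_count() may return None)."""
    return evaluate_core_count(os.cpu_count(), minimum)


# Constructed sample: what /proc/cpuinfo looks like on a single-core guest.
SINGLE_CORE_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed sample)
"""

# Constructed sample: the same guest with a second core added.
DUAL_CORE_CPUINFO = SINGLE_CORE_CPUINFO + """
processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed sample)
"""

if __name__ == "__main__":
    for label, text in (("single-core guest", SINGLE_CORE_CPUINFO),
                        ("dual-core guest", DUAL_CORE_CPUINFO)):
        verdict = evaluate_core_count(count_cores_from_cpuinfo(text))
        print(f"{label}: {verdict['reason']}")
    print("this host:", check_local_host()["reason"])
```

Run it inside the analysis guest rather than on the hypervisor: the question is what the sample will see, and a VM pinned to one vCPU reports one core regardless of how many the host has.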
The malware has infected at least 12,000 targets, the report stated. The group behind Dyre, which has also been dubbed Dyre Wolf by security firms, focuses on corporate accounting departments for bigger payouts and has stolen more than $500,000, according to IBM Security.