Dyre Malware Developers Add Code to Elude Detection by Analysis Tools

As more companies deploy sandbox technology to catch advanced malware, many attackers are adding code to their programs to detect if the attack is running in a virtual machine.

Dyre Malware 2

The criminals behind a well-known tool used to steal data and bank account information have upgraded the code to add a basic, but effective, function to evade malware analysis systems, according to a report issued by security firm Seculert on May 1.

The report found that the malware, known as Dyre, checks for the number of processing cores on the system on which it's running. While almost all modern computers have more than one processing core, the virtual machines, or sandboxes that malware researchers use to detect and analyze malicious programs typically only run on a single core to be more efficient. The code is simple—and easily defeated—but attackers will have the upper hand until defenders can modify their programs, Aviv Raff, chief technology officer for Seculert, told eWEEK.

“They really didn’t need to do much, and it is simple, three or four lines of code,” he said. “It is very easy and effective, and, to fix the issues, the makers of sandbox environments, will need time.”

The Dyre malware is currently at the top of the heap of money-stealing malware. While technically an information-stealing program, Dyre is also the foundation of one of the top banking botnets, according to a recent report by managed security firm Dell Secureworks.

The malware has infected at least 12,000 targets, the report stated. The group behind Dyre, which has also been dubbed Dyre Wolf by security firms, focuses on corporate accounting departments for bigger payouts and has stolen more than $500,000, according to IBM Security.

The malware is typically delivered via a spam botnet known as Cutwail, which originally used links to download malware stored in cloud services. Now, Cutwail spam will install a downloader, known as Upatre, which then installs Dyre. Dyre uses Web injects—snippets of code that can insert Web objects into pages—to steal banking information from victims.

While counting the number of processing cores being used by the operating system is simple method for detecting a sandboxed environment, it is effective. In April 2005, Intel released the first dual-core processor, the Pentium Processor Extreme Edition 840, which enabled increased processing power without dramatically increasing energy consumption. Today, Intel’s mainstream processors have two or four cores, and almost all computer systems use multiple cores.

Once defenders have modified their analysis methods -- possibly taking a penalty to efficiency -- attackers can move to other techniques to detect virtual environments that could indicate their code is running in a sandbox. Common techniques for detecting a virtual environment include looking for specific process and module names, using long instructions, and identifying the backdoor communications methods used to send messages to the host operating system.

The increasing inclusion of such techniques shows that while more companies are using sandboxes to test potentially malicious files, other techniques need to be adopted as well, Seculert’s Raff said.

“Just having a sandbox alone with today’s threats is not enough,” he said. “You have to have additional compensating controls.”

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...