Protecting Against the Dyre Trojan: Don’t Bring a Knife to a Gunfight
Since its first appearance in June 2014, the Dyre Trojan has reportedly been used in a succession of phishing campaigns across the globe, including attacks against major brand names such as the Royal Bank of Scotland, Citigroup, JPMorgan Chase and Bank of America. An analysis of Dyre’s configuration file shows that the malware’s target list now includes over 100 banks. With new banks being targeted on a weekly basis, the Trojan has created industrywide concern.
At the heart of the Trojan’s successful man-in-the-middle (MitM) attacks is a technique called “browser hooking.” This technique allows the malware operators to route unsuspecting customers to fake banking websites, where they are tricked into surrendering their login credentials. The stolen credentials are then used to conduct an account takeover (ATO) from a spoofed device, through a proxy or directly from the infected PC by the use of remote access tools.
Attempts to combat Dyre attacks with traditional fraud controls such as antivirus, authentication, statistical risk engines and device IDs have proven to be ineffective.
Why Is Combating Dyre So Challenging?
The simple answer is that those controls were put in place to stop a previous generation of threats and were never designed to combat today’s sophisticated malware attacks.
Authentication was never designed for a situation in which the criminal can forward authentication requests to the user who is browsing a fake website. Device identification did not take into account the latest generation of device-spoofing techniques. Antivirus software, which relies on identifying known malware signatures, was never designed to detect a fast-evolving Trojan such as Dyre, which sometimes releases a new binary code version every three days.
Traditional risk engines based on analysis of session request and transactions are especially challenged by the malware modus operandi because they simply lack data on the full fraud life cycle. Critical parts of the Trojan’s attack occur on the victim’s PC and on a fake website, making them completely invisible to risk engines. The data that risk engines do obtain is inaccurate or heavily compromised by the Trojan. For example, session data, which is used by risk engines, can be easily altered or spoofed to mimic requests sent from the victim’s browser. Users are tricked into answering authentication challenges through the fake website. As a result, risk engines often miss the actual fraud attacks.
But Wait, It Gets Worse!
To make matters worse, Dyre’s developers are constantly adding more fraud capabilities to the malware.
According to an analysis conducted by IBM Security Trusteer researcher Lior Keshet, this malware has incrementally evolved to include capabilities for faster monetization of stolen credentials, data collection and remote access tools.
The monetization tools shorten the time from the moment a user unsuspectingly surrenders his or her credentials to the fake website to when the ATO attack is complete. In fact, in many cases analyzed by IBM Security Trusteer, the account takeover attempt was so fast that the victim was still navigating the fake website after the criminal completed a funds transfer to a mule account.
Recently added data collection capabilities allow the Trojan to gather information regarding the infected PC’s browser, cookies, certificates and OS attributes. These attributes can be used to spoof the device used in the ATO by making it appear to be the victim’s device.
Remote access tools allow the criminal to take full control over the infected PC and perform the ATO attack directly from the user’s actual device. Device identification solutions are rendered useless against this type of attack.
In fact, Dyre’s sophistication has grown by such an extent that its configuration file has now ballooned from less than 20 lines of code in early releases to more than 1,000 in the latest.
How to Adequately Defend Yourself
The term “to bring a knife to a gunfight” was made famous by the movie “The Untouchables,” which depicts law enforcement’s fight against notorious gangster Al Capone.
Attempts to make a case against Capone for his outright crimes always failed. For instance, witnesses against him had a tendency to “disappear.” The authorities took an innovative approach for the time and charged Capone with tax evasion. Capone had no way to explain the source of his huge income and was subsequently sent to prison.
While Dyre is adept at circumventing traditional detection methods, it can be combated with a fresh approach that collects data on the full life cycle of the fraud event, including the very techniques that Dyre uses to mask its activity. More specifically, Dyre attacks can best be mitigated at two points in the fraud life cycle: during the initial infection or when the criminal attempts to use the stolen credentials to take over the victim’s account.
Stopping Dyre at the Endpoint
Dedicated endpoint protection against financial malware can identify unique attributes of the malware and prevent its installation process from completing. As an added benefit, while repelling the attack, endpoint protection will also alert the bank’s security department to the fact that it was targeted, providing valuable advanced notice.
Stopping Dyre During the ATO Attempt
Since not all PC users install endpoint protection, banks still need an accurate way to detect Dyre attacks. The key to accurately detecting this malware during the ATO attempt lies in gathering evidence on the full life cycle of the fraud event, including activities performed before the user logs in and evidence of the infection.
Sensors collecting this data must create a consistent TCP-level fingerprint that can correlate the various stages of the attack from infection to the ATO attempt. These sensors must also be able to penetrate Dyre’s various masking techniques, such as spoofing, the use of proxy and remote access tools. Once the data has been collected and analyzed, a clear and definitive picture of the fraud can emerge, allowing for accurate, real-time detection.
Trusteer Pinpoint Criminal Detection, a solution that deploys advanced sensors to collect evidence on the full life cycle of fraud, has successfully detected multiple Dyre attacks with little to no false positives.
The final chapter of the fight against Dyre and MitM attacks is far from written. Criminals looking to mimic Dyre’s success will undoubtedly release a chain of copycat malware. Additionally, the prospect of Dyre being offered as fraud-as-a-service is also daunting since it will allow the malware to proliferate well beyond its current scope. For those tasked with protecting their firms from Dyre, the lesson from “The Untouchables” holds true: Don’t bring a knife to a gunfight. Instead, bring the right kind of tools for the job.