Security Research

Dyre times for online banking customers

Angela_Gunn 07-22-2014 09:44 AM - edited 07-22-2014 10:36 AM

By Mat Powell, Security Researcher, HP DVLabs


Dyreza (or Dyre) is one of the newer banking trojans on the scene, targeting major online banking services – dire indeed for unprotected customers of those institutions. Dyre uses browser hooking – a technique that allows the trojan to intercept sensitive web traffic prior to encryption – to perform a man-in-the-middle (MITM) attack, circumventing SSL and harvesting banking credentials.

Delivered mainly through spam campaigns, the primary targets at this time appear to be customers of specific banks in the UK and US. Prior to their credentials being submitted to their financial institution, a copy of the information is sent to an attacker-controlled server in clear text. 


Once infected, the malware’s first line of business is to discover the host’s public-facing IP address. To do this, it uses a protocol called Simple Traversal of UDP Through NAT (STUN) to obtain the public IP.


Essentially, the malware sends a request to the gateway, the gateway forwards the request to a STUN server, and the STUN server returns the public IP back to the host through the gateway. In the figure to the right we see the request, followed by the response.
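As an added illustration (not code from the original post), here is what that STUN exchange looks like on the wire: the Binding Request the host sends, and the Binding Response in which a MAPPED-ADDRESS attribute carries the public IP and port back. It assumes classic RFC 3489 framing; the transaction ID, IP and port are constructed sample values.

```python
import struct

# Classic STUN (RFC 3489) message types and the MAPPED-ADDRESS attribute.
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
HEADER_LEN = 20  # type(2) + length(2) + transaction id(16)

def build_binding_request(txid: bytes) -> bytes:
    """Host -> STUN server: a Binding Request with no attributes."""
    if len(txid) != 16:
        raise ValueError("transaction id must be 16 bytes")
    return struct.pack("!HH", BINDING_REQUEST, 0) + txid

def build_binding_response(txid: bytes, public_ip: str, port: int) -> bytes:
    """STUN server -> host: a Binding Response echoing txid with MAPPED-ADDRESS."""
    addr = bytes(int(octet) for octet in public_ip.split("."))
    # MAPPED-ADDRESS value: reserved(1), family(1, 0x01 = IPv4), port(2), address(4)
    value = struct.pack("!BBH", 0, 0x01, port) + addr
    attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + txid + attr

def parse_mapped_address(msg: bytes, expected_txid: bytes):
    """Return (ip, port) from a Binding Response, or None if no MAPPED-ADDRESS;
    raises ValueError for a truncated reply or one whose txid is not ours."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated STUN header")
    mtype, mlen = struct.unpack("!HH", msg[:4])
    if msg[4:HEADER_LEN] != expected_txid:
        raise ValueError("transaction id mismatch")
    if mtype != BINDING_RESPONSE:
        return None
    body = msg[HEADER_LEN:HEADER_LEN + mlen]
    off = 0
    while off + 4 <= len(body):  # walk the type-length-value attribute list
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == ATTR_MAPPED_ADDRESS and alen == 8:
            family, port = struct.unpack("!xBH", value[:4])
            if family == 0x01:
                return ".".join(str(b) for b in value[4:8]), port
        off += 4 + alen
    return None

if __name__ == "__main__":
    txid = bytes(range(16))  # constructed sample transaction id
    print(build_binding_request(txid).hex())
    reply = build_binding_response(txid, "203.0.113.7", 54321)  # constructed sample values
    print(parse_mapped_address(reply, txid))
```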

Dyre begins by hooking the user’s web browser and establishing persistence. 

During this time, the malware makes multiple HTTP GET requests to the C2 infrastructure to report system information such as hostname, operating system, and build level, along with a unique hash identifier for the host.


Public IP Address    209.XX.46.XX
Computer/Hostname    WIN-C036ANE81QT
Operating System     Win_7_SP1_64bit
OS Build             W617601
NAT Information      unknown%20NAT
Unique Identifier    7F2CB755DC3FDA2F5018CC3A5D162873



Figure 2: HTTP GET request and unique identifier


For persistence, the malware moved itself to the Application Data folder as “googleupdaterr.exe”, along with an encrypted configuration file:


C:\Documents and Settings\mrpowell\Application Data\googleupdaterr.exe
C:\Documents and Settings\mrpowell\Application Data\userdata.dat

Figure 3: Application data folder and encrypted configuration file


And a new RUN key pointing to itself:


C:\Documents and Settings\mrpowell\Application Data\googleupdaterr.exe


Figure 4: RUN key


It’s not until the user accesses one of four specific financial institutions that the malware goes to work. The organizations currently affected are:

  • Bank of America (North America)
  • Ulster Bank (Ireland)
  • Royal Bank of Scotland (Scotland)
  • National Westminster Bank (United Kingdom)


We visited the Bank of America website and entered a bogus user ID to see what would happen when we clicked the Sign In button.

The result?  Shenanigans.




Figure 5: Bank of America sign-in screen

As soon as we pressed the button, the malware intercepted our request prior to encryption and shipped it back to the C2 server in clear text. You can see in the body my original request, including my cookies, session, and user ID.




Figure 6: Intercepted request in clear text


The C2 server then responds with a message that the post has been received.



 Figure 7: C2 server response

At the end of the day, what can you do to protect yourself against this threat? Strong security policies revolving around least privilege, spam filtering, and security awareness are great starts. HP TippingPoint customers can enable Filter 16441 "HTTP: Dyre Malware Communication Attempt", created by the DVLabs team and shipped on July 1st, 2014 on DV8575. The mainline DV will be updated on July 29th, and customers looking to proactively deploy the updated filter can request a custom CSW.

Join us at HP Protect, September 8-11, in Washington DC!
