Dyre Banking Trojan Avoids Sandbox Detection

Discussion in 'malware problems & news' started by Minimalist, May 1, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,060
    https://threatpost.com/dyre-banking-trojan-jumps-out-of-sandbox
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Looking at the IBM report [PDF], it's evident that with proper security in place, this trojan would never get onto disk in the first place:

    https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/Dyre_Wolf_MSS_Threat_Report.pdf

    ----
    rich
     
    Last edited: May 1, 2015
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    More hyperbolic statements, looks like another plain old hiding from sandbox analysis trick to me (that HMP.A takes advantage of).
     
  4. stvs

    stvs Registered Member

    Joined:
    Mar 17, 2013
    Posts:
    25
    Location:
    greece
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    This is why running with just Sandboxie alone is, to me, a bad idea. I may have what some would describe as a paranoia setup, but unless I absolutely wanted to let this by, it wouldn't make it.
     
  6. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    105
    Location:
    Palestine
    From the article:
    I think this article is focusing on sandboxes that help AVs/AMs to detect trojans/viruses, and not on how this trojan breaks sandboxes and executes on the real system; also, this trojan seems not to work at all while in AV/AM sandboxes.

    Really, I don't get the link between this article and its headline!

    Finally, I think I remember reading something about this trick in the past: "checking the number of cores to DETECT if it is running under sandbox or not".
     
    Last edited: May 2, 2015
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,060
    Yes, the headline is not in line with the article. If you hover over the tab you get another description: "Dyre Banking Trojan Avoids Sandbox Detection", which is IMO more accurate.

    Mods can change thread title to make it more accurate.
     
  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,940
    Location:
    U.S.A.
    Done!
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I agree, it should always be combined with a behavior blocker, because only a BB/HIPS will notify you of suspicious behavior, no matter if malware is running inside or outside the sandbox. On the other hand, from what I've read, most banking trojans aren't even able to run or work correctly inside the sandbox, because of the limited rights inside the virtual container.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,060
  11. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,060
    It only means that malware is aware of some sandboxes and won't execute or will change its behavior if one is detected. This way, solutions that use these sandboxes will have more problems detecting malware while using their sandbox to analyze it.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Your question has already been answered in this thread; it can't bypass a sandbox like Sandboxie.

    EDIT: I just saw Minimalist's post.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Trusteer Rapport, assuming you can live with the performance impact and privacy issues, is only at maximum effectiveness if your bank has its corresponding software installed on their servers. In that case, a secure tunnel is established between your PC and the bank server. If the software is not installed on the bank server, Rapport's protection is on par with most of the AVs' online banking protection.

    Sandboxie isn't going to protect you against a MITM or even a MITB attack.
     
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,955
    Location:
    DC Metro Area
    ".......VXers have cooked up Windows 10 and Edge support for the nasty Dyre or Dyreza banking trojan.

    The banking bomb has ripped untold fortunes from victims and passed them into the hands of its authors. In at least one instance alone IBM says more than one million dollars was plundered from an organisation.

    At present it has infected some 80,000 machines with that number expected to rise. It can also target Mozilla Firefox, Google Chrome, and of course Internet Explorer.........."

    http://www.theregister.co.uk/2015/11/19/edgy_online_shoppers_face_dyre_christmas/
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Dyre will inject a .dll into the browser. However, by that time you are infected. What starts off the whole process is a .dll injection into svchost.exe. So that is the process you want to protect against .dll injection.

    Best way to stop Dyre is to prevent its malicious service creation in this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\*. Note from the below link I posted how it creates its service as a GoogleUpdate service.

    Good technical analysis of Dyre here: http://www.symantec.com/content/en/...response/whitepapers/dyre-emerging-threat.pdf
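
The audit suggested in the post above (watch the services key for an entry posing as Google Update) can be sketched as follows. This is an added example, not code from the thread or from the linked whitepaper; the name pattern and the expected install directories are assumptions about a genuine Google Update installation, and the sample values in the test are constructed.

```python
"""Flag services that present themselves as Google Update but run from elsewhere."""
import ntpath
import re

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
# Assumption: genuine Google Update binaries live under one of these directories.
EXPECTED_DIRS = (
    "c:\\program files\\google\\update\\",
    "c:\\program files (x86)\\google\\update\\",
)
# Assumption: names a look-alike service would use (hypothetical pattern).
LOOKALIKE = re.compile(r"google\s*update|gupdate", re.I)


def binary_path(image_path):
    """Extract the executable path from an ImagePath value (quoted or not)."""
    value = image_path.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|sys))(?:\s|$)", value, re.I)
    return m.group(1) if m else value


def is_suspicious(name, display_name, image_path):
    """True when the service claims to be Google Update but lives elsewhere."""
    if not LOOKALIKE.search(f"{name} {display_name}"):
        return False
    # normpath collapses "..\" so a traversal cannot fake the expected prefix
    path = ntpath.normpath(binary_path(image_path)).lower()
    return not path.startswith(EXPECTED_DIRS)


def read_services():
    """Yield (name, DisplayName, ImagePath) for each service; Windows only."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as key:
                values = {}
                for field in ("DisplayName", "ImagePath"):
                    try:
                        values[field] = str(winreg.QueryValueEx(key, field)[0])
                    except FileNotFoundError:
                        values[field] = ""
            yield name, values["DisplayName"], values["ImagePath"]


if __name__ == "__main__":
    for svc in read_services():
        if is_suspicious(*svc):
            print("REVIEW:", svc)
```

A hit only means the entry deserves a closer look (signature, creation time, parent process); it is not proof of infection.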
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    But I wonder if I understood it correctly, because I didn't even know that it was possible to protect your own process against DLL injection? If it's true then Edge will become immune to a lot of banking trojans, since most if not all use code injection to hijack the browser. I suppose "Module Code Integrity" is a new feature in Win 10? They could easily add this feature to other essential Windows processes.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I wouldn't hold my breath on this ever happening for all Windows processes. It is something that should have been part of Windows OSes from the start. Something that was always part of Unix.

    they upgraded the rendering engine that powers the browser to “EdgeHTML 13,” something that brings kernel-level protection against code injection. Going forward, the mechanism should block DLL injections on the browser, unless they’re components signed by Microsoft, or Windows Hardware Quality Lab (WHQL), Cowan claims.

    By enforcing code integrity within the kernel, as opposed to in the process, the company claims it will make it so ad injectors can’t turn off the integrity check, something a hacker could disable otherwise.

    Ref.: https://threatpost.com/microsoft-cracks-down-on-toolbars-unsigned-dlls-with-edge-update/115410/

    You can read about mshtml.dll which is the rendering engine IE uses here: https://msdn.microsoft.com/en-us/library/bb508515(v=vs.85).aspx .

    Also would not be surprised if a bypass for EdgeHTML doesn't appear in the near future since it is .dll based. From what I can glean from literature on Module Code Integrity, Edge uses WIN 10 to copy the process startup .dlls to the kernel for protection. I haven't seen anything to date that would prevent memory based .dll injection into Edge. -EDIT- If this .dll was signed, I assume it would also be copied to the kernel w/o issue. Remember our "zombie" process discussion. Startup a suspended browser instance, memory inject our signed malicious .dll, and then start the modified browser instance.

    Finally, there is the issue of what impact MCI will have on existing security software that presently inserts its own hooks into the browser.
     
    Last edited: Nov 22, 2015
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    I think there is a big thing that is being missed here. The article gave it away. Emails with attachments. Leads to a couple of things.

    1. Change the dumb default that blocks extensions. I see many files in email zip files that are exe's of some form but with a Word icon. So they look like a Word doc until you see the extension.

    2. Educate employees about what the extensions are and how to detect these obviously fake emails and attachments.

    3. Create a work environment where employees are encouraged to challenge a suspicious email from the boss rather than being afraid to do so.
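
The case described in the post above (executables inside zip attachments, dressed up to look like Word documents) is something a mail filter can check before the user ever sees an icon. The following is an added example, not part of the original thread; the extension lists are an assumed, non-exhaustive set and the sample archive is constructed with harmless placeholder bytes.

```python
"""Flag zip attachment members that would execute when double-clicked."""
import io
import zipfile

# Assumed, non-exhaustive set of extensions Windows runs or script-hosts directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".wsf", ".lnk"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}


def risky_members(zip_bytes):
    """Return [(member, reason)] for entries with an executable final extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Only the final extension decides how Windows opens the file.
            name = info.filename.rsplit("/", 1)[-1].rstrip(". ")
            parts = name.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in EXECUTABLE_EXTS:
                continue
            reason = "executable extension " + ext
            # "report.doc.exe" or "report.doc      .exe": document name as decoy
            if len(parts) > 2 and "." + parts[-2].strip() in DOCUMENT_EXTS:
                reason = "document name hiding " + ext
            findings.append((info.filename, reason))
    return findings


def build_sample():
    """Constructed sample archive; contents are harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_2015.doc.exe", b"placeholder")
        archive.writestr("notes.txt", b"placeholder")
        archive.writestr("scan.scr", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in risky_members(build_sample()):
        print(f"{member}: {reason}")
```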
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes, in theory it does sound good, but nothing is foolproof; I would always still rely on HIPS to block code injection. I hope they will publicize more info about this new feature, and I can't imagine that only Edge will implement this feature; this is something that all browsers could use.
     
  22. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    446
    Location:
    U.S. Citizen
    What can stop this Trojan? Name a few security software, please!
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    This malware is delivered via e-mail, so start there. Install an e-mail client of your choice. Most will disable all active content by default but double check that setting. Also make sure e-mail attachments are not opened by default. I only allow e-mail to be displayed in text mode.

    Next install a security product that will scan all incoming e-mail. Assuming you will receive all incoming e-mail encrypted from your ISP provider, that presents an issue. Your security solution has to have the ability to scan encrypted e-mail. The only way it can do that is by installing its own root cert. to do so. Presently products that can scan encrypted communications are Eset, Kaspersky, Avast, and BitDefender. Note that depending on the product selected, you might have to manually activate SSL protocol scanning. Just make sure the product selected supports the e-mail client you use. Many do not support the Thunderbird e-mail client. Eset does but you may have to manually import Eset's root CA cert. into the corresponding root CA in Thunderbird.

    Finally, never ever open any type of compressed format e-mail attachment unless you fully trust the origin of the e-mail.
     
  24. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    446
    Location:
    U.S. Citizen
    @itman,

    Nice read and explaining about this Trojan! Also thank you for the details! :thumb:

    Kind regards,
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    And if this trojan does manage to run, a tool like HMPA should at least warn you about it. Zemana, SpyShelter are also designed to interfere with it. And don't forget about AV's of course.
     