Indian security experts at Cert-In (Computer Emergency Response Team, India) have warned that a malware called Dyreza (also called Dyre) is on the prowl and is targeting banking institutions.
According to Cert-In, this is a Trojan mainly targeting customers of well-known financial institutions that run the Microsoft Windows operating system. The virus propagates via scam messages that look like they came from the financial institution and carry a .zip or .pdf file as an attachment.
According to the Cyber Security Intelligence Services (CSIS), the latest variant of the Dyreza (also called Dyre) malware has targeted several banks in Switzerland. According to this report, the Trojan arrived as spam e-mails with a PPT attachment that exploits the vulnerability CVE-2014-4114, also known as the Windows OLE Remote Code Execution Vulnerability.
How does the virus work?
On opening (extracting) the mail attachment, it copies itself onto the user's computer, thereby infecting it (it copies itself under C:\Windows\[RandomName].exe). It then steals important information such as online banking credentials, captures keystrokes and sends them to the command and control server. According to CSIS, the command and control servers of Dyreza are hosted at OVH in France.
The malware also knows how to bypass SSL protection using browser hooking, and hence is very dangerous.
The malware installs itself as a service named Google Update Service (googleupdate) and hence gets executed each time the system is rebooted.
How to recognize such a message?
According to CSIS, the Trojan comes as a spam email posing as one from a financial institution (for example, a bank). It might carry subject lines like these:
Unpaid invoic
New bank details
Invoice #[7 random numbers]
The attachment could be something like: Attachment: Invoice621785.pdf
Note that “spelling errors in the subject line are a characteristic of this campaign,” advises US-CERT, giving you an idea of how to spot the wrong message.
Is there a patch?
Since the virus, according to Cert-In, uses an Adobe Reader vulnerability (CVE-2013-2729), a patch has been released to plug this security loophole; download the patch here.
What more can you do?
Cert-In also advises changing your email settings so that files with extensions like .vbs, .bat, .exe, .pif and .scr are automatically filtered.
Delete any suspicious-looking emails you receive, especially if they carry links and/or attachments. Don't even open them, just delete them, says TrendMicro.
In case you suspect an infection, immediately change your online banking passwords. Remember to use a different, uninfected computer for this. Also alert your bank to any fraudulent transactions taking place.
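As an added illustration (not code from Cert-In, CSIS or this article), the subject lines listed above and Cert-In's attachment-extension filter can be combined into a simple mail-gateway triage rule; the addresses and the sample message are constructed for the example.

```python
import os
import re
from email import message_from_string

# Indicators taken from the advisory text (Cert-In / CSIS): the lure subject
# lines, the lure attachment types, and the extensions Cert-In says to filter.
SUBJECT_PATTERNS = [
    re.compile(r"^unpaid invoic\b", re.I),   # the campaign's own misspelling
    re.compile(r"^new bank details$", re.I),
    re.compile(r"^invoice #\d{7}$", re.I),   # "Invoice #[7 random numbers]"
]
LURE_EXTENSIONS = {".zip", ".pdf", ".ppt"}
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

def triage(raw_message: str) -> dict:
    """Return a quarantine verdict and the reasons behind it for one RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    reasons = []
    subject_hit = any(p.search(subject) for p in SUBJECT_PATTERNS)
    if subject_hit:
        reasons.append(f"subject matches Dyreza lure: {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            # Cert-In's recommendation: drop these regardless of the subject.
            reasons.append(f"blocked executable attachment: {name}")
        elif ext in LURE_EXTENSIONS and subject_hit:
            reasons.append(f"lure attachment with lure subject: {name}")
    return {"quarantine": bool(reasons), "reasons": reasons}

# Constructed sample resembling the described spam run (hypothetical addresses).
SAMPLE = """\
From: accounts@example-bank.invalid
To: customer@example.invalid
Subject: Invoice #6218753
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="Invoice621785.pdf"
Content-Disposition: attachment; filename="Invoice621785.pdf"

JVBERi0xLjQK
--b1--
"""
```

A real deployment would feed each inbound message through `triage` and route anything with a non-empty reason list to quarantine rather than to the user's inbox.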
Image source: Cert-In via CSIS and Phishme