Researchers Found a New Banker Trojan that Bypasses SSL Mechanism

Securityweek.com reported on 16th June, 2014 stating that security researchers of security firms PhishMe and CSIS (Center for Strategic and International Studies) have discovered a new strain of malware being used in a campaign to bypass SSL (Secure Sockets Layer) and collect bank credentials.

The Trojan, known as Dyre or Dyreza among researchers, uses a technique where browser hooks to cut off traffic flowing between the victim's system and the targeted web site.

The malware comes to inboxes of users through spam messages and many of them look to have come from financial institutions.

The malware gets installed on the machine as soon as the user opens the ZIP file attachment in a spam message and then the malware establishes communication with a command-and-control server.

Researchers of CSIS in Denmark discovered a couple of C2 servers and found that one of the servers had an integrated money-mule panel for numerous accounts based in Latvia. The main objective of the malware is to steal users' e-banking details and other financial information and many banking trojans do it in different ways as creators of Dyreza decided to use browser hooking technique to defeat SSL.

When users visit any of the targeted financial sites and log in, the malware intercepted the data on the website and directly send it to attackers.

Crn.com published news on 16th June, 2014 quoting Peter Kruse, Head of eCrime Unit and CTO for Security Group of CSIS as saying "cybercriminals use a MiTM (man-in-the-middle) approach to read anything including SSL traffic in clear text. We believe this is a family of new banker Trojan and not coming from Zeus source code."

Softpedia.com reported on 16th June, 2014 quoting Ronnie Tokazowski, a Senior Researcher of PhishMe, as saying "Dyre/Dyreza looks for queries to Bank of America, Citigroup and the Royal Bank of Scotland."

However, researchers of CSIS discovered that the malware targeted Ulsterbank and Natwest also.

Presently, many antivirus products are available to secure the machines from infection by Dyre/Dyreza Trojan. This is in spite of all efforts made by the author to prevent its detection and analysis.

» SPAMfighter News - 6/23/2014