WyzGuys Tech Talk

Dyre Wolf is one version in the family of banking Trojans that started with Zeus and NeverQuest, and now includes Dridex, SpyEye, Shylock,Shifu, Gozi, and Tinba.  Banking Trojans are designed to sit unnoticed on your computer, and to capture your banking and financial login credentials and send them to criminals who use the information to empty your accounts.  They are among the worst exploits that can happen to you, followed closely by crypto-ransomware, and the compromise of your email account.

It appears that the botnet and command and control servers that were running Dyre have been idle since the November 19th arrest of a cyber-gang by police in Russia.  Dell Secure Works reported that all Dyre activity had dropped off an remains unresponsive.

This opens the door for other gangs running other botnets distributing banking Trojans to step into the vacuum.  Security professionals and researchers are keeping an eye on the Gozi, Drydex, and Tinba exploits, as they are extensively deployed.

According to Trend Micro, “The GOZI banking Trojan is a spyware that monitors traffic. With its screen capture and keylogging function, it can obtain login credentials stored in browsers and mail applications. GOZI uses rootkit component to hide related processes, files, and registry information.”

“TINBA was derived from the combination of the words “Tiny” and “Banker”. Users get infected via Blackhole exploit kit, and are aimed primarily at users in Turkey. Using web injects, it steals user login information from websites. TINBA has also been linked to other activities such as money mules, pornographic sites, shady Web hosting, and other information-stealing malware.”

“DRIDEX is an online banking malware that steals personal information and banking credentials through HTML injections. Designed to target customers of financial and banking institutions, DRIDEX variants arrive onto the users’ systems via spammed messages in emails, which come with malicious attachments—a Microsoft Word document that contains a malicious macro code.  Once executed, the malware monitors online banking-related activities with configuration files that contain a list of banks based in Europe, Australia, UK, and the US. It then performs information theft through form-grabbing, screenshots, and site injections.”

Banking Trojan exploits almost always start with a phishing email, and usually has an attachment that, when opened, loads the remote access component.  The RAT phones home, and downloads and installs the remaining malware components.  Inbox vigilance is your best defense.  Never click on a link in an email or open an attachment without verifying the source of the email first.

Using a dedicated non-Windows computer for banking is even better.  A Chromebook is perfect, since no software can be installed on this system.  Everything runs on the Chrome browser, which is all you need to bank online.  A Live CD boot disk is fully secure, too.  Linux is another options, although not fully immune.    Under no circumstances should you ever read email on your dedicated banking system.  Following these simple rules will keep you out of the clutches of banking Trojans.

More information

• Trend Micro – History of Banking Trojans
• Dark Reading – Dyre Goes Quiet
• Dark Reading – New Shifu Banking Trojan