Dyre Trojan almost dead after 'takedown' by the Russians

Dyre has gone dark
Dyre has gone dark

Symantec confirmed yesterday that all spam campaigns spreading Dyre stopped suddenly on 18 November and have not re-started since.

Infection rates involving Dyre – which has plagued the customers of over 1000 mainly UK and US banks and other companies – have dropped dramatically since November, from over 9000 a month to under 600.

The likely cause is a raid by Russian law enforcement agencies last November on the Moscow offices of a film distribution and production company called 25th Floor.

News of this takedown only emerged on Saturday, when Reuters reported that several sources had confirmed the raid happened – but that neither the Russian Government nor 25th Floor would answer questions about it. Reuters stated that it could not prove a direct link between the raid and Dyre's shutdown.

But Symantec has stepped in with telemetry that clearly shows the Dyre crime gang have all but “ceased activity”.

In a 8 February blog, its senior information developer Dick O'Brien said: “The group controlling Dyre appears to have suffered a major blow following a Russian law enforcement operation in November. Telemetry has confirmed a virtual cessation of the group's activities. They had been dispatching between one and 15 separate email campaigns per day. Dyre-related campaigns halted abruptly on November 18 and none have been observed since.”

Dyre was one of the world's most prolific banking botnets, used to steal tens of millions of pounds. It targeted Windows users, snooping on their online banking sessions and stealing their credentials.

Dyre is configured to attack the customers of over 1000 organisations, mainly banks and electronic payments providers, and mainly in the US and UK. Targets include NatWest, Barclays, HSBC, Lloyd's Bank and Santander, as well as Citibank, JP Morgan Chase and PayPal.

Cyber-experts have welcomed its shutdown which, if confirmed, reflects a sea-change in the Russian authorities helping to police global cyber-criminals based on their home soil.

In the past, Russia had a reputation for only acting against cyber-gangs who targeted Russian citizens themselves, and takedowns inside Russia have been rarely reported – one notable exception being the 2013 arrest of ‘Paunch', author of the notorious BlackHole malware toolkit.

Alan Woodward, visiting Professor at Surrey University and an adviser to Europol, the EU's law enforcement agency, told SCMagazineUK.com: “It's deeply encouraging to see the Russians have come down on these criminals. In case they needed to be reminded, it's the Russians saying ‘look we're not a safe haven for you to sit here and commit crimes'.

“Cross-border co-operation between the Russian and Europeans is getting better. This action is the result of perhaps a change of heart that happened some time ago. The Russians aren't daft. They've had incidences where the price of the rouble has been moved by some cyber-attack, so it's absolutely worth them helping.”

Dick O'Brien at Symantec told SC: "While this isn't the first time Russian authorities have dismantled cyber-crime operations, we believe that this takedown is significant since Dyre was believed to be one of the two biggest banking Trojans currently in circulation (alongside Dridex) and this appears to have taken the group offline completely."

This is in contrast to an October 2015 takedown operation against Dridex. Symantec stats show the number of Dridex infections has not dropped since.

Woodward said this might be because the Dyre action hit the criminals' infrastructure, as well as the gang themselves.

“You can arrest the gang but some of the infrastructure might stay in place. The trick is getting to people like the bulletproof hosters. In the past some of them have based themselves in Russia, and this shows the Russians aren't going to stand for that either.

“It's not just the criminals, it's their technical infrastructure that needs to be taken down, and that's what I think you've seen happen with the Russians. Dridex wasn't done in quite the same way.”

We asked Europol for its view on the takedown, but an official said: “We cannot comment on the operational activities of the Russian national authorities.”

According to Reuters, Kaspersky Lab helped in the Russians' clampdown on Dyre. We asked Kaspersky about this, but it said: “It's a general policy that Kaspersky Lab does not comment on any law enforcement investigations.”

In its blog, Symantec said Dyre was spread via the Upatre downloader, which had also been used to distribute at least seven other malware families. O'Brien said the Dyre crime gang were among the main users of Upatre and there has been a “huge fall” in Upatre infections since November, down from more than 250,000 a month to under 20,000.

In a bizarre twist, Reuters said 25th Floor is currently producing a cyber-crime thriller called ‘Botnet', based on the real-life case of a multi-million dollar scam.