Firms track Dyre's rise to top financial malware threat

News by Danielle Walker

In the year following Gameover Zeus takedown efforts, Dyre has steadily emerged as the financial trojan of choice among cyber-criminals.

Dyre malware, which quickly emerged as one of the most prominent financial trojans following the Gameover Zeus botnet takedown last June, is still steadily making its mark in the underground market – and in victims' accounts – prompting researchers to deem the threat a malicious tool successfully, though likely temporarily, filling the void of Zeus.

On Tuesday, Symantec released a whitepaper (PDF) on Dyre and its impact on the financial fraud landscape, noting that the malware targets all three major browsers (Internet Explorer, Firefox, and Chrome), and that it has been configured to target customers at more than 1,000 banks and other firms around the globe. Users in the US and UK have primarily been targeted by the trojan, Symantec added in a blog post covering its research.

Noting its credential-stealing capabilities, the firm said that the malware uses “several different types of man-in-the-browser (MITB) attacks against the victim's web browser to steal credentials."

"One MITB attack involves scanning every web page visited and checking it against a list of sites Dyre is pre-configured to attack,” Symantec explained. If matched, the victim is redirected to a malicious website, designed to look like a legitimate banking site, so fraudsters can snatch up information entered by users. Dyre is also known to use other tricks to capture users' banking data, including altering the display of legitimate websites, or displaying pages to victims notifying them that their computer “has not been recognised,” as a means of getting them to hand over sensitive information, including credit card data, PIN codes and their date of birth, the blog post explained.

Dyre was also described as a “gateway to other threats,” as it is often used to install other malware – Symantec has so far spotted seven malware families distributed through the Dyre botnet.

In a Wednesday interview with in the US, Satnam Narang, senior security response manager at Symantec, said that, in general, “financial trojans are very lucrative and they do serve a primary purpose in the cyber-crime underground economy.”

“Dyre has certainly emerged and become the primary fraud tool – it has filled that void" left by Zeus, he said.

In the midst of Dyre's emergence as a top financial malware threat, other firms have charted its infection path.

Earlier this month, Trend Micro found that there were nearly 9,000 Dyre infections in the first quarter of 2015, up from 4,000 infections seen in the previous quarter. At the time, 39 percent of infections were attributed to European users, while North American users accounted for another 38 percent of malware attacks.

Christopher Budd, global threat communications manager at Trend Micro, told in an interview that it's important to note the overall trend in online banking malware families increasing year over year.

“I see this as a spike within what has been a longer, broader trend,” he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews