DYRE trojan targets Spain

Botnet

Although it is just a few months old, the DYRE Trojan (aka Dyreza) is currently the busiest banking malware. Since early this year, a fairly proactive gang has been adding aggressive features to the binary while working to increase its infrastructure and monetization capacity. Progress has been noticed on two different fronts:
  • Expansion of the botnet's geographical area: the binary is spread through spam campaigns with malicious attachments. At first these were limited to English-speaking countries, but they have since expanded their reach.
  • Incorporation of new banks: DYRE is configured via the usual file that lists the banks the Trojan must act on. As the botnet's area of influence has expanded, the list of entities has also grown, as shown in the following chart.


Given this growth, it was just a matter of time before Spain, so far outside the campaign, entered the list. The latest version of the configuration file was distributed a few days ago; in it, at least five Spanish banks, along with others in Colombia, Chile and Venezuela, have been included for the first time.
The countries currently targeted by the criminals are reflected in this map:
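The observation above (new entities and new countries appearing between two versions of the target list) is exactly what an analyst tracking a banking trojan's configuration wants to automate. The following is an added example, not code from the S21sec post or from the malware; the record format (country code, entity name) and every entry in it are constructed for illustration, since the page does not describe the actual DYRE configuration format. Given two snapshots of a target list, it reports which entities were added, which countries appear for the first time, and how the per-country count changed.

```python
"""Compare two snapshots of a banking-trojan target list.

Added example, not from the original post or from DYRE itself.
The (country_code, entity) record format and all entries below are
constructed for illustration only.
"""
from collections import Counter

# Constructed snapshot of an earlier configuration version.
OLD_TARGETS = [
    ("GB", "bank-one.example"),
    ("GB", "bank-two.example"),
    ("US", "bank-three.example"),
    ("US", "bank-four.example"),
]

# Constructed snapshot of the newer version: one more US entity,
# plus first-time entries for Spain, Colombia and Chile.
NEW_TARGETS = OLD_TARGETS + [
    ("US", "bank-five.example"),
    ("ES", "banco-uno.example"),
    ("ES", "banco-dos.example"),
    ("CO", "banco-tres.example"),
    ("CL", "banco-cuatro.example"),
]


def new_entities(old, new):
    """Entries present in the new list but not in the old one, in list order."""
    seen = set(old)
    added = []
    for entry in new:
        if entry not in seen:
            added.append(entry)
            seen.add(entry)  # also suppresses duplicates inside the new list
    return added


def new_countries(old, new):
    """Country codes that appear in the new list for the first time."""
    old_codes = {cc for cc, _ in old}
    return sorted({cc for cc, _ in new} - old_codes)


def per_country_growth(old, new):
    """Target count per country in both versions, as {cc: (old_count, new_count)}."""
    before = Counter(cc for cc, _ in set(old))
    after = Counter(cc for cc, _ in set(new))
    return {cc: (before[cc], after[cc]) for cc in sorted(set(before) | set(after))}


def summarize(old, new):
    """Bundle the three comparisons into one report dictionary."""
    return {
        "added": new_entities(old, new),
        "first_time_countries": new_countries(old, new),
        "growth": per_country_growth(old, new),
    }


if __name__ == "__main__":
    report = summarize(OLD_TARGETS, NEW_TARGETS)
    print(f"{len(report['added'])} new entities; "
          f"first-time countries: {report['first_time_countries']}")
    for cc, (before, after) in report["growth"].items():
        print(f"  {cc}: {before} -> {after}")
```

The comparison is keyed on the full (country, entity) pair so that the same entity name appearing under a second country is reported as a new target rather than silently merged.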


While its behavior is similar to the well-known ZeuS, DYRE presents some interesting approaches to the fraud process that deserve to be analyzed in an upcoming post 🙂

S21sec eCrime