Dyre Trojan Bypasses Detection, Assessment by Sandboxing
Security firm Seculert says its researchers have found a new version of the Dyre banking Trojan that uses a simple but cunning technique to evade sandboxes and so avoid analysis, securityweek.com reported on May 1, 2015.
Explaining Dyre's evasion technique, Seculert states that the malware includes a routine that counts the processor cores active on the infected PC; if it detects two or more, Dyre immediately halts its malicious activity.
Sophos, another security company, had documented the same behaviour earlier, in April. It suggests splitting the available processor cores into two parts inside a VM.
Seculert CTO Aviv Raff said his company tested Dyre's VM-evasion trick against the products of eight security vendors, half of them free and the other half paid, each configured with a single CPU core. None of the products was able to detect and analyse the malware sample, Softpedia.com reported on May 4, 2015.
The criminals, it seems, did their own research to work out how effective this technique is at slipping past sandboxing solutions undetected. Seculert has since shared all the details with the security vendors, Raff said.
Seculert's research paper notes one more change in Dyre: a new user-agent string.
It adds that changing user-agents has long been known as a way of evading signature-based detection, and that a number of small modifications were made so that Dyre behaves differently, another technique for bypassing signature-based solutions. Threatpost.com reported this on May 1, 2015.
Raff explains that Dyre's success in eluding sandboxes shows once again that sandboxing on its own is not a complete security approach. To spot evasive malware, machine learning and outbound traffic analysis must be included so that the security solution can cope with today's worsening threat landscape, the CTO concluded.
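As an added illustration of the outbound traffic analysis Raff recommends, and of why a changed user-agent string does not help the malware much once traffic is baselined, the following Python code is an example written for this article; it is not Seculert's, Sophos' or any vendor's tooling. The proxy log format, host names, destinations and user-agent strings are constructed for the example. It flags user-agents that appear on only one host in the fleet (a new agent introduced by a single infected machine is rare even if no signature knows it) and host-to-destination pairs whose request intervals are machine-regular.

```python
# Added example: baseline-based outbound traffic analysis. Not code from the
# article or from any vendor it mentions; log lines below are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination> <user-agent>"
SAMPLE_LOG = """\
2015-05-01T09:00:00 ws-17 news.example.net Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
2015-05-01T09:00:05 ws-17 mail.example.net Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
2015-05-01T09:01:00 ws-17 203.0.113.10 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2015-05-01T09:06:00 ws-17 203.0.113.10 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2015-05-01T09:11:00 ws-17 203.0.113.10 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2015-05-01T09:16:00 ws-17 203.0.113.10 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2015-05-01T09:03:00 ws-42 news.example.net Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
2015-05-01T10:15:00 ws-42 mail.example.net Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
"""


def parse_log(text):
    """Parse the constructed proxy lines into dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, ua = line.split(" ", 3)  # user-agent may contain spaces
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "dest": dest, "ua": ua})
    return events


def rare_user_agents(events, max_hosts=1):
    """Return {user_agent: {hosts}} for agents seen on at most max_hosts hosts.

    Prevalence, not a signature, is the test: a user-agent string that only
    one machine in the fleet ever sends stands out whatever its contents.
    """
    hosts_by_ua = defaultdict(set)
    for e in events:
        hosts_by_ua[e["ua"]].add(e["host"])
    return {ua: hosts for ua, hosts in hosts_by_ua.items()
            if len(hosts) <= max_hosts}


def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Return (host, dest, mean_interval_seconds) for regular check-ins.

    Gaps between successive requests from one host to one destination are
    measured; a coefficient of variation at or below max_jitter means the
    timing is machine-regular rather than driven by a person browsing.
    """
    times = defaultdict(list)
    for e in events:
        times[(e["host"], e["dest"])].append(e["ts"])
    beacons = []
    for (host, dest), stamps in sorted(times.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((host, dest, avg))
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ua, hosts in rare_user_agents(evs).items():
        print(f"rare user-agent on {sorted(hosts)}: {ua}")
    for host, dest, avg in find_beacons(evs):
        print(f"beacon-like traffic {host} -> {dest} every {avg:.0f}s")
```

On the constructed sample, the only flagged agent is the one that ws-17 alone sends to 203.0.113.10, and the same pair is reported as beaconing every 300 seconds; the Firefox agent shared by ws-17 and ws-42 is left alone. On real proxy logs the prevalence threshold and jitter tolerance need tuning to the fleet, and rare agents from legitimate update clients are the usual source of noise.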