Firms track Dyre’s rise to top financial malware threat

Dyre malware, which quickly emerged as one of the most prominent financial trojans following the Gameover Zeus botnet takedown last June, is still steadily making its mark in the underground market – and in victims' accounts – prompting researchers to deem the threat a malicious tool successfully, though likely temporarily, filling the void of Zeus.

On Tuesday, Symantec released a whitepaper (PDF) on Dyre and its impact on the financial fraud landscape, noting that the malware targets all three major browsers (Internet Explorer, Firefox, and Chrome), and that it has been configured to target customers at more than 1,000 banks and other firms around the globe. Users in the U.S. and UK have primarily been targeted by the trojan, Symantec added in a blog post covering its research.

Noting its credential-stealing capabilities, the firm said that the malware uses “several different types of man-in-the-browser (MITB) attacks against the victim's web browser to steal credentials."

"One MITB attack involves scanning every web page visited and checking it against a list of sites Dyre is pre-configured to attack,” Symantec explained. If matched, the victim is redirected to a malicious website, designed to look like a legitimate banking site, so fraudsters can snatch up information entered by users. Dyre is also known to use other tricks to capture users' banking data, including altering the display of legitimate websites, or displaying pages to victims notifying them that their computer “has not been recognized,” as a means of getting them to hand over sensitive information, including credit card data, PIN codes and their date of birth, the blog post explained.

Dyre was also described as a “gateway to other threats,” as it is often used to install other malware – Symantec has so far spotted seven malware families distributed through the Dyre botnet.

In a Wednesday interview with, Satnam Narang, senior security response manager at Symantec, said that, in general, “financial torjans are very lucrative and they do serve a primary purpose in the cybercrime underground economy.”

“Dyre has certainly emerged and become the primary fraud tool – it has filled that void" left by Zeus, he said.

In the midst of Dyre's emergence as a top financial malware threat, other firms have charted its infection path.

Earlier this month, Trend Micro found that there were nearly 9,000 Dyre infections in the first quarter of 2015, up from 4,000 infections seen in the previous quarter. At the time, 39 percent of infections were attributed to European users, while North American users accounted for another 38 percent of malware attacks.

Christopher Budd, global threat communications manager at Trend Micro, told in an interview that it's important to note the overall trend in online banking malware families increasing year over year.

“I see this as a spike within what has been a longer, broader trend,” he added.

While Dyre “is big” in the underground market now, researchers will continue to see certain malware families “go in and out of style,” Budd suggested.

“Online banking malware has been a growing problem globally for awhile. And it makes sense, because that's where the money is [as] more people do their banking online,” he explained.

In Wednesday email correspondence with, Pallav Khandar, senior CTU security researcher at Dell SecureWorks, took note of other major players in the financial malware scene. In an April report (PDF), Dell deemed Dyre to be one the most prominent banking trojans in 2014.

“Yes, the Dyre banking trojan (also known as Dyreza, Dyzap and Dyranges) is definitely still one of the top three banking trojans targeting financial institutions and other organizations across the globe,” he wrote. “The other two leading banking trojans are the Gozi trojan… uncovered by Dell SecureWorks in 2007, and Bugat (including the Bugat v5 and Geodo variants) trojan. We have seen a significant increase in activity from all three of these bank botnets since the takedown of the Gameover Zeus botnet in June 2014.”

In its blog post, Symantec noted that, often, Dyre has been spread though a popular downloader tool, Upatre, used previously by Gameover Zeus and CryptoLocker attackers.

“Dyre is mainly spread using spam emails. In most cases the emails masquerade as businesses documents, voicemail, or fax messages. If the victim clicks on an email's attachment, they are redirected to a malicious website which will install the Upatre downloader on their computer… [which] acts as a bridgehead on the victim's computer, collecting information about it, attempting to disable security software, and finally downloading and installing the Dyre trojan,” the Tuesday post said.

In his interview with, Symantec's Narang added that basic security measures, long touted by security pros, can help users and organizations avoid compromise in the face of the growing Dyre threat.

“[Start by] making sure you have some form of security software on your computer, and keeping your system and any third-party software patched,” Narang said. “And be mindful and skeptical of any unsolicited communications received through email,” he added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.