"As it happens more and more often with financial malware, Dyreza is also a 'Crime as a Service network' that anyone can buy into," the web security firm observes. "To make it even more appealing – and, consequently, financially viable – the makers have also predefined a group of targets in the code configuration file. The targets are typically online banking websites. All cyber criminals have to do is buy the malware and deploy it. This is how low-tech attackers can target more unsuspecting victims and harvest their financial information to get into their bank accounts, while malware creators reap the financial benefits of massively selling the malware kits."

Most Dyreza infections begin with a "spray and pray" campaign: a spamming operation that, as International Business Times notes, targets random users and attempts to install the malware via the Upatre downloader. Once installed on a machine, the trojan steals the user's banking credentials and enlists the computer into a botnet. Some 80,000 machines have already been infected, and that number is expected to grow in the coming weeks. With Black Friday and the holiday season just around the corner, Heimdal anticipates that busy, multitasking users will choose convenience and sales over safety, which could lead to additional Dyreza infections.

At the same time, the Dyreza authors have added two new modules, "aa32" for 32-bit (x86) hosts and "aa64" for 64-bit (x64) hosts, that attackers can use to terminate a number of processes associated with endpoint security software. Killing the security agents lowers the trojan's detection rate among anti-virus products and, combined with the spam distribution, helps its operators stay resident on an infected machine for longer. Since the publication of Heimdal's post, Microsoft has updated its own information on Dyreza in a manner that corroborates the security firm's findings, as reported by ZDNet.
The tech giant is currently working to harden Microsoft Edge against web attacks and malware. In the meantime, it is alerting users to two telltale signs that might indicate a Dyreza infection. These are:
- The presence of two files: "%APPDATA%\local\[random alphanumeric characters].exe" and/or "%APPDATA%\local\[random alphanumeric characters].exe".
- Sudden firewall prompts asking to grant higher access privileges to programs such as "explorer.exe" and "svchost.exe".
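The first indicator above is easy to turn into a quick triage check. The script below is an added example written for this page; it is not code from Heimdal, Microsoft, or the Dyreza reporting, and it applies two assumptions: that "%APPDATA%\local" expands to the user's AppData\Roaming\local directory (the normal meaning of %APPDATA% on Windows), and that a "random alphanumeric" name can be approximated by an all-alphanumeric stem that mixes letters and digits and has high character entropy. The sample file listing is constructed for the demonstration. The function names (`flag_dyreza_candidates`, `looks_random`, `in_suspect_dir`, `scan_live_appdata`) are this example's own.

```python
"""Triage check for the Dyreza file indicator: a randomly named .exe in %APPDATA%\\local.

Added example, not part of the original article. Heuristic only: a hit is a file to
inspect (hash, signature, creation time), not a verdict.
"""
import math
import os
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumption: %APPDATA% is <profile>\AppData\Roaming, so the indicator's
# "%APPDATA%\local" is the directory whose path ends in AppData\Roaming\local.
SUSPECT_DIR_SUFFIX = ("appdata", "roaming", "local")
UNEXPANDED_SUFFIX = ("%appdata%", "local")      # the indicator as written, unexpanded
ALNUM_STEM = re.compile(r"^[a-z0-9]{6,}$", re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits per character of the (lower-cased) string; random strings score high."""
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str, min_entropy: float = 3.0) -> bool:
    """Heuristic for "[random alphanumeric characters]": purely alphanumeric,
    containing both letters and digits, with entropy >= min_entropy bits/char.
    Dictionary-style names such as "update" or "setup64" fall below the threshold."""
    if not ALNUM_STEM.match(stem):
        return False
    has_alpha = any(ch.isalpha() for ch in stem)
    has_digit = any(ch.isdigit() for ch in stem)
    return has_alpha and has_digit and shannon_entropy(stem) >= min_entropy


def in_suspect_dir(path: str) -> bool:
    """True when the file's parent directory is %APPDATA%\\local (expanded or not)."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parent.parts)
    return parts[-3:] == SUSPECT_DIR_SUFFIX or parts[-2:] == UNEXPANDED_SUFFIX


def flag_dyreza_candidates(paths):
    """Return the paths that match the indicator: an .exe in %APPDATA%\\local
    whose file name stem looks random."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() != ".exe":
            continue
        if in_suspect_dir(p) and looks_random(wp.stem):
            hits.append(p)
    return hits


def scan_live_appdata():
    """On a Windows host, scan the real %APPDATA%\\local; elsewhere returns []."""
    base = os.environ.get("APPDATA")
    if not base:
        return []
    target = os.path.join(base, "local")
    if not os.path.isdir(target):
        return []
    return flag_dyreza_candidates(os.path.join(target, name) for name in os.listdir(target))


# Constructed directory listing used to exercise the check offline.
SAMPLE_PATHS = [
    r"C:\Users\bob\AppData\Roaming\local\Xk9f2Qp7Lm.exe",  # random name, indicator path -> hit
    r"C:\Users\bob\AppData\Roaming\local\update.exe",      # same directory, dictionary name
    r"C:\Users\bob\AppData\Roaming\local\Xk9f2Qp7Lm.dll",  # random name but not an .exe
    r"C:\Users\bob\AppData\Local\Temp\a7Hq3kZ9pW.exe",      # %LOCALAPPDATA%, not %APPDATA%
    r"%APPDATA%\local\q4Zt8Wn1Gx.exe",                      # unexpanded form as in the indicator -> hit
]

if __name__ == "__main__":
    for hit in flag_dyreza_candidates(SAMPLE_PATHS):
        print("candidate:", hit)
    for hit in scan_live_appdata():
        print("live host candidate:", hit)
```

Running the script prints the first and last sample paths as candidates; on a Windows host it also lists any matching files in the real %APPDATA%\local. The entropy threshold is the tunable part: lower it and ordinary names such as "setup64" start to match, raise it and short random names slip through, so treat any hit as a lead to verify with the file's hash and Authenticode signature rather than as confirmation of infection.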