Thanks again to US-Cert for producing a perfect example of The Malware Reporting Standard output!
Another teaching moment to demonstrate how financial organizations can use Malware Management to check their systems for possible exposure to a phishing campaign targeting banking folks with the Dyre malware.
US-CERT points out exactly what we defenders, incident responders, and yes, the IT public need to know about the Dyre malware. Read this notice! What do you see as the takeaways?
1. Affects Windows based systems
2. Dyre uses the Windows directory for the file drop, not the AppData user structure, which is worse if it gains a foothold. Dropping an executable in \Windows is odd... and randomly named too. How many programs do you know that use a random funky name.exe like this?
Ninja Tip - There are only a few executables normally found in \Windows... Explorer, HelpPane, HH, notepad, regedit, splwow64, sttray64, twunk_16, twunk_32, winhlp32, write.exe and maybe some AV client files. There are only two TWAIN DLLs as well, and maybe some support files for your AV or other agents. Any additional .EXE or .DLL found here has a high probability of being malware!
File auditing enabled on this directory for Create files and Create folders lets you look for EventID 4663 to detect a NEW file drop!
3. Dyre installs a service called "Google Update Service". Clever little malwarians... Google's update service is actually called "gupdate" and "gupdatem", with a generic description of 'Google Update Service'. Sneaky, but easy to spot.
4. Remember your 'Windows Logging Cheat Sheet' and look for EventID 7045 for a New Service Installed, and you'll catch service-based malware like Dyre!
5. The keys are in the Services key in the registry. You can check them manually, since enabling auditing under this key requires setting it for all subkeys and then filtering all the noisy keys out of your logs to be effective; not hard, but it takes a little time.
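As an added example (not code from the original post or from US-CERT), here is a PowerShell check that walks the three detections above on one host: the \Windows root baseline from the Ninja Tip, EventID 4663 file creates in that folder, and EventID 7045 new services. The $KnownGood list, the seven-day window and the 'Google Update' name heuristic are assumptions to tune for your own build and agents.

```powershell
# Added example (not from the US-CERT notice or the original post). The $KnownGood
# baseline, the seven-day window and the 'Google Update' heuristic are assumptions
# drawn from the post; tune them to your own build and agents before relying on them.
$winDir = $env:WINDIR
$since  = (Get-Date).AddDays(-7)

# Baseline from the Ninja Tip: the few EXEs/DLLs normally found directly in \Windows.
$KnownGood = 'explorer.exe','HelpPane.exe','hh.exe','notepad.exe','regedit.exe',
             'splwow64.exe','sttray64.exe','twunk_16.exe','twunk_32.exe',
             'winhlp32.exe','write.exe','twain.dll','twain_32.dll'

# Pull one named field out of an event's EventData block.
function Get-Field($evt, $name) {
    (([xml]$evt.ToXml()).Event.EventData.Data | Where-Object Name -eq $name).'#text'
}

# 1. Anything else sitting in the \Windows root is suspect: show its age and signature.
"== Unexpected EXE/DLL in $winDir =="
Get-ChildItem -Path "$winDir\*" -Include *.exe,*.dll -File -Force |
  Where-Object { $KnownGood -notcontains $_.Name } |
  ForEach-Object {
    [pscustomobject]@{ Name = $_.Name; Created = $_.CreationTime
                       Signature = (Get-AuthenticodeSignature $_.FullName).Status }
  } | Format-Table -AutoSize

# 2. EventID 4663: new file drops in \Windows. Needs 'Audit File System' (Object Access)
#    enabled and a SACL on \Windows for 'Create files' / 'Create folders'.
"== 4663 file creates directly under $winDir since $since =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $obj = Get-Field $_ 'ObjectName'
    if ($obj -match '\.(exe|dll)$' -and (Split-Path $obj -Parent) -ieq $winDir) {
      [pscustomobject]@{ Time = $_.TimeCreated; Object = $obj
                         Process = (Get-Field $_ 'ProcessName'); User = (Get-Field $_ 'SubjectUserName') }
    }
  } | Format-Table -AutoSize

# 3. EventID 7045: every new service, flagging the Dyre trick of a name like
#    "Google Update Service" that is not the real gupdate/gupdatem, or an image in the \Windows root.
"== 7045 new services since $since =="
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $name = Get-Field $_ 'ServiceName'; $path = Get-Field $_ 'ImagePath'
    $flag = ($name -like '*Google Update*' -and $name -notmatch '^gupdatem?$') -or
            ($path -match '^"?[A-Za-z]:\\Windows\\[^\\]+\.exe')
    [pscustomobject]@{ Time = $_.TimeCreated; Service = $name; ImagePath = $path; Suspicious = $flag }
  } | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since reading the Security log and the \Windows root with -Force requires administrator rights; an empty 4663 section usually means the audit policy or the SACL on \Windows is not in place rather than that nothing was dropped.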
There you have it, another educational moment on how to detect malware.