
Dyre Malware Picks Up Where Zeus Left Off

Since the takedown of the Zeus botnet in June 2014, fraudsters have moved to a new malware of choice, known as Dyre, which also seeks to obtain online banking credentials by mimicking hundreds of different financial institutions worldwide, including 70 in the United States. The malware can infect IE, Chrome and Firefox users, and infections continue to grow, particularly in the U.S. and Europe.


As more consumers bank online, fraudsters have increased their efforts to steal online banking credentials, either to use directly or to sell to other fraudsters on the black market. Banks take measures to protect client account credentials from intrusion and data breaches, so fraudsters often target consumers with malware to get this information instead. For years fraudsters used variations of the infamous Zeus malware, which had infected over 3.6 million PCs before being shut down by the FBI. Since its takedown, however, fraudsters have found a new malware kit to fill the gap. Known as Dyre, this malware infects machines in an attempt to obtain banking login information, and has several nasty tricks to do so.


Security firm Symantec first detected the Dyre malware in June 2014, following the shutdown of the Gameover Zeus botnet. Detections of the Dyre malware spiked two months later, in August, and have continued at increased levels since. According to Trend Micro, there were 9,000 Dyre infections in Q1 2015, up from 4,000 in Q4 2014. Over 39 percent of these infections came from users in Europe, while 38 percent occurred in North America during Q1 2015.


The Dyre malware is primarily spread via spam emails containing a malicious attachment. Often these are made to look like fax or voicemail messages, but instead lead the user to download a reconnaissance downloader tool known as Upatre, which was also used with the Gameover Zeus malware. This application attempts to disable security software before downloading and installing the Dyre malware without the user’s knowledge. Once infected, the machine may see other forms of malware installed; Symantec identified seven malware families that have been distributed through the Dyre botnet.


Once installed, the main objective of the Dyre malware is to obtain online banking login information. The program will scan web history to look for online banking sites the malware is pre-configured to target and attack. More than 1,000 banks and other companies can be targeted with Man-in-the-Browser (MitB) attacks, such that if a user of the infected machine visits one of these sites, they are redirected to a lookalike pharming site. The consumer may then be redirected back to the legitimate site, or may be taken to a screen that says the device is not recognized and that more information, such as a PIN or date of birth, needs to be collected.


One of the reasons the Dyre malware has grown so quickly is its global applicability. The malware targets consumers using different online banking services all over the world, including 70 financial institutions in the United States, 67 in the United Kingdom, 36 in Australia, 33 in Germany and 29 in France. It also targets each of the 3 major web browsers: Internet Explorer, Mozilla Firefox and Google Chrome.


Fraudsters will continue to target consumers, the weakest link, to try to gain access to their financial accounts. It is relatively easy for fraudsters to buy malware kits online to target consumers and steal their credentials, and Dyre has emerged as the top choice now that Zeus has been taken down.

