Renewed Dyre Commands

Dyre uses a windows pipe for inter-process communication, passing commands from the main module it injects into the “windows explorer’ process to other processes. The commands are passed both to browsers launched by the user and stealthy worker-processes launched by the malware itself.

In the new sample, most of the commands discussed in previous F5 research have been replaced and a few new ones have been added, along with new functionality.

The following is a list of new commands and their functions:

• 0xF1″lli” – Get the botid name
• srvv – Get the C&C IP
• dpsr – Get the data POST server IP
• grop – Get the botnet name
• seli – Get the self-IP
• gcrc – Get the fake pages configuration
• gcrp – Get the server-side webinjects configuration
• pngd – Get the account information stolen by the pony module
• sexe – Among other jobs, it copies the droppee path and its content both to Dyre’s special structure and the configuration file on disk. It also tries to get the anti-antivirus module from the C&C.
• gsxe – Get the droppee path

Additional Protection Layers

Here is a list of new features designed to add protection from removal and detection:

Pipe Name

The pipe’s name is no longer hardcoded (e.g. “\\.\pipe\3obdw5e5w4”). It is now based on a hash of the computer name and windows OS version.