It's been a year now since the Dyre malware family was first profiled, and there is no sign of infection rates slowing down. In fact, reports would seem to suggest just the opposite, with infections up from 4,000 at the end of last year to 9,000 at the start of this, the lion's share being split pretty evenly between European and North American users.

So I was interested to spot this tweet from Ronnie T (@iHeartMalware), who is actually Ronnie Tokazowski, a senior researcher at PhishMe, which declares: "I'm tired of dumping #Dyre configurations by hand. So I wrote a python script to do it. Enjoy folks!"

[Image: dyredumper.jpg]

Ronnie explains "It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre. To dump the memory, you can use Process Explorer to do a “full dump” on the process they inject into. (Typically the top-most svchost.exe, sometimes explorer.exe)."

Here's the script for all you Python fans to have a look at.

[Image: dyredumper2.jpg]

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Would be sweet if there was volatility#2, that contains scripts per malware family

Edited 1 Year Ago by Slavi

Interesting. It can be improved by using the standard modules argparse for command line parsing and subprocess to get output and error from called commands.

Hello Davey,

Thanks for picking up the article, and I really appreciate it being hosted! Hopefully I can answer a few of the questions as they come in.

Slavi,

On the side of Volatility, I do know that there is a plugin for Volatility which can be found here: http://cybermashup.com/2015/02/11/volatility-plugin-for-dyre/

I wanted to go this route as ProcExp is one of the things I typically use, and while Volatility is awesome, it takes a good bit of time to get the dump and process it. However I could see this working very well with a Cuckoo box that's automating Volatility!

Gribouillis,

I agree 100% on using argparse and subprocess, and these are two I normally use. I just wanted to get something quick and dirty out there for folks, so hopefully you forgive me on the hack job! (And lack of PEP8 and poor use of os.system()) ;)

--Ronnie
@iHeartMalware

this is why I moved off windows...

hearing about stuff like this P's me off knowing how easy it is to steal private data, and how far idiots will go to do it mainly just to get a quick buck.

is it possible to detect these attacks and redirect them back on the attacker??
(the bugs-bunny trick where he bends the shotgun around) :P

EDIT:
@Ronnie: I'm talking about the Dyre devs jsyk, not you, please don't take it as such ;)

Edited 1 Year Ago by Tcll
