Dyre.L a malware tries to register itself as Google Update Service to avoid detection.


The Dell SonicWall Threats Research team observed reports of a Dyre bot family named GAV: Dyre.L actively spreading in the wild. We recently released GAV: Dyre.E which is uses I2P (Invisible Internet Project) for C&C communications and also uses self-signed SSL certificate for C&C communications. The new version of Dyre tries to register itself as Google Update Service to avoid detection by Systems administrators.

Infection Cycle:

Md5: 3497d8bcdc25950d63b6add8f8e5f40a

The Malware uses the following icons:

The Malware adds the following files to the system:

  • C:WINDOWStSfxwnnGqbYvrba.exe [Random Service Name ]

  • %systemroot%system32configsystemprofileApplication Datanw9vbe8cb5.dll [ Data Log ]

The Malware adds the following keys to the Windows registry [As a Service] to ensure persistence upon reboot:

The file tSfxwnnGqbYvrba.exe registered as services on win32 subsystem, after next restart the malware uses an injected Svchost.exe to send packets to its own C&C Server and after some time it terminates its own process.

Dyre tries to enumerate files on the target system, after Malware retrieve list for exe files it saves on % systemroot%system32configsystemprofileApplication Datanw9vbe8cb5.dll file and start to encrypt it with its own format, here is an example:

Here is decrypted information grabbed by malware:

Command and Control (C&C) Traffic

Dyre has the C&C communication over HTTP & SSL. It sends requests to statically defined IP/Domains on a regular basis. The Malware uses self- signed SSL certificate for C&C communications.

The malware sends a HTTP request to the C&C server which contains information such as the campaign it belongs to, the infected machines computer name, operating system version, here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Dyre.L ( Trojan )

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.