The Dyre banking trojan, which lead to stealing of over a million from the corporate banks in April has got a new update which renders it undetectatble by anti-sandboxing techniques.
The malware checks how many processor cores the machine has and if it has only one, it terminates. Since sandboxes are configured with only one processor with one core as a way to save resources, this is an effective evasion technique – most of the computers now come with multiple cores.
Secualert’s check for Dyre’s evasion of analysis with four commercially available sandboxes revealed that the malware has been successful in fooling the systems.
In addition Dyre has switched user agents to avoid detection by signature-based systems. The Upatre downloader which is working in conjunction with Dyre also has new changes to avoid signature-based detection. Upatre now uses two user agents and different download communication pathway. The communication path naming convention is obscure and not based on identifiable characteristics.
These progress in malware technologies reveal that sandboxing alone cannot be an effective way to deal with vulnerabilities. The ability to detect evasive malware needs to include machine learning and the analysis of outbound traffic over time.