misterblister

Would MB have stopped our Dyre infection?


Last week one of our users opened a DOC attached to a phishing email, then enabled editing (and macros), and the DOC executed malicious code that disabled AVG's update engine (and notifications, apparently), then downloaded a variation of the Dyware malware which steals banking credentials, etc., which went undetected for three days.

 

I am wondering whether Malwarebytes for business would have stopped this? For one thing, the DOC attachment, which is now seven days old, is still only detected by 3/57 A/V programs according to VirusTotal. So I doubt MB would have detected it at the time, but I am wondering how it might have handled the execution of the code?

 

In hindsight I am thinking the most useful thing for me in this scenario, to catch this sooner, would be some sort of network traffic analyzer which would have detected all the strange traffic to Eastern European IP addresses that was exchanged with this user's computer. But from what I understand the solutions that do that are five figures and we are just a small business.

 

Your insights appreciated. MB is not often mentioned in the small business arena when people talk about hardening their A/V but I have an open mind. Thanks.

 

 


"For one thing, the DOC attachment which is now seven days old is still only detected by 3/57 A/V programs according to VirusTotal."

Are you sure? Did you click the rescan button for a fresh result? You may post a link to the scan result here.

Anyway, Malwarebytes does not detect DOC files.


I'd like you to submit the DOC file so I can take a look at the VBA Macro and obtain the payload. At the very minimum, to get the Dyre/Dyreza trojan submitted to Malwarebytes so Malwarebytes' Anti-Malware (MBAM) can detect the payload.

 

Please reference the following on how to provide sample submissions such that Malwarebytes' Anti-Malware (MBAM) can detect targeted but presently undetected threats.

 

Malware hunters please read
Purpose of this forum
Malware Hunters group

 

The file is to be submitted in: Newest Malware Threats

Upload Directions:

  • Take the files and put them in a ZIP or RAR archive file.
  • Create a new post.
  • Choose "More Reply Options" on the bottom Right of the Web Form
  • Now choose "Attach Files" on the bottom Left of the Web Form.
  • Browse and find your ZIP or RAR file.
  • Choose "Add Reply" and there's your post with your attachment(s)

As for prevention... 

If there is no signature then MBAM won't protect a system (in this case).

However, and we'd have to check with Pedro (pbust), I believe that Malwarebytes Anti-Exploit (MBAE) may block the download of the payload and thus protect the system.


Hi misterblister.

 

Malwarebytes Anti-Exploit (MBAE) for Business does protect against malicious Word, Excel and PowerPoint macros, as well as against other types of application behavior exploits. It is a generic protection that blocks the Word macro in case it tries to do something malicious such as downloading and executing an EXE from the Internet.

 

To install MBAE, just contact your Malwarebytes sales person and ask them to upgrade you to Malwarebytes Endpoint Security which includes both MBAM and MBAE.

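The generic protection described above (block the Word macro when it tries to download and execute an EXE) can also be expressed as a log-based detection for sites that do not have a behaviour-blocking product on the endpoint. The block below is an added example, not Malwarebytes' or the poster's code: it runs two rules (an Office host spawning a script host or system utility, and an Office host launching an executable from a user-writable directory) over process-creation records. The event shape is Sysmon-like but invented here, and every host name, path and process in the sample is constructed.

```python
"""Behavioural detection for Office macro downloaders.

Added example, not Malwarebytes' or the forum's own code. It applies the rule
the thread describes (a Word macro that downloads and runs an EXE) to
constructed process-creation records. Field names and sample values are
invented for illustration and are not real telemetry.
"""
import ntpath

# Office hosts whose macro-driven child processes we want to watch.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Script hosts and system utilities a macro downloader commonly hands off to.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Extensions that count as "executable content" when launched from a user dir.
EXEC_EXTENSIONS = (".exe", ".scr", ".dll", ".bat", ".vbs", ".ps1")

# Constructed process-creation events (Sysmon-like fields; not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-alice",
     "parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"id": 2, "host": "ws-alice",
     "parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "host": "ws-alice",
     "parent": r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"id": 4, "host": "ws-bob",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 5, "host": "ws-bob",
     "parent": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe"},
]


def _basename(path):
    # ntpath handles backslash paths on any platform.
    return ntpath.basename(path).lower()


def _user_writable(path):
    """Crude test for locations a macro can write to without admin rights."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p


def classify_event(event):
    """Return the list of rule names the event trips (empty if benign)."""
    reasons = []
    parent = _basename(event["parent"])
    child = _basename(event["image"])
    if parent not in OFFICE_PARENTS:
        return reasons
    if child in SUSPICIOUS_CHILDREN:
        reasons.append("office_spawned_script_host")
    if _user_writable(event["image"]) and child.endswith(EXEC_EXTENSIONS):
        reasons.append("office_launched_dropped_executable")
    return reasons


def scan(events):
    """Run every event through the rules; return the hits in input order."""
    hits = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            hits.append({"id": event["id"], "host": event["host"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit['id']} on {hit['host']}: {', '.join(hit['reasons'])}")
```

Outlook opening Word (event 3) and Explorer opening a command prompt (event 4) are deliberately left unflagged: the rules key on the Office host being the parent, which is what distinguishes a macro-driven launch from ordinary user activity. Only the Word-spawned `cmd.exe` and the executable dropped into `Temp` trip the rules.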

Interesting. I am tempted to set up a sandbox and test the latest MBE using this malware, before MBA updates their engine. I am very curious to know whether it would have been stopped, keeping in mind this malware may also have been coded to disable MBAE.


misterblister:

 

Is this the original, unmodified DOC received as an attachment?

 

I see no VBA Macros in this file and the file size is about right for the embedded graphic.


I'm pretty confident that is the file. It was the only email the user got that had an attachment, and the date/time of the email is very close to the creation date/time of the downloaded EXE that was cleaned.

 

I even opened it on their infected PC with the Internet unplugged and it definitely attempted to do something after enabling editing/macros but obviously could not get/run its payload.

 

I can verify this tomorrow, but is it possible the payload is disabled? Is it possible there was some other mechanism in the file, perhaps linking/loading something externally from within the DOC? Keep in mind the user opened this with Word 2013, which was set to trust and run all macros, so once they clicked "enable editing" (which Word 2013 requires on attachments opened from Outlook 2013), it was enabled to do everything it wanted to.


No, even if the payload was no longer available I would still see the script or process used to effect the payload.

 

If you can find the email, see if you can get the raw email with the attachment. In the meantime I'll continue with what you posted. It is possible there is a new "trick" being employed. Over the last several months, I have seen them pull many tricks out of their malicious actor's bag.


I downloaded the file from VirusTotal and we tested it in a few environments. There is no VBA macro in this file, even though the content of the document is clearly typical of these types of attacks. It looks like someone stripped the macro out of the document as it is not malicious anymore.

 

If you can track down the original file and send it to us or to VirusTotal we can check it out again.

 

Regardless, MBAE would protect you against these Word Macro downloaders generically and without relying on signatures.

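Two of the replies above turn on the same question: does the attachment actually contain a VBA project? That is something a mail gateway or an analyst can answer statically, without opening the file in Word. The block below is an added example, not the forum's, Malwarebytes' or any responder's code. For OOXML packages (.docx/.docm) the check is exact, because VBA is always stored in a vbaProject.bin part; for legacy OLE files (.doc, the format in this thread) it uses a byte-pattern heuristic for the null-terminated UTF-16LE directory-entry names a Word VBA project uses ("Macros", "VBA", "_VBA_PROJECT"), which is enough for triage but not a substitute for a real OLE parser. It also does not see the other mechanism misterblister asked about, a document that loads or links something externally without any macro. The sample files are constructed in memory and are not real documents.

```python
"""Static triage: does an Office attachment carry a VBA project?

Added example, not the forum's or Malwarebytes' own code. The OOXML check is
exact (VBA lives in a vbaProject.bin part). The legacy OLE check is a
byte-pattern heuristic for the directory-entry names a Word VBA project uses;
it never opens the document in Word. Sample files are constructed in memory.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file signature
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML packages are zips

# Storage/stream names a Word VBA project uses inside an OLE compound file.
# Directory entries store names as null-terminated UTF-16LE, so match that.
OLE_VBA_NAMES = {
    name: name.encode("utf-16-le") + b"\x00\x00"
    for name in ("Macros", "_VBA_PROJECT", "VBA")
}


def inspect_attachment(data):
    """Classify raw bytes as ooxml/ole/unknown and report VBA indicators."""
    result = {"container": "unknown", "has_macros": False, "indicators": []}
    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                result["indicators"] = [
                    name for name in package.namelist()
                    if name.lower().endswith("vbaproject.bin")
                ]
        except zipfile.BadZipFile:
            # Starts like a zip but is not one: do not claim it is clean.
            result["container"] = "unknown"
            return result
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["indicators"] = [
            name for name, pattern in OLE_VBA_NAMES.items() if pattern in data
        ]
    result["has_macros"] = bool(result["indicators"])
    return result


def make_docx(with_macro):
    """Constructed minimal OOXML package (not real Word output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_ole(with_macro):
    """Constructed OLE-like blob: valid magic plus directory-entry names only."""
    header = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))
    entries = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    entries += "WordDocument".encode("utf-16-le") + b"\x00\x00"
    if with_macro:
        entries += OLE_VBA_NAMES["Macros"]
    return header + entries.ljust(1024, b"\x00")


if __name__ == "__main__":
    for label, blob in (("docm", make_docx(True)), ("docx", make_docx(False)),
                        ("doc+vba", make_ole(True)), ("doc", make_ole(False))):
        print(label, inspect_attachment(blob))
```

A gateway rule built on this would quarantine or flag any attachment where `has_macros` is true rather than waiting for a signature, which is the same idea as the generic protection discussed in the thread, applied before the file reaches the user. A result of `has_macros` false on a legacy .doc should be read as "no VBA directory names found", not as "safe".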
