
Hackers' New Malware Infects West Pennsylvania Computers, Vexes FBI

Private industry experts said they believe hackers in Eastern Europe devised the malware, and they said it seems ready to blow up across computer networks.

Pittsburgh-based FBI cyber agents who brought down an international Russian hacking syndicate in May are now focusing on two new targets that have caused significant damage, the Tribune-Review has learned.

Like the Gameover Zeus malware that agents shut down, another malware called Dyre allows hackers to steal online bank passwords and other identification by infecting users' computers to make it seem they are communicating with their financial institution.

Dyre has hit victims across Western Pennsylvania. Private industry experts told the Trib that they believe hackers in Eastern Europe devised the malware, and they said it seems ready to blow up across computer networks.

J. Keith Mularski, the FBI's cyber supervisory agent, said he “won't confirm or deny” whether an investigation is under way.

“I can say we are actively assessing the situation, especially here in Pittsburgh, to see how these financial botnets are affecting the businesses in our district,” he said. “There are large spam campaigns that are going on.”

FBI agents are working with private-sector companies to assess Dyre — also known as Dyreza — and a second, similar malware called Cridex, which has primarily targeted European victims. Mularski said it's “too premature” to say whether the agency might attempt a large-scale counterattack, such as the one it conducted against the Russian-based network behind Gameover Zeus.

Both Dyre and Cridex have some advantages over the Zeus variants of malware, said Peter Kruse, a security specialist at CSIS Security Group, a computer security company in Denmark. Both allow hackers to listen in on the communication between the victim and his online bank and mount a real-time attack during a financial transaction.

“Dyreza and Cridex are definitely causing a lot of losses for a lot of online banking systems,” Kruse told the Trib. “They are very aggressive, motivated and … complex types of malware.”

In cyber attacks, Dyre, Cridex and other malware operate like missiles, allowing hackers to deliver different kinds of payloads, said Tal Klein, vice president of strategy at Adallom, a computer security company in Palo Alto, Calif. Researchers there analyzed a variant of Dyre this summer.

Gameover Zeus worried investigators because its specific payload seemed to be directed by an organized syndicate bent on widespread theft. It infected more than a half-million computers around the world as criminals stole more than $100 million in the United States alone.

The FBI defeated Gameover Zeus by teaming up with private cyber security companies and university experts to poison the hackers' computers. Agents formed an international coalition to shut down servers and search computers used by the cyber attackers.

US-CERT, a cyber response team at the Department of Homeland Security, put out an alert this week warning companies about the Dyre malware, saying it “has targeted a wide variety of recipients.” The attacks use various tactics but focus on tricking victims into opening email attachments and downloading malicious software, it said.

A Homeland Security spokesman declined to talk about Dyre and the attacks.

“The reason that US-CERT is starting to get paranoid about Dyre is because the behavior is starting to look a lot like that syndicate behavior,” Klein said. “... By syndicate, it could be a nation-state. It could be the Mafia. We don't really know necessarily who. It's not necessarily the same people as the Zeus people, but we're starting to see that it's an organized effort.”

FBI agents don't know whether the hackers are the same, Mularski said, but believe it's originating in Eastern Europe.

Evgeniy Mikhailovich Bogachev, who was identified as the mastermind behind the Gameover Zeus attacks, remains on the FBI's cyber Most Wanted list and is presumed to be in Russia. A Justice Department civil complaint filed at the same time identified four other hackers by their online handles, and a separate criminal case out of Nebraska named eight conspirators in Russia, Ukraine and the United Kingdom.

Ronnie Tokazowski, a senior researcher at PhishMe, a computer security company in Chantilly, Va., discovered Dyre in the early summer when a company employee received an email with the malware hidden in an attached zip file. Tokazowski reverse-engineered the malware and realized that it looked different from anything else researchers had seen.

As the first to find the new attack, Tokazowski could have named it anything but went with Dyre, a word that appeared within the code and that seemed to be the name hackers were using. Since Tokazowski went public, other cyber security companies have referred to the malware by other names like Dyreza.

The hackers responded in subsequent iterations of the attack by inserting words into the code saying, “I'm Dyre,” confirming the name, and “Slava Ukraini,” or “Glory to Ukraine.” Investigators don't know whether that means the attack came out of Ukraine or from Russian hackers trying to make it appear Ukrainian in origin, but it seems linked to the fighting going on between the countries, Tokazowski said.

Dyre typically spreads by getting victims to click on an email attachment that includes an infected zip file. Despite repeated warnings, users continue to confound and exasperate computer security experts by opening files from people they do not know.
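The delivery method described above, an email carrying a zip attachment with an executable inside, is something a mail gateway can check for before the message reaches a user. The following is an added example written for this page, not code from the article, PhishMe, US-CERT or the FBI. It constructs a sample message offline, then walks the attachments, opens any zip in memory and flags members with executable or double extensions. The sender addresses, file names and the list of risky extensions are all constructed assumptions for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should not arrive inside a zip from an unknown sender.
# This list is an assumption chosen for the example, not from the article.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def build_sample_message() -> bytes:
    """Construct a sample phishing-style message with a zip attachment.

    Everything here is constructed test data: the addresses are reserved
    example domains and the zip member is inert text, only its name is
    suspicious (a PDF-looking name ending in .exe).
    """
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2014.pdf.exe", "not a real program")

    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def inspect_zip(data: bytes) -> list:
    """Open a zip held in memory and return a list of findings.

    Only the central directory is read; no member is extracted or executed.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if name.endswith("/"):
                    continue  # directory entry, nothing to check
                ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
                if ext in RISKY_EXTENSIONS:
                    findings.append(f"executable member: {info.filename}")
                    # "invoice.pdf.exe" style names hide the real type on
                    # systems that suppress known extensions.
                    if name.count(".") >= 2:
                        findings.append(f"double extension: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid zip file")
    return findings


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and report zip attachments and their contents."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Match on the declared name or on the zip local-header magic,
        # so a renamed attachment is still inspected.
        is_zip = filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04")
        if not is_zip:
            continue
        findings.append(f"zip attachment: {filename}")
        findings.extend(inspect_zip(payload))
    return findings


if __name__ == "__main__":
    for line in scan_message(build_sample_message()):
        print(line)
```

In a real gateway the findings would feed a quarantine or rewrite decision rather than a print; the point of the check is that it keys on structure (a zip carrying an executable) rather than on a signature for any one Dyre sample, so it still fires when the payload changes.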

“What we've been telling customers is: ‘Try not to click zip files inside of emails,’” Tokazowski said. “Across the whole spectrum, the easiest way to help protect against these (attacks) is to train your users not to click inside of a zip file. … I think it really falls down to just users aren't trained to be able to tell the difference.”

The FBI recommends that companies using online banking should have a terminal just for financial transactions, separate from computers they use to surf the Internet or check email, Mularski said.

In a twist, hackers might actually be seeking the easiest targets with the Dyre attacks, Klein said. People who click on the infected email also are the most likely to have outdated security measures and weak banking authentications, he said.

“The cyber war is very similar to the war on drugs or the war on crime,” Klein said. “There's never a silver bullet. You're just constantly trying to get back to the status quo. You're trying to get back to normal.”

©2014 The Pittsburgh Tribune-Review (Greensburg, Pa.)