By Mike Lennon on September 08, 2014
In an advisory sent to Salesforce Account administrators late Friday, the largest provider of cloud-based CRM solutions warned that its customers are being targeted by key-logging malware known as Dyre.
“On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users,” the company warned.
Dyre, which is able to circumvent the SSL mechanism of web browsers, was first detailed by PhishMe in June 2014 after being spotted in an attack targeting online banking credentials.
Salesforce said it had not yet seen any evidence that any of its customers have been impacted by the malware.
“If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance,” Salesforce said.
Late last month, security researchers from Proofpoint discovered a large-scale phishing campaign targeting JPMorgan Chase customers that leveraged the RIG exploit kit and the Dyre Trojan. According to VirusTotal, the version of Dyre used in the attack was not detected by any of the leading antivirus providers at the time of the attack, Proofpoint said.
In addition to ensuring that anti-malware solutions are capable of detecting the Dyre malware, Salesforce.com recommends that customers leverage the following security capabilities of the Salesforce Platform to lock down their applications:
SecurityWeek/ full article here/ http://www.securityweek.com/dyre-malware-targeting-salesforce-user-credentials
Hi,
Can anyone please confirm whether Webroot SecureAnywhere is able to detect the Dyre malware infection that is targeting Salesforce? Salesforce users have now been advised to contact their AV supplier to verify this.
Thanks,
Andy
A name of infection usually refers to a class or family of a particular infection. There can be hundreds of variants of a single name, so it's not just a matter of blocking one single infection. For example, there are about a dozen variants of ZeroAccess, and each variant will have hundreds of slightly different versions. But to answer your question: yes, this particular trojan can be removed by Webroot.
The following article is an update on the Dyre malware.
Researchers have uncovered a new variant of the Dyre (Dyreza) banking Trojan and have discovered that malware developers have added several new features to the threat.
Capabilities of the Dyre malware were first detailed in June by PhishMe, which described the threat as being a highly efficient piece of malware because it's capable of bypassing a browser's SSL mechanism that protects users' information. Information submitted to SSL-protected websites is encrypted before being sent to the server to protect it against man-in-the-middle attacks. However, by hooking the Web browser process, the malware can see the data entered by the victim before it is encrypted.
According to Proofpoint, the latest variants of the threat are designed to communicate with their command and control (C&C) server via SSL on ports 443 and 4443. In order to do this, Dyre uses its own SSL certificate, which has been issued to an organization called Internet Widgits Pty Ltd.
Another new feature has been dubbed "browsersnapshot" which enables the cybercriminals to collect cookies, client-side certificates and private keys from the infected computer's Windows Certificate Store.
SecurityWeek/ full article here/ http://www.securityweek.com/dyre-malware-takes-inventory-software-infected-systems
(Dyre Malware Takes Inventory of Software on Infected Systems)
By Eduard Kovacs on September 26, 2014
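The article above gives two network-side indicators for the newer Dyre variants: C&C over SSL on ports 443 and 4443, and a self-issued certificate whose subject organisation is "Internet Widgits Pty Ltd". As an added example (not from the article or from Webroot), the script below scans constructed Zeek-style ssl.log lines for that combination. One caveat worth knowing: "Internet Widgits Pty Ltd" is also the default organisation name OpenSSL offers when generating a certificate request, so the match is a lead to triage, not proof of infection; the column layout of the sample log is a simplification and an assumption of this example.

```python
from dataclasses import dataclass

# Constructed sample log (not real traffic). Simplified, tab-separated columns:
# ts, src_ip, dst_ip, dst_port, server_name (SNI or "-"), certificate subject
SAMPLE_SSL_LOG = """\
1410000000.1\t10.0.0.5\t203.0.113.10\t443\t-\tO=Internet Widgits Pty Ltd,CN=localhost
1410000001.2\t10.0.0.5\t198.51.100.7\t4443\t-\tO=Internet Widgits Pty Ltd,ST=Some-State,C=AU
1410000002.3\t10.0.0.6\t192.0.2.20\t443\tlogin.salesforce.com\tCN=*.salesforce.com,O=salesforce.com inc
1410000003.4\t10.0.0.7\t192.0.2.30\t8443\t-\tO=Internet Widgits Pty Ltd,CN=dev.internal
"""

DYRE_CERT_ORG = "Internet Widgits Pty Ltd"  # subject O= reported in the article
DYRE_C2_PORTS = {443, 4443}                  # C&C ports reported in the article


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def parse_subject(subject: str) -> dict:
    """Turn a flattened subject such as 'O=x,CN=y' into a {type: value} dict."""
    parts = {}
    for rdn in subject.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts[key.strip()] = value.strip()
    return parts


def scan_ssl_log(text: str) -> list:
    """Return one Hit per session that matches both the cert org and a C&C port."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, _sni, subject = line.split("\t")
        port = int(port)
        org = parse_subject(subject).get("O", "")
        # Both conditions together: the org alone is OpenSSL's default and
        # matches plenty of benign internal test servers (see the 8443 line).
        if org == DYRE_CERT_ORG and port in DYRE_C2_PORTS:
            hits.append(Hit(ts, src, dst, port, f"Dyre-style cert org on port {port}"))
    return hits


if __name__ == "__main__":
    for hit in scan_ssl_log(SAMPLE_SSL_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.port}  {hit.reason}")
```

Pivot each hit on the source host (endpoint AV scan, process making the connection) rather than blocking on the certificate string alone.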
Yes, we catch this. It's another Zeus variant and our detection on Zeus is superb.
MD5 from article is 4c0dae9b5d407e30bf1c7b8a0d3109a5
We detect it immediately