The banking malware Dyre has adopted an evasive domain generation algorithm in a bid to avoid being shut down, according to the networking firm Cisco.
A DGA replaces a fixed rendezvous point with a calculation: the malware and its operators both compute the same sequence of random-looking domain names from a shared, time-based seed, and the infected machine works through that list until one name resolves to a live command and control (C&C) server. Because the names roll over after a set period and each one is live only briefly, blacklisting any single domain does little to stop the malware from phoning home.
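To make the mechanism concrete, here is an added, illustrative example (not code from Cisco Talos and not Dyre's real algorithm) of a date-seeded DGA with both sides of the arrangement: the malware walking the day's candidate names until one resolves, and a defender who knows the scheme precomputing the coming week's names into a blocklist. The seeding formula, the TLD set, the ten-per-day count, the demo date and the fake DNS answer are all hypothetical choices made for the example.

```python
"""Toy date-seeded DGA plus the defender-side precomputation it makes possible.
Added example; the seeding scheme, TLD set and per-day count are hypothetical
and are NOT Dyre's real algorithm."""
import datetime
import hashlib

TLDS = ("com", "net", "org", "info")      # hypothetical TLD set
DOMAINS_PER_DAY = 10                       # hypothetical per-day count
DEMO_DAY = datetime.date(2015, 7, 1)       # arbitrary date for the demo


def generate_domains(day, count=DOMAINS_PER_DAY):
    """Return the `count` candidate C&C domains for `day`.

    Everything derives from the date and an index, so any party that knows the
    scheme (the malware, or an analyst who has reverse engineered it) computes
    the identical list without exchanging any network traffic.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        # 12 lowercase letters from the digest, then a TLD chosen by one byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def find_live_c2(domains, resolve):
    """Malware side: walk the day's candidates and use the first that resolves.

    `resolve` is a callable returning an IP string or None; a real sample
    would issue DNS lookups here.
    """
    for name in domains:
        ip = resolve(name)
        if ip is not None:
            return name, ip
    return None


def build_blocklist(start, days_ahead):
    """Defender side: precompute every domain for `days_ahead` days from `start`."""
    block = set()
    for offset in range(days_ahead):
        block.update(generate_domains(start + datetime.timedelta(days=offset)))
    return block


def filter_queries(queries, blocklist):
    """Split observed DNS query names into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for q in queries:
        (blocked if q.lower().rstrip(".") in blocklist else allowed).append(q)
    return allowed, blocked


if __name__ == "__main__":
    todays = generate_domains(DEMO_DAY)
    # Constructed resolver: only the fourth candidate "exists" today.
    fake_dns = {todays[3]: "203.0.113.5"}
    print("malware picks:", find_live_c2(todays, fake_dns.get))
    blocklist = build_blocklist(DEMO_DAY, days_ahead=7)
    sample = ["www.example.com", todays[3], todays[7] + "."]   # constructed queries
    print("defender verdicts:", filter_queries(sample, blocklist))
```

The point the example makes is the asymmetry Talos describes: registering a name is cheap for the attacker, but once the generator is known, the defender can enumerate every name it will ever produce for a given day and block them before the attacker registers any of them.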
Alex Chiu and Angel Villegas, analysts from Cisco’s threat research group Talos, said: "Previously, versions of Dyre used hardcoded URLs to communicate with the command and control servers.
"However, the latest versions employ a domain generation algorithm to allow attackers to better anonymise their infrastructure and evade detection."
In the past Dyre has been used to steal user credentials and banking data, targeting financial groups such as Citigroup and the Bank of America.
Talos claims to have reverse engineered the algorithm, which lets it predict the domains Dyre will generate in advance and keep traffic to the C&C servers behind them blocked.
"By doing this, we can ensure that customers are protected across the entire attack continuum using a defence-in-depth approach should the attacker bypass other defences," the researchers said.
"In the event that a user winds up compromised by Dyre, they are still protected from leaking sensitive information because URL blacklisting will prevent communication to the malicious domains."