Wednesday, July 1, 2015

Dyre Controller Servers

I found some interesting connections being made to some remote servers, which appear to be part of a Dyre botnet. The malware first issues an HTTP CONNECT request to a remote server, then a GET whose URI path encodes details of the infected machine: its host name, the version of Windows it is running, and its serial number.

As with any IP address, please be careful when blacklisting, as some of these may be legitimate. Many of the IPs that I looked into were listed on several blacklists, so please do your research. Below is a quick and dirty list of the IP addresses, enjoy!

Remote IP Addresses - CONNECT:
The connections made to the below IP addresses were made with the CONNECT request method.

Remote IP Addresses - GET:
Connections to the IP addresses below were made with the GET request method. These appear to be the controller servers, since the GET is the request that carries the host-specific URI.

HTTP URI Directory Structure:
The URI path is a long value containing information unique to the infected host, but a few directories in it are constant across infections. Keep in mind that these only appear in the GET request; the CONNECT request carries a host:port target rather than a path, so a path-based signature will not match it.

  • /1106us11/
  • /5/spk/
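Below is an added example of how the traffic pattern described in this post could be turned into a log check; it is not code from the original post. It scans proxy-style log lines for GET requests whose path contains the constant directories above, records which controller received them, and pairs each hit with a CONNECT from the same client shortly before it. The log format (timestamp, client IP, method, URL, status), the 60-second pairing window, and the assumed layout of the host-specific path segment (`<hostname>_W<windows version>.<serial>`) are assumptions for illustration; the sample log lines are constructed and use documentation-range addresses.

```python
"""Flag Dyre-style beacons (CONNECT followed by a GET with a recognisable
path) in a proxy log.  Added example; log format and the per-host segment
layout are assumptions, not facts taken from the post."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Directories the post reports as constant across infected hosts.
DYRE_MARKERS = ("/1106us11/", "/5/spk/")
# Pair a GET with a CONNECT from the same client within this window (assumed).
CONNECT_WINDOW = 60.0

# Assumed Squid-like log format: ts client method url status
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<server>[^/]+)(?P<path>/\S*)$")
# Assumed layout of the host-specific segment: <hostname>_W<winver>.<hex serial>
SEGMENT_RE = re.compile(r"^(?P<host>[^_]+)_W(?P<winver>\d+)\.(?P<serial>[0-9A-Fa-f]+)$")

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
1435766400.101 10.0.0.15 CONNECT 203.0.113.10:443 200
1435766400.532 10.0.0.15 GET http://203.0.113.20/1106us11/WKSTN-042_W617601.0123456789ABCDEF0123456789ABCDEF/5/spk/ 200
1435766412.004 10.0.0.22 GET http://www.example.com/index.html 200
1435766500.000 10.0.0.31 GET http://198.51.100.5/5/spk/ 404
1435766510.250 10.0.0.22 GET http://198.51.100.9/1106us11/LAPTOP-7/5/spk/ 200
"""


class Hit(NamedTuple):
    ts: float
    client: str
    server: str                   # controller that received the GET
    markers: Tuple[str, ...]      # which constant directories were present
    host: Optional[str]           # parsed only if the assumed layout matches
    winver: Optional[str]
    serial: Optional[str]
    prior_connect: Optional[str]  # CONNECT target from the same client, if recent


def marker_hits(path: str) -> Tuple[str, ...]:
    """Return the constant Dyre directories present in a URI path."""
    return tuple(m for m in DYRE_MARKERS if m in path)


def extract_host_fields(path: str):
    """Best-effort parse of the host-specific segment; None if layout differs."""
    for seg in path.strip("/").split("/"):
        m = SEGMENT_RE.match(seg)
        if m:
            return m.group("host"), m.group("winver"), m.group("serial")
    return None, None, None


def scan(log_text: str) -> List[Hit]:
    hits: List[Hit] = []
    last_connect: Dict[str, Tuple[float, str]] = {}  # client -> (ts, target)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, client, method, url = float(m["ts"]), m["client"], m["method"], m["url"]
        if method == "CONNECT":
            last_connect[client] = (ts, url)   # remember the tunnel target
            continue
        if method != "GET":
            continue
        u = URL_RE.match(url)
        if not u:
            continue
        markers = marker_hits(u["path"])
        if not markers:
            continue
        host, winver, serial = extract_host_fields(u["path"])
        prior = None
        if client in last_connect and ts - last_connect[client][0] <= CONNECT_WINDOW:
            prior = last_connect[client][1]
        hits.append(Hit(ts, client, u["server"], markers, host, winver, serial, prior))
    return hits


def controllers(hits: List[Hit]) -> List[str]:
    """Unique servers that received a marker-bearing GET."""
    return sorted({h.server for h in hits})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
    print("controllers:", controllers(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

Matching on the constant directories rather than on IP addresses is what keeps this useful after the controllers move; the parsed host name and serial tell you which internal machine is infected, and the paired CONNECT gives you the second address to investigate.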
Thank you for reading, I hope this information is useful!
