Update: Compromised AirOS Routers being used by #Dyre

Updated to include comments from Ubiquiti.

Dyre/Dyreza has gotten some attention this week in relation to targeting banks. After tracking Dridex and other associated banking Trojans, I've researched parts of the command and control infrastructure that is abused by Dyre/Dyreza.

Dridex uses compromised sites for payload delivery; Upatre and Emotet do similar things; Dyre/Dyreza is using compromised routers.

The Dyre/Dyreza samples I analysed, upon infection, seek to communicate with a lot of compromised AirOS routers within the botnet.

AirOS is not the only platform affected by Dyre/Dyreza.

MikroTik RouterOS devices are also involved.

Recently, I recall reading on Krebs's blog that Lizard Squad's DDoS platform ran via backdoors on compromised routers. Whether this vector uses brute-forcing of potentially weak usernames and passwords in the same way Lizard Squad did, or a backdoor that ships with the routers for firmware upgrades, remains to be seen.

Update 8/7/15

Comments from Brian Krebs here

Ubiquiti gave the following statement:

We did disable remote management by default, and took a lot of flack from our users, so we reverted it.

You should inform the ISP about this router, so they can contact the user.
— http://community.ubnt.com/t5/Installation-Troubleshooting/Attack-Malware/m-p/1289182#M83622

Admitting that it previously shipped with remote management disabled, and then re-enabled it as a result of user feedback, seems strange. The threat that exposed remote management poses far outweighs the benefits of enabling it by default.