New Variant of Shylock Banking Malware Spread via Skype


Userlevel 7
Badge +56
Monday, January 21, 2013. Contributed By:
Pierluigi Paganini

(Translated from the original Italian)
The news is very concerning: a new variant of the banking malware known as Shylock has been detected, and it includes the capability to spread over Skype.
Shylock is an old acquaintance for the security community. The malware was detected for the first time in 2011 by experts from the Trusteer firm; it is used to steal banking credentials from its victims and is considered one of the most insidious cyber threats to banking.
The first version of the malware demonstrated an improved methodology for injecting code into the browser to remotely control the victim, and an improved evasion technique to prevent detection by common antivirus software.
Curiously, the origin of the name: Shylock is the moneylender in Shakespeare's play The Merchant of Venice.
Like many other malware families (e.g. Zeus) it has been updated over time; in many cases the malware has been provisioned through a malware-as-a-service model, adopted by the author to implement the various requests of clients.
The news has been published by researchers from CSIS Security Group, who revealed that the authors of the malware have implemented a plugin named "msg.gsm" that allows the code to spread through the popular VOIP client, including the following functionality:
  • Sending messages and transferring files
  • Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
  • Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
  • Sends request to server: https://a[removed]s.su/tool/skype.php?action=...
 
Full Article
 
TH
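The last item in the list above gives the one network-side indicator the post carries: the plugin's beacon to a `/tool/skype.php?action=...` URL on a (redacted) `.su` host. As an added example that is not part of the original post or the CSIS write-up, the script below shows how a defender would turn that into a proxy-log check. The log format, the host `a-REDACTED-s.su` and the client addresses are all constructed for the example; the match is on the stable path-plus-parameter shape, not on the redacted hostname.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (not real traffic). One request per line:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2013-01-21T10:02:11Z 10.0.0.12 GET https://www.example.com/index.html 200
2013-01-21T10:02:15Z 10.0.0.12 POST https://a-REDACTED-s.su/tool/skype.php?action=report 200
2013-01-21T10:03:40Z 10.0.0.23 GET https://cdn.example.net/lib.js 304
2013-01-21T10:05:02Z 10.0.0.12 GET https://a-REDACTED-s.su/tool/skype.php 200
2013-01-21T10:06:30Z 10.0.0.44 GET http://skype.com/en/download 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_shylock_skype_c2(url):
    """True if the URL has the request shape described in the post:
    a path ending in /tool/skype.php carrying an `action` query parameter.
    The hostname is deliberately not matched, since it was redacted and
    C2 domains rotate; the path and parameter are the stable part."""
    parts = urlsplit(url)
    if not parts.path.endswith("/tool/skype.php"):
        return False
    # keep_blank_values so that a bare "action=" still counts as present
    return "action" in parse_qs(parts.query, keep_blank_values=True)


def scan_proxy_log(text):
    """Return one dict per matching request; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_shylock_skype_c2(m["url"]):
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"]})
    return hits


def clients_to_triage(hits):
    """Distinct client addresses that beaconed, sorted for a ticket."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['url']}")
    print("hosts to check for the msg.gsm plugin:", clients_to_triage(found))
```

Note that the fourth constructed line, a request to the same path without the `action` parameter, is intentionally not flagged: the point is to match the beacon shape the post describes rather than any hit on a suspicious-looking host, which would have to be matched separately once the real domain is known.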

14 replies

Userlevel 7
I do not use Skype much at all, so currently this will not affect me. However, I can see how this should be a major concern for all Skype users, and I imagine that Shylock (or some variant) will spread further through a different method.
Userlevel 7
Thanks TH for posting. Good read. 😉
Userlevel 7
I guess this nasty malware will spread over social networks very soon. I hate all this: Facebook, Twitter, Google+ and Skype included.
Userlevel 7
@ wrote:
I guess this nasty malware will spread over social networks very soon. I hate all this: Facebook, Twitter, Google+ and Skype included.
I agree with you on that. 😉
Userlevel 7
Badge +35
Chat clients have long been a popular attack vector for malware authors, and with Microsoft moving from Messenger to Skype we can expect to see more malware using Skype to spread.
Userlevel 7
You know, a lot of elderly people use Skype to communicate with their families. I can see where these folks, who do not know much at all about computer security, can get in trouble. Many of them use their computer to Skype with family, and check on their bank and other financial accounts.
 
Big business for the bad guys.
Userlevel 7
Skype came pre-installed on our Toshiba Satellite laptop that my Wife uses. That was one of the many pre-installed programs I uninstalled.
 
Userlevel 7
@ wrote:
Skype came pre-installed on our Toshiba Satellite laptop that my Wife uses. That was one of the many pre-installed programs I uninstalled.
 
While you can uninstall Skype and other similar programs from a Microsoft OS, you can't do that on Android devices unless the device is rooted, which is a shame. I have Facebook, Twitter and others preinstalled on my Android device, but I can't uninstall them due to the said restriction.
Userlevel 7
As my tagline states... I am here to learn.  So... that means time for what may be a stupid question for some of you.
 
How is the transmission of this obtained in Skype?  Is it able to infect simply by communicating with an infected user, or does it need to be transmitted as part of a link/image/file?
Userlevel 7
Badge +35
@DavidP wrote:
How is the transmission of this obtained in Skype?  Is it able to infect simply by communicating with an infected user, or does it need to be transmitted as part of a link/image/file?
You would need to accept a file transfer or click on a link. Just as with email or other chat clients, you should avoid downloading files or clicking links that are unsolicited or unexpected. If the file or link came from someone you know, ask them if they knowingly sent it, and if they did not they may be infected.
 
-Dan
Userlevel 7
Badge +13
As my wife is a bit naive, I will have to warn her about this, although I have issued similar warnings about clicking on links and downloading files in this setting in the past. She uses Skype regularly to converse with some of her MMO legion mates, as well as TeamSpeak, Vent, etc. I use none of the above and no instant messengers. Thankfully we are protected by Webroot. Even if we managed to get infected, the many technologies contained within Webroot would prevent transmission of sensitive data as well as remove the threat. These banking trojans are quite tricky and stubborn, and if for some reason said infection does not respond to typical Webroot removal, tech support will be more than happy to assist you with removal free of charge.
Userlevel 7
Badge +54
Lucian Constantin, Jul 10, 2014
Police from eight countries together with several private security companies disrupted the online infrastructure used by cybercriminals to control computers infected with a malware program called Shylock.
Shylock is a Trojan program that first appeared in 2011, primarily targeting online banking. The threat is named after a fictional character in Shakespeare’s “The Merchant of Venice” because it includes fragments from the play in its binary files.
Like most malware programs that steal financial information, Shylock is able to inject code into websites in order to capture credentials and trick victims into performing rogue financial transactions. However, the Trojan program has evolved over the years, with its creators adding modules so that it can infect external and USB drives, steal credentials from FTP programs and turn infected computers into proxy servers, among other things.
 
Full Article
Userlevel 7
Badge +54
July 11th, 2014, 10:27 GMT · By Ionut Ilascu
The group behind the Shylock/Caphaw banking Trojan showed their business prowess for the full duration of the operation, by carefully selecting their market, protecting the asset from authorities through detection evasion tactics, and optimizing it for a higher rate of success.

This week, the U.K. National Crime Agency coordinated an international effort to take control of the domains used for communication with the machines infected by the banking malware. Among the partners in the operation are both law enforcement organizations and security companies in the private sector.

According to Symantec, the cybercriminal gang was organized with professional discipline, as they believe that the developers had a typical nine to five work schedule, from Monday to Friday.
 
Full Article
Userlevel 7
By: Graham Cluley | comment : 0 | July 11, 2014 | Posted in: Industry News
 
Computer crime fighters have today announced that they have seized essential infrastructure used by the highly advanced Shylock banking malware, effectively neutralising an attack which has already infected at least 30,000 Windows computers.

Shylock, which gains its name because its code includes random excerpts from “The Merchant of Venice”, has been used by its criminal overlords to raid the online bank accounts of innocent computer users, after downloading malware onto compromised computers and injecting itself into web sessions. Quite why the malware author who created Shylock decided to incorporate excerpts of one of Shakespeare’s most famous plays is unclear, but it’s possible that it was a sick joke playing on the character demanding a “pound of flesh” after a bankrupt Antonio defaults on a loan. The Shylock malware is extremely sophisticated and has proven to have – until now – a resilient infrastructure that was hard for the authorities to disrupt.
 
HotForSecurity/ Full Read Here/
http://www.hotforsec...lware-9536.html