New variant of banking malware Shylock spread via Skype

January 20, 2013  By Pierluigi Paganini


The news is very concerning, a new variant of the banking malware known as Shylock has been detected, it includes the capability to spread over Skype.

Shylock is an old acquaintance for security community, the malware was detected for first time in 2011 by experts from Trustee firm, it is used to steal banking credentials from its victims and is considered one of the most insidious cyber threat for banking.

The first version of the malware demonstrated improved methodology for injecting code into browser to remote control the victim and an improved evasion technique to prevent detection by common antivirus software.

Curious the origin of the name for the malware, Shylock is the money lender in Shakespeare’s opera The Merchant of Venice.

As many other malware (e.g. Zeus) it has been update in the time, in many cases the provisioning of a malware has been done through the malware-as-service model in adopted by author to implement various requests of the clients.

The news has been published by researchers from CSIS Security Group, that revealed that that the authors of malware have implemented a plugin named “msg.gsm” that allows the code to spread through the popular VOIP client including the following functionality:

  • Sending messages and transferring files
  • Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
  • Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
  • Sends request to server: https://a[removed]s.su/tool/skype.php?action=…

The CSIS published the data on geographic distribution of the malicious agent that hit mainly Europe and US in particular UK users.

shylock_sink

The malware is able to manipulate Skype history and steal files from the victims bypassing Skype warning/restriction for connecting to Skype displayed every time a third party application try  access to the services of the popular application.

The malware could also steal cookies, inject HTTP into a website, setup VNC and upload files and  among other functions included the possibility to spread through local shares and removable drives.

Shylock is considered a serious banking cyber threat especially in the future due its constant update and the introduction of new feature to increase spread capabilities and evade detection activities.

Pierluigi Paganini



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Bouncer, new phishing variant from RSA

 Despite simplicity of the schema phishing attacks have increased exponentially in the last years targeting every sector,both...