New variant of banking malware Shylock spread via Skype

Pierluigi Paganini January 20, 2013

The news is very concerning, a new variant of the banking malware known as Shylock has been detected, it includes the capability to spread over Skype.

Shylock is an old acquaintance for security community, the malware was detected for first time in 2011 by experts from Trustee firm, it is used to steal banking credentials from its victims and is considered one of the most insidious cyber threat for banking.

The first version of the malware demonstrated improved methodology for injecting code into browser to remote control the victim and an improved evasion technique to prevent detection by common antivirus software.

Curious the origin of the name for the malware, Shylock is the money lender in Shakespeare’s opera The Merchant of Venice.

As many other malware (e.g. Zeus) it has been update in the time, in many cases the provisioning of a malware has been done through the malware-as-service model in adopted by author to implement various requests of the clients.

The news has been published by researchers from CSIS Security Group, that revealed that that the authors of malware have implemented a plugin named “msg.gsm” that allows the code to spread through the popular VOIP client including the following functionality:

  • Sending messages and transferring files
  • Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
  • Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
  • Sends request to server: https://a[removed]s.su/tool/skype.php?action=…

The CSIS published the data on geographic distribution of the malicious agent that hit mainly Europe and US in particular UK users.

shylock_sink

The malware is able to manipulate Skype history and steal files from the victims bypassing Skype warning/restriction for connecting to Skype displayed every time a third party application try  access to the services of the popular application.

The malware could also steal cookies, inject HTTP into a website, setup VNC and upload files and  among other functions included the possibility to spread through local shares and removable drives.

Shylock is considered a serious banking cyber threat especially in the future due its constant update and the introduction of new feature to increase spread capabilities and evade detection activities.

Pierluigi Paganini



you might also like

leave a comment