Shylock malware evolves to evade security lab environments

30 November 2012

Just as biological viruses constantly evolve to avoid being eradicated by the body’s immune defenses, so too do cyberbugs. The Shylock malware has done just that, developing the ability to identify and avoid remote desktop environments, which are used by researchers to identify and analyze security threats.

Shylock, a financial malware platform discovered by Trusteer in 2011, is a non-Zeus-based information-stealing trojan. It arrived with an improved method for injecting code into additional browser processes to take control of a computer, and an improved evasion technique to keep malware scanners from detecting its presence. It also has a sophisticated watchdog service that allows it to resist removal attempts and restore its operations.

Now, Trusteer finds that it continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises. “While analyzing a recent Shylock dropper we noticed a new trick it uses to evade detection. Namely, it can identify and avoid remote desktop environments – a setup commonly used by researchers when analyzing malware,” explained Trusteer researcher Gal Frishman, in a blog.

Researchers collect malware samples and run them in an isolated environment in a lab. But “rather than sitting in front of a rack of physical machines in a cold basement lab, researchers use remote desktop connections to study malware from the convenience and coziness of their offices,” Frishman said. “It is this human weakness that Shylock exploits.”

Shylock avoids RDP sessions, and with them the sharp eye of researchers, by feeding invalid data into a system routine and observing the error code that comes back. Because that error code differs between a local desktop and a remote desktop session, the dropper uses it to tell normal desktops apart from lab environments.

“In particular, when executed from a remote desktop session the return code will be different and Shylock won't install,” Frishman said. “It is possible to use this method to identify other known or proprietary virtual/sandbox environments as well.”
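The article does not name the routine Shylock probes, so the check below is not Shylock's code. It is an added example, written for this page, that uses the documented Windows signals for a remote session (GetSystemMetrics with SM_REMOTESESSION, and the SESSIONNAME and CLIENTNAME environment variables) so an analyst can see whether the session they are running a sample from is visibly remote before attributing a sample's silence to the dropper.

```powershell
# Added example, not from the Trusteer blog or the Shylock sample.
# Reports the documented Windows signals that tell a process it is running
# inside a Remote Desktop session. A sample that probes any of these (or, like
# Shylock, an undocumented error-code difference) will see the same session.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll")]
public static extern int GetSystemMetrics(int nIndex);
'@

# Documented metric index: non-zero when the calling process runs in an RDP session.
$SM_REMOTESESSION = 0x1000

function Test-AnalysisSessionIsRemote {
    $signals = [ordered]@{
        # Official API answer.
        'GetSystemMetrics(SM_REMOTESESSION)' = ([Win32.Native]::GetSystemMetrics($SM_REMOTESESSION) -ne 0)
        # Local console sessions are named "Console"; RDP sessions are "RDP-Tcp#<n>".
        'SESSIONNAME is not Console'        = ([bool]$env:SESSIONNAME -and $env:SESSIONNAME -ne 'Console')
        # CLIENTNAME carries the remote client's machine name and is absent on the console.
        'CLIENTNAME is set'                 = [bool]$env:CLIENTNAME
    }

    foreach ($name in $signals.Keys) {
        '{0,-40} {1}' -f $name, $signals[$name]
    }

    # True if any signal fires: a sample can conclude it is being watched remotely.
    return ($signals.Values -contains $true)
}

if (Test-AnalysisSessionIsRemote) {
    Write-Warning 'This session is distinguishable as remote; re-run the sample from the VM console (or a scheduled task) and compare its behaviour.'
} else {
    'Session looks local to the process.'
}
```

Run it inside the analysis VM over RDP and then again from the hypervisor console; if a dropper installs in one and not the other, the session type, not the sample, is the variable. The error-code trick the article describes will not appear in this list, which is the point of the comparison: the only reliable way to catch an unknown probe is to run the sample in both session types and diff what it does.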

However, it is unclear how long such a trick will help it evade detection, because evasion tactics aren’t actually that effective, according to FireEye researcher Atif Mushtaq. He found in February that none of the world's top 20 malware families except for Conficker (number 11) try to detect virtual machines. The reasons are myriad, but a major one is that researchers themselves can detect a malware strain by its very evasion pattern – so the approach eventually backfires.

Also, “a big portion of existing infrastructure is moving towards virtualization nowadays,” said Mushtaq. “Virtualization is no longer a researcher's tool. One will find lots of real assets running on top of these virtual environments. Malware authors are well aware of this and can't afford to lose these valuable assets.” Similarly, avoiding RDP, built into Windows and used by a wide range of enterprises to give employees remote access to corporate networks, can severely constrict the pool of victims as telecommuting and mobile workforces continue to become the norm.
