Related Stories

  • Shylock malware evolves to evade security lab environments
    Just as biological viruses constantly evolve to avoid being eradicated by the body’s immune defenses, so too do cyberbugs. The Shylock malware has done just that, developing the ability to identify and avoid remote desktop environments – which are used by researchers to identify analyze security threats.
  • Skype IM ramsomware worm spreading quickly
    Skype users are being subjected to a social engineering-based attack via instant message, where messages purporting to be from friends contain malicious links that infect computers with Dorkbot variants.
  • Shylock financial malware on the rise
    Shylock is financial malware first detected by Trusteer last September and so named because of random excerpts from Shakespeare’s Merchant of Venice included in its binary. Trusteer now reports a significant increase in end-user infections.
  • Trusteer reports arrival of Shylock financial malware in the wild
    Trusteer has reported the evolution of a new type of financial malware, apparently created from generic malware. This is the second time this has happened, the security firm claims.

Top 5 Stories


Shylock malware dials up Skype

18 January 2013

The banking trojan known as Shylock is calling up more victims, thanks to a new propagation tactic of using Skype. It’s also added a few new features to worsen the infection.

“When analyzed, during an investigation, we noticed that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype,” said CSIS researcher Peter Kruse, in a blog. “This allows the malicious Trojan-banker to infect more hosts and continue to be a prevalent threat. Also, the timing does not seem completely coincidental as Microsoft just recently announced that they are discontinuing their Messenger solution and replacing it with Skype.”

Shylock is one of the most advanced trojans currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly, Kruse noted. A recent example of this is its evolution to recognize lab environments.

That said, Kruse and his team found that Shylock is now active in only a few parts of the world, with the epicenter of infections located in the UK. “If we look at sinkhole data collected by CSIS, it becomes quite clear that the attackers prefer to focus only on a few countries instead of random infections in different countries,” he said.

The Skype integration actually enhances the localization, Kruse noted. Past infections – from worms spreading across MSN Messenger, Yahoo! or any other real-time chat program – show that people have a tendency to stay connected with friends who are usually within their own region, allowing outbreaks to be contained locally.

The Skype replication is implemented with a plugin calledt "msg.gsm". This plugin allows the code to spread through Skype and adds a variety of add-on functions.

“Besides from utilizing Skype it will also spread through local shares and removable drives,” Kruse added. “Basically, the C&C functions allow the attacker to execute files, get cookies, inject HTTP into a website, setup VNC, spread through removable drives, uninstall, update C&C server list and upload files.”

Worryingly, anti-virus detection is low for the rojan, garnering zero detections out of 46 programs by VirusTotal.

This article is featured in:
Application Security  •  Industry News  •  IT Forensics  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×