The Merchant of Malware


The Obama Administration recently released some details on its decision-making process for publicly disclosing zero-day vulnerabilities. Drew Amorosi reports.

Synonymous with a ruthless money lender, the name Shylock is the brainchild of William Shakespeare. As the primary antagonist in The Merchant of Venice, the vanquished Jewish creditor’s forced conversion to Christianity forms the apex of Shakespeare’s comedy. Following the recent takedown of the namesake financial malware used by certain recesses of the cyber-criminal underground, it appears the contemporary script still includes defeat for Shylock – at least for now.

The fictitious Shylock’s misfortune begins as, befitting his overzealous nature, the creditor attempts to collect a pound of human flesh promised to him when a borrower (and rival) defaults on a loan. Often described as a highly sophisticated polymorphic malware, the real Shylock took several million pounds of flesh – pounds sterling, that is, in addition to dollars, Euros, and rupees. Shylock has targeted many of the world’s largest financial institutions, and unsurprisingly elicited a response from law enforcement.

The axe fell upon Shylock on July 10, 2014, as Europol publicly detailed a globally coordinated operation that – over the previous two days – sought to fundamentally disrupt the cyber-criminal infrastructure operating the trojan’s botnet.

The sting was coordinated by law enforcement in the UK, but was heavily assisted by counterparts in Italy, the Netherlands, Turkey, Germany, France, Poland, and the FBI in the US. The family affair also included the UK’s GCHQ, Europol’s European Cybercrime Centre (EC3), and several private sector cybersecurity firms. The allied law enforcement agencies seized servers comprising the trojan’s command-and-control system in early July, in addition to taking control of the domains that Shylock employed for communication between infected computers. The investigation and resulting actions were coordinated by Europol’s EC3. The EU’s emergency response arm, CERT-EU, also participated in the operation and passed on relevant information about the malicious domains associated with Shylock to peer organizations in EU member states.

The many hands working together to take Shylock and its infrastructure offline have been praised by cybercrime experts on both sides of the Atlantic. The need for such a response is imperative in today’s digital economy, as a recent report from McAfee and the Center for Strategic and International Studies pointed out. With an overall global internet economy of between $2–3 trillion, cybercrime takes away about 15–20% of this value. Cybercrime, including the likes of Shylock, helps contribute to a worldwide negative impact on employment while draining approximately $445 billion from that economy. 

“The recent law enforcement efforts have proved successful in not only impacting the operations of the malware, but also demonstrate the importance of cyber hygiene to the general public.” – Raj Samani, chief technology officer EMEA at McAfee

Nevertheless, while this operation may have been a successful one, most experts in the field – Samani included – know that takedowns like this are only temporary fixes for cybercrime and that such partnerships to combat the trend must be permanently strengthened. 

Hidden in Plain Sight

Despite Shylock’s international appetite, it has done most of its feasting on financial institutions from the land of Shakespeare. BAE Systems Applied Intelligence published its analysis of the malware and found that over a recent two-year period, 80% of the banks it targeted were UK-based, and attacks were mainly via compromising legitimate websites. The business and technology consultancy also found that from a sample of 500 known compromised sites, 61% were based in the UK. So it was no surprise that the UK’s newly formed National Crime Agency (NCA) spearheaded the international collaboration that, for the time being, has disabled the botnet that serves Shylock.

“We codenamed it Shylock because every new build bundles random excerpts from Shakespeare's The Merchant of Venice in its binary,” explained Trusteer, which published the first analysis of Shylock in 2011. The internet security specialist observed that the process was “designed to change the malware’s file signature to avoid detection by anti-virus programs.”

According to Trusteer, Shylock uses a novel three-step process to evade anti-virus scanners. First it hides in the machine’s memory by injecting itself into all running applications. 

“Every time a new application is initialized, Shylock suspends the application from running memory, injects itself into the application process, and then allows the application to proceed with its normal execution,” the firm detailed. “Once installed, Shylock code doesn't run as a separate process, rather it embeds itself within every genuine application running on a machine.” Trusteer noted that this process makes Shylock extremely difficult to detect with traditional anti-virus, and even if it were detected, would be “almost impossible to stop and remove from memory,” because it runs within multiple applications.

The second and perhaps most unique method Shylock uses to evade AV is what has been referred to by many researchers as a ‘watchdog’ feature that detects when an AV scan is taking place and, once detected, the trojan deletes its own files and registry entries, effectively covering its tracks. Finally, Shylock ‘hijacks’ the Windows shutdown process, Trusteer said, “to ensure its survival” because once the trojan deletes its files and registry entries, a shutdown would remove it from the memory. To avoid this, Shylock “hooks into the Windows shutdown procedure and reinstates the files and registry keys…just before the system is completely shut down and after all other applications are closed (including anti-virus).”
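The three evasion steps just described (injection into every new process, self-deletion when a scan runs, reinstatement at shutdown) leave a behavioural trail even when file signatures fail. As an added example that is not from the article or from Trusteer’s analysis, the following Python correlator looks for that trail in constructed Sysmon-style records; the Sysmon event IDs are real, but every path, user and registry value in the sample is a placeholder, not a Shylock indicator.

```python
"""Correlate Sysmon-style events for two behaviours described in the text:
a single process injecting into many new applications, and an executable
deleted from disk that is later written back into a Run key at shutdown.
All records below are constructed; paths and names are placeholders."""
import json
from collections import defaultdict

# Sysmon event IDs used: 8 = CreateRemoteThread, 23 = FileDelete,
# 13 = RegistryEvent (value set). "t" is a simple ordering counter.
SAMPLE_LOG = r"""
{"t": 1, "EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Roaming\\loader.exe", "TargetImage": "C:\\Program Files\\Browser\\browser.exe"}
{"t": 2, "EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Roaming\\loader.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe"}
{"t": 3, "EventID": 8, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\csrss.exe"}
{"t": 4, "EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Roaming\\loader.exe", "TargetImage": "C:\\Program Files\\Mail\\mail.exe"}
{"t": 5, "EventID": 23, "Image": "C:\\Program Files\\Browser\\browser.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\loader.exe"}
{"t": 6, "EventID": 13, "Image": "C:\\Program Files\\Mail\\mail.exe", "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater", "Details": "C:\\Users\\u\\AppData\\Roaming\\loader.exe"}
"""

def parse_events(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def injection_fanout(events, min_targets=3):
    """Pattern 1: one source creating remote threads in many distinct target
    images, as a loader that injects into every new application would."""
    targets = defaultdict(set)
    for e in events:
        if e.get("EventID") == 8:
            targets[e["SourceImage"]].add(e["TargetImage"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}

def deleted_then_reinstated(events):
    """Pattern 2: an executable deleted from disk (hiding from a scan) that is
    later written back into a Run key, by a different process, as persistence."""
    deleted = {}
    hits = []
    for e in events:
        if e.get("EventID") == 23:
            deleted[e["TargetFilename"].lower()] = e["t"]
        elif e.get("EventID") == 13 and "\\run\\" in e.get("TargetObject", "").lower():
            path = e.get("Details", "").lower()
            if path in deleted and e["t"] > deleted[path]:
                hits.append((e["Details"], e["Image"]))
    return hits

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(injection_fanout(evs))
    print(deleted_then_reinstated(evs))
```

In a real deployment the same two queries run over the host's Sysmon channel; the thresholds and the Run-key match are the tuning points.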

With such a complex and previously unseen method of divide, hide, and conquer, it’s no wonder that Shylock received the attention of UK and worldwide law enforcement, especially given that it’s just one player in the world of malware bought, sold, and deployed by the cyber-criminal underground. Perhaps strengthening the motivation were the institutions the malware was targeting, including financial heavyweights Barclays, Santander, Bank of America and Wells Fargo.  

Collateral Damage

It’s important to note that this collaborative takedown effort caused damage to Shylock’s infrastructure. What it did not do, however, was bring those responsible to justice. Furthermore, thus far, the people behind Shylock remain unidentified – other than a few speculative references to Russian appearing in the malware’s code.

“Shylock reminds me a lot of Ghost Click,” says James Harris, senior cybersecurity specialist at Obsidian Analysis. Harris is the former acting unit chief of the FBI’s Cybercrime Unit 2. He’s referring to Operation Ghost Click back in 2011 when the FBI worked with international law enforcement and private sector partners to curtail the operation behind the DNSChanger malware. In that case, a federal court order replaced rogue DNS servers with legitimate ones, but unlike the Shylock operation, there were arrests and formal charges brought forward on those thought to be responsible.

“On one hand, it’s good to see law enforcement and the private sector working together under an established legal framework to address these crimes,” Harris says. 

“On the other hand, I worry that the successes of these operations will create an evolutionary pressure on malware creators to develop much more robust architectures, either with more distributed command-and-control networks, or with ‘self-destruct’ features to raise the risk of such operations.” – James Harris, senior cybersecurity specialist at Obsidian Analysis

What the former FBI agent underscores is that, not coincidentally, malware in today’s cyber-criminal underground is like a biological virus – constantly mutating to avoid modern remedies, or paving the way for other previously unknown types to fill the void.

Although such law enforcement efforts are necessary to combat the problem, Harris believes they will do little to affect the cost of doing business for cyber-criminals. “It’s not more expensive to write more robust code, and there is no way to predict what the infrastructure (domain names, etc.) will cost; it could even get cheaper with more creative solutions.”

Richard Stiennon, chief research analyst with IT-Harvest, echoes Harris’ comments.

“While the organizations that participated in the takedown of the Shylock botnet are to be commended for overcoming legal and coordination hurdles, the impact of the takedown on the operations of cyber-criminals will be minimal,” he tells Infosecurity. Further, he notes that the cost of launching a new botnet aimed at financial fraud is far cheaper than that spent by law enforcement and other stakeholders in taking it down. 

“The only way to make a dent in the rising threat of cybercrime is to arrest and successfully prosecute the perpetrators.” – James Harris, senior cybersecurity specialist at Obsidian Analysis

There is also some collateral damage for those whose computers have been infected by Shylock, Theresa Payton points out. The former White House CIO and current CEO of Fortalice Solutions also commends the coordinated takedown effort, and says it’s exactly what we need to see more of. “But there are some drawbacks,” she explains.

“First, when a botnet is removed it could impact some users if their computers no longer know how to route to the internet. Second, if the botnet is shut down and the user with an infection does not know they are infected, it could leave them open to new attacks.” Payton also underscores the relentlessness of cyber-criminals who seek an easy way to profit with minimal output. “They will either tweak Shylock so it works again, or they will create a new botnet to work from,” she argues.

Resurrection and Reprieves

If art does indeed imitate life, then it’s safe to say that – absent any arrests – those responsible for Shylock will live to pilfer once again. Shakespeare’s Shylock must adapt to a new world of Christianity, but in exchange is spared his life in The Merchant of Venice. In the world of cybercrime, similar alternatives must be put forth or there will be no incentive for those behind the fraud to cease their operations.

A more comprehensive approach is needed in order for this to one day become reality, according to Harris.

“If we really want to change the equation, we as a society have to think in terms of near-term, mid-term, and long-term solutions,” he maintains.

“In the near-term, we need better cybersecurity awareness and practices for users. In the mid-term, we need to address the software development methods of our vendors to create more secure code from the start, thus resisting infection. In the long-term, we need to address economic conditions in these countries that are constantly churning out this type of malware so that a skilled programmer can find more productive employment than building nasty bugs.”

Shylock is on hiatus for now, but as Stiennon points out, other botnets are there to keep the cybercrime drain flowing. “International organizations such as Europol and NCA's National Cyber Crime Unit must develop the ability to take down command and control servers as they are created, not after months of operation,” he says.

“They must work to improve cooperation with law enforcement in the difficult legal environments of Eastern European states to prosecute the organized crime gangs responsible for banking trojans,” he concludes.
