Shylock malware evolves to evade security lab environments

Shylock, a financial malware platform discovered by Trusteer in 2011, is a non-Zeus-based information-stealing trojan. It uses an improved method for injecting code into additional browser processes to take control of a computer, and an improved evasion technique to keep malware scanners from detecting its presence. It also has a sophisticated watchdog service that lets it resist removal attempts and restore its operation.

Now, Trusteer finds that it continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises. “While analyzing a recent Shylock dropper we noticed a new trick it uses to evade detection. Namely, it can identify and avoid remote desktop environments – a setup commonly used by researchers when analyzing malware,” explained Trusteer researcher Gal Frishman, in a blog.

Researchers collect malware samples and run them in an isolated environment in a lab. But “rather than sitting in front of a rack of physical machines in a cold basement lab, researchers use remote desktop connections to study malware from the convenience and coziness of their offices,” Frishman said. “It is this human weakness that Shylock exploits.”

Shylock avoids RDP sessions – and therefore the sharp eye of researchers – by feeding invalid data into a routine and observing the error code returned. It uses this return code to tell normal desktops apart from lab environments.

“In particular, when executed from a remote desktop session the return code will be different and Shylock won't install,” Frishman said. “It is possible to use this method to identify other known or proprietary virtual/sandbox environments as well.”

However, it is unclear how long such a trick will help it evade detection, because evasion tactics aren’t actually that effective, according to FireEye researcher Atif Mushtaq. He found in February that none of the world's top 20 malware families except for Conficker (number 11) try to detect virtual machines. The reasons are myriad, but a major one is that researchers themselves can detect a malware strain by its very evasion pattern – so the approach eventually backfires.
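The trick described above (a return code that differs inside a remote desktop session, after which the sample simply does not install) and Mushtaq's point that the evasion pattern itself gives a sample away suggest a simple defender-side check: run the sample once in a plain console session and once over a remote desktop session, then compare the two API traces. A sample that drops files and writes persistence in one run but exits right after a call whose return value differed in the other run is environment-sensitive and worth a closer look. The script below is an added example and not code from the article or from Trusteer; the trace line format is constructed, the set of "installation" APIs is an assumption to be tuned to your sandbox, and since the article does not name the routine Shylock probes, the traces use GetSystemMetrics as a stand-in for it.

```python
"""Differential trace analysis for session-sensitive malware (added example).

Input: two constructed sandbox API traces of the same sample, one line per
call in the form 'api=NAME status=VALUE'. The analysis finds the first call
where the runs stop agreeing and checks whether installation activity is
present in one run but not the other.
"""
from dataclasses import dataclass

# Calls taken as evidence that the sample went ahead with installation.
# Assumption for this example; tune to your sandbox's own behaviour model.
INSTALL_APIS = {"CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW"}


@dataclass
class Call:
    api: str
    status: str


def parse_trace(text):
    """Parse 'api=NAME status=VALUE' lines (constructed format) into Call objects."""
    calls = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        calls.append(Call(api=fields["api"], status=fields["status"]))
    return calls


def has_install_activity(calls):
    return any(c.api in INSTALL_APIS for c in calls)


def divergence_point(calls_a, calls_b):
    """Return (index, api) of the first call where the two runs disagree, or None.

    Runs agree at a position when they call the same API and see the same
    status. The first disagreement is where the sample observed a different
    return code (or took a different branch), which is exactly what the
    article says Shylock keys on.
    """
    for i, (a, b) in enumerate(zip(calls_a, calls_b)):
        if a.api != b.api or a.status != b.status:
            return i, a.api if a.api == b.api else f"{a.api}/{b.api}"
    if len(calls_a) != len(calls_b):
        i = min(len(calls_a), len(calls_b))
        longer = calls_a if len(calls_a) > len(calls_b) else calls_b
        return i, longer[i].api
    return None


def analyze(trace_a, trace_b):
    """Compare two runs and report whether behaviour depends on the environment."""
    calls_a, calls_b = parse_trace(trace_a), parse_trace(trace_b)
    inst_a, inst_b = has_install_activity(calls_a), has_install_activity(calls_b)
    div = divergence_point(calls_a, calls_b)
    where = {(True, True): "both", (True, False): "a",
             (False, True): "b", (False, False): "neither"}[(inst_a, inst_b)]
    return {
        "environment_sensitive": inst_a != inst_b,   # installs in one run only
        "divergence_api": div[1] if div else None,   # call where the runs part ways
        "installed_in": where,
    }


# Constructed traces. GetSystemMetrics stands in for the unnamed routine;
# the differing status is the "different return code" the article describes.
CONSOLE_TRACE = """
api=GetModuleHandleW status=ok
api=GetSystemMetrics status=0
api=CreateFileW status=ok
api=WriteFile status=ok
api=RegSetValueExW status=ok
api=ExitProcess status=ok
"""

RDP_TRACE = """
api=GetModuleHandleW status=ok
api=GetSystemMetrics status=1
api=ExitProcess status=ok
"""

if __name__ == "__main__":
    print(analyze(CONSOLE_TRACE, RDP_TRACE))
```

On the constructed traces the report shows installation only in the console run and names GetSystemMetrics as the divergence point; a sample that behaves identically in both runs is reported as not environment-sensitive. The check is deliberately agnostic about which routine is probed, so it still works when the malware switches to a different one.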

Also, “a big portion of existing infrastructure is moving towards virtualization nowadays,” said Mushtaq. “Virtualization is no longer a researcher's tool. One will find lots of real assets running on top of these virtual environments. Malware authors are well aware of this and can't afford to lose these valuable assets.” Similarly, avoiding RDP, built into Windows and used by a wide range of enterprises to give employees remote access to corporate networks, can severely constrict the pool of victims as telecommuting and mobile workforces continue to become the norm.
