Shylock is one of the most advanced Trojans currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.
According to security researchers from CSIS Security Group, the Skype infection is based on a malicious plugin called msg.gsm and allows the malware to send messages and transfer files, clean messages and transfers from Skype history and even bypass the Skype warning for connecting to servers.
Beside the new ability to spread through Skype, Shylock can also spread through local shares and removable drives. Infection by the Trojan allows hackers to steal cookies, inject HTTP into a website, setup VNC and upload files, among other functions.
The program also bypasses the warning and confirmation request that Skype displays when a third-party program tries to connect and interact with the application.
According to a map showing the distribution of Shylock infections that was published by CSIS, there's a high concentration of victims in the UK. However, there are also many Shylock-infected computers throughout mainland Europe and the US.
2012-12-01T07:50:00-11:00Saturday, December 01, 2012 Mohit Kumar
Shylock, a financial malware platform discovered by Trusteer in 2011, is a non-Zeus-based information-stealing trojan that improved methodology for injecting code into additional browser processes to take control of a computer, and an improved evasion technique to prevent malware scanners from detecting its presence.
Why this Name ? Shylock named after the ruthless money lender in Shakespeare's The Merchant of Venice, also deletes its installation files, runs solely in memory, and begins the process again once the infected machine reboots.
Shylock has gained a new trick: The ability to detect whether it's running in a virtual machine (VM) that is being analyzed by malware researchers.
What New ? Latest Shylock dropper detects a remote desktop environment by feeding invalid data into a certain routine and then observing the error code returned. It uses this return code to differentiate between normal desktops and other "lab" environments. In particular, when executed from a remote desktop session the return code will be different and Shylock won't install. It is possible to use this method to identify other known or proprietary virtual/sandbox environments as well.
However, it is unclear how long such a trick will help it evade detection, because evasion tactics aren't actually that effective. In February researchers found that none of the world's top 20 malware families except for Conficker try to detect virtual machines.