The Hacker News Logo
Subscribe to Newsletter

Shylock malware : Undetectable virus stealing bank account information

Shylock, a financial malware platform discovered by Trusteer in 2011, is a non-Zeus-based information-stealing trojan that improved methodology for injecting code into additional browser processes to take control of a computer, and an improved evasion technique to prevent malware scanners from detecting its presence.

Why this Name ? Shylock named after the ruthless money lender in Shakespeare's The Merchant of Venice, also deletes its installation files, runs solely in memory, and begins the process again once the infected machine reboots.
Shylock has gained a new trick: The ability to detect whether it's running in a virtual machine (VM) that is being analyzed by malware researchers.

What New ? Latest Shylock dropper detects a remote desktop environment by feeding invalid data into a certain routine and then observing the error code returned. It uses this return code to differentiate between normal desktops and other "lab" environments. In particular, when executed from a remote desktop session the return code will be different and Shylock won't install. It is possible to use this method to identify other known or proprietary virtual/sandbox environments as well.

However, it is unclear how long such a trick will help it evade detection, because evasion tactics aren't actually that effective. In February researchers found that none of the world's top 20 malware families except for Conficker try to detect virtual machines.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.