Blog
2013-01-17 09:08:39 | Peter Kruse

The home-banking Trojan known as Shylock was updated yesterday with new functions. While analyzing it during an investigation, we noticed that Shylock is now capable of spreading through the popular Voice over IP service and software application, Skype. This allows the Trojan-banker to infect more hosts and remain a prevalent threat. The timing also does not seem entirely coincidental, as Microsoft recently announced that it is discontinuing its Messenger solution and replacing it with Skype.


Shylock is active in only a few parts of the world, with the epicenter of infections located in the UK. Looking at sinkhole data collected by CSIS (illustrated below), it becomes quite clear that the attackers prefer to focus on a few countries rather than on random infections spread across many countries.

Using a tool like Skype, or any "chat"-based technology, for replication purposes only reinforces this geographic focus. Past infections, e.g. worms spreading across MSN Messenger, Yahoo or any other real-time chat program, show that people tend to stay connected with friends (usually within their own region), which keeps outbreaks contained locally.


The Skype replication is implemented in a plugin called "msg.gsm". This plugin lets the code spread through Skype and adds the following functionality:

- Sends messages and transfers files
- Cleans messages and file transfers from the Skype history (using SQLite access to Skype%smain.db)
- Bypasses the Skype warning/restriction for connecting to Skype (using FindWindow and PostMessage)
- Sends requests to the server: https://a[removed]s.su/tool/skype.php?action=...


Besides utilizing Skype, it also spreads through local shares and removable drives. The C&C functions allow the attacker to:

- Execute files
- Get cookies
- Inject HTTP into a website
- Setup VNC
- Spread through removable drives
- Uninstall
- Update C&C server list
- Upload files

Shylock is one of the most advanced Trojan-bankers currently used in attacks against home banking systems. The code is constantly updated and new features are added regularly.

As always for this type of Trojan, antivirus detection is low:

File name: msg.gsm

Detection ratio: 0 / 46

https://www.virustotal.com/file/4bd97130a89c2f9080259d8e87d8d713a23fd0e4336eabb0bf47a44d700ec842/analysis/1358414436/
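With signature-based detection at 0 / 46, the indicators in this post (the plugin file name msg.gsm, the SHA256 from the VirusTotal link, and the /tool/skype.php?action=... request pattern) are what a defender can actually hunt for in proxy logs and file inventories. The script below is an added example written for this page, not CSIS code and not part of the original analysis. It assumes a constructed proxy-log format of `<timestamp> <client-ip> <method> <url> <status>`; the log lines, hostnames and file paths are constructed, and since the C&C host is redacted in the post, the request matcher keys on path and query only.

```python
"""Indicator matching for the Shylock msg.gsm Skype plugin (added example).

Only the plugin file name, the /tool/skype.php?action= request pattern and
the SHA256 from the VirusTotal link are taken from the post; every log line,
hostname and file path below is constructed for illustration.
"""
import hashlib
from urllib.parse import urlsplit, parse_qs

# SHA256 of msg.gsm, copied from the VirusTotal URL in the post.
MSG_GSM_SHA256 = "4bd97130a89c2f9080259d8e87d8d713a23fd0e4336eabb0bf47a44d700ec842"
PLUGIN_NAME = "msg.gsm"
# The C&C hostname is redacted in the post, so match on the path + query only.
C2_PATH = "/tool/skype.php"

# Constructed proxy log lines: '<timestamp> <client-ip> <method> <url> <status>'.
SAMPLE_PROXY_LOG = [
    "2013-01-17T09:01:12Z 10.0.0.15 GET https://www.example.com/index.html 200",
    "2013-01-17T09:02:40Z 10.0.0.23 GET https://a-redacted-host.su/tool/skype.php?action=getcontacts 200",
    "2013-01-17T09:03:05Z 10.0.0.23 POST https://a-redacted-host.su/tool/skype.php?action=report&id=1 200",
    "2013-01-17T09:04:00Z 10.0.0.42 GET https://intranet.example.com/tool/skype.php 200",
]

# Constructed file inventory rows: (path, sha256 hex). The hash on the first and
# last rows is the one from the post; the paths are made up.
SAMPLE_INVENTORY = [
    ("C:\\example\\profile\\msg.gsm", MSG_GSM_SHA256),
    ("C:\\example\\profile\\main.db", "0" * 64),
    ("C:\\example\\temp\\update.exe", MSG_GSM_SHA256),  # renamed copy, caught by hash
]


def is_shylock_c2_request(url: str) -> bool:
    """True if the URL has the .../tool/skype.php?action=... shape from the post."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.path.lower() != C2_PATH:
        return False
    # An action= parameter (even an empty one) is required for a hit.
    query = parse_qs(parts.query, keep_blank_values=True)
    return "action" in query


def scan_proxy_log(lines):
    """Return (line_number, client_ip, url) for every C&C-looking request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:  # malformed or truncated line, skip it
            continue
        client, url = fields[1], fields[3]
        if is_shylock_c2_request(url):
            hits.append((lineno, client, url))
    return hits


def classify_file(name: str, data: bytes):
    """Return the reasons a file on disk matches the post's indicators."""
    reasons = []
    if name.lower() == PLUGIN_NAME:
        reasons.append("name matches Skype plugin msg.gsm")
    if hashlib.sha256(data).hexdigest() == MSG_GSM_SHA256:
        reasons.append("sha256 matches sample from post")
    return reasons


def classify_inventory(entries):
    """Return {path: reasons} for inventory rows (path, sha256) that match."""
    flagged = {}
    for path, digest in entries:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        reasons = []
        if name.lower() == PLUGIN_NAME:
            reasons.append("name matches Skype plugin msg.gsm")
        if digest.lower() == MSG_GSM_SHA256:
            reasons.append("sha256 matches sample from post")
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for lineno, client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {client} -> {url}")
    for path, reasons in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{path}: {', '.join(reasons)}")
```

The inventory check deliberately matches on hash as well as name, so a renamed copy of the plugin is still flagged, while the request matcher ignores the host because the post redacts it; once an organisation has the full hostname from its own sinkhole or proxy data, adding it as a second condition reduces false positives on unrelated sites that happen to serve a /tool/skype.php path.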



Analysis:
Iurii Khvyl and Peter Kruse