Shylock trojan ducks malware researchers

A trojan that steals bank account information is hiding from researchers who study it via remote desktop connections.

Shylock delivered web injects into victims' browsers and logged keystrokes, and was concealed in endpoint device memory files.

It also rewrote Windows processes, deleted its installation files, ran solely in memory, and persisted after reboot.

 Trusteer senior security strategist George Tubin told SC it appeared to be a widespread threat largely undiscovered by its mostly US victims

Attacks were often initiated by phishing emails or drive-by downloads.

“This is good, general purpose financial malware that we see along with Zeus, SpyEye and a host of other malware families that target these institutions,” Tubin said.

The latest variant of Shylock is now able to detect remote desktop connections, a preferred method of analysing malware in lieu of researchers needing to access physical machines within a security operations center, Tubin added.

Trusteer has seen malware use other evasion strategies on virtual environments, like network scanning tools or sandboxing mechanisms, but never specific coding that eludes remote desktop software.

“This is the first time we've seen this in malware,” he said.

“We do see malware doing more things to avoid so-called virtual environments. For instance, sometimes malware has a sleep function, so once it gets in, it won't start for a time. We see an increasing trend in malware being able to evade virtual environments.”

The malware also monitored mouse movement to avoid virtual environments, Symantec principle security response manager Vikram Thakur said.

"At the end of the day, malware authors realize that organizations use automated techniques in order to determine the capabilities of malware,” Thakur said. “By investing development time to circumvent sandboxes, they are trying to buy themselves some time before they get detected."

This article originally appeared at scmagazineus.com