Resurgence of Shylock

The Shylock malware, also known as Caphaw, made its first appearance in 2011. The malware was named Shylock because of excerpts from Shakespeare’s The Merchant of Venice found in its code. Shylock is not vastly different from a number of other recent malware families; however, it is worth examining here in order to review current malware capabilities, especially advanced detection-avoidance behaviours.

There was a flurry of Shylock activity around the beginning of 2013, and recently it has made another resurgence. Overall, there have been three waves of Shylock activity. Initially, infections appeared in Russia, Turkey, Denmark and Italy. In a second wave, UK banks such as Barclays, HSBC, Santander, RBS, and Natwest were targeted. Now, a lot of the activity is aimed at US banks such as Chase Manhattan, BoA, Citi Private, Wells Fargo, and Capital One.

Shylock is a browser-based attack that connects to a Command-and-Control (C&C) server. The purpose of the malware is to steal banking credentials. Communication between the infected system and the C&C uses self-signed certificates and is encrypted with SSL, and the C&C is masked behind quasi-random locations, making conventional intrusion detection systems (IDS) ineffective.

Shylock is polymorphic: it randomly alters its signature, making conventional signature-based anti-virus systems ineffective. It has also been reported that Shylock is able to detect the commencement of AV scanning on the system; the malware then deletes its own files and registry entries to avoid detection, running only in memory. Shylock is then able to hook into the PC shutdown process, enabling it to restore its own files and registry entries after the AV scan has completed.

Another interesting facet of Shylock is that it shuts down if it detects it is running in a virtual environment. The purpose of this is to make analysis of the malware difficult, as malware researchers generally analyse malware in a virtual environment.

Shylock can download upgrade modules from the C&C server, such as modules that permit it to spread. One plugin allows the malware to record stream video of the user’s banking session. It can also download a key logging plug-in.

The primary infection mechanism of Shylock is to attack vulnerabilities in an old version of the Java runtime on old XP systems. Primary infections to date have all been on XP systems running an old version of Java. An update module of the malware allows it to spread through a secondary mechanism: infecting files in shared folders on a LAN, files on USB flash drives, and via Skype. It is through this secondary infection that later operating systems could be vulnerable.

A notable aspect of Shylock is the boldness of the attacker’s real-time interaction with victims. An update module of Shylock changes the telephone numbers on a bank’s web page to the attacker’s telephone number. Presumably Shylock’s operators would encourage callers to hand over their bank credentials. It would be interesting to phone one of these numbers to evaluate the attacker’s ability to pass themselves off as legitimate bank staff. In another variation, the attackers masquerade as bank staff and encourage victims to communicate with them via a fake customer service chat window on the bank website.
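One defender-side check for the page tampering described above is an out-of-band comparison: fetch a known-good copy of the bank page from a clean machine and diff it against the page as the suspect browser rendered it, flagging telephone numbers and resource hosts (such as an injected chat iframe) that only appear in the rendered copy. The script below is an added illustration, not code from the original post; the bank name, hostnames and HTML samples are constructed, and the phone-number pattern is a simple heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic for phone numbers as they appear in page text (constructed; tune per locale).
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


class _PageFeatures(HTMLParser):
    """Collects visible text plus the hosts of resources the page loads or posts to."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.resource_hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script", "img", "form"):
            for name, value in attrs:
                if name in ("src", "action") and value:
                    host = urlparse(value).netloc.lower()
                    if host:
                        self.resource_hosts.add(host)

    def handle_data(self, data):
        self.text.append(data)


def page_features(html):
    """Return (set of phone numbers as digit strings, set of resource hosts) for a page."""
    parser = _PageFeatures()
    parser.feed(html)
    phones = {re.sub(r"\D", "", m) for m in PHONE_RE.findall(" ".join(parser.text))}
    return phones, parser.resource_hosts


def diff_against_baseline(baseline_html, observed_html):
    """Phone numbers and resource hosts present in the observed page but not in the baseline."""
    base_phones, base_hosts = page_features(baseline_html)
    obs_phones, obs_hosts = page_features(observed_html)
    return {"new_phone_numbers": sorted(obs_phones - base_phones),
            "new_resource_hosts": sorted(obs_hosts - base_hosts)}


# Constructed samples: a clean copy of the page and the same page with an inject applied.
BASELINE = """<html><body><h1>Example Bank</h1>
<p>Call us on 0800 123 4567</p>
<script src="https://www.example-bank.invalid/app.js"></script></body></html>"""
OBSERVED = """<html><body><h1>Example Bank</h1>
<p>Call us on 0800 999 0000</p>
<iframe src="https://support-chat.attacker.invalid/chat"></iframe>
<script src="https://www.example-bank.invalid/app.js"></script></body></html>"""

if __name__ == "__main__":
    print(diff_against_baseline(BASELINE, OBSERVED))
```

Because a man-in-the-browser inject only alters what the infected browser renders, the baseline must come from a machine that is not suspect; comparing two copies fetched from the same infected host shows nothing.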

William Shakespeare wrote in The Merchant of Venice:
All that glitters is not gold
Often have you heard that told
On internet-connected systems, all may not be as it appears. Information security’s challenge is to protect against advanced threats such as Shylock. Due to polymorphism, conventional signature-based anti-virus technology is ineffective, and due to encryption, intrusion detection methods are ineffective. One defence mechanism that is effective against Shylock is secure browser technology: a secure browser that prevents man-in-the-browser attacks, man-in-the-middle attacks, DNS attacks and key-logging attacks.
