Monday, January 21, 2013
The news is very concerning, a new variant of the banking malware known as Shylock has been detected, it includes the capability to spread over Skype.
Shylock is an old acquaintance for security community, the malware was detected for first time in 2011 by experts from Trustee firm, it is used to steal banking credentials from its victims and is considered one of the most insidious cyber threat for banking.
The first version of the malware demonstrated improved methodology for injecting code into browser to remote control the victim and an improved evasion technique to prevent detection by common antivirus software.
Curiously, the origin of the name for the malware, Shylock is the money lender in Shakespeare's opera The Merchant of Venice.
As many other malware (e.g. Zeus) it has been update in the time, in many cases the provisioning of a malware has been done through the malware-as-service model in adopted by author to implement various requests of the clients.
The news has been published by researchers from CSIS Security Group, that revealed that that the authors of malware have implemented a plugin named "msg.gsm" that allows the code to spread through the popular VOIP client including the following functionality:
Sending messages and transferring files
Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
Bypass Skype warning/restriction for connecting to Skype (using findwindow and postmessage)
Sends request to server: »a[removed]s.su/tool/skype.php?action=
Triple Helix - Microsoft® MVP Consumer Security 2012/13
VIP Member Of ASAP - (Alliance of Security Analysis Professionals)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper.