Computer cops strike at the heart of Shylock malware

Computer crime fighters have today announced that they have seized essential infrastructure used by the highly advanced Shylock banking malware, effectively neutralising an attack which has already infected at least 30,000 Windows computers.

Shylock, which gains its name because its code includes random excerpts from “The Merchant of Venice”, has been used by its criminal overlords to raid the online bank accounts of innocent computer users, after downloading malware onto compromised computers and injecting itself into web sessions.

Quite why the malware author who created Shylock decided to incorporate excerpts of one of Shakespeare’s most famous plays is unclear, but it’s possible that it was a sick joke playing on the character demanding a “pound of flesh” after a bankrupt Antonio defaults on a loan.

The Shylock malware is extremely sophisticated and has proven to have – until now – a resilient infrastructure that was hard for the authorities to disrupt.

Typically spread via malicious links in spammed out messages, the Shylock malware would lurk in the background on infected computers – waiting for the user to visit a banking website.

Once Shylock detected a computer user was attempting to access an online bank account, the malware would display a fake screen designed to steal login credentials and send them to criminals.

As well as logging keystrokes, Shylock could record what was happening on the users’ screen and steal detailed information about what software was installed on the victim’s computer.

As Bitdefender has previously reported, the malware has continued to evolve – notably, for instance, it was updated in early 2013 to spread using Skype’s chat function, sending messages and transferring files via the VOIP service without the knowledge of users.

For over two years, the Shylock cybercrime gang have been able to steal sensitive banking information from unsuspecting users, costing the banking industry millions of pounds.

There is no disputing that Shylock (which Bitdefender products detect as Gen:Variant.Kazy.14303, but is also known as Caphaw) has been a thorn in the side of the UK’s National Crime Agency, because the malware appears to particularly target computer users in the country.

Some studies have suggested that 61% of websites compromised by the malware were UK-based, and that three quarters of the banks being targeted were British.

Recently, however, the Shylock gang has widened its scope – stealing information from users in other countries, including Germany, Denmark, Turkey and Italy, and inflicting financial damage on both individuals and small businesses.

It is no surprise, therefore, to see the NCA join forces with the FBI, Europol, the German Federal Police (BKA), and members of the security industry to gather intelligence about the malware and its infrastructure.

Fascinatingly, Britain’s GCHQ intelligence-gathering agency is also said to have been involved in the investigation, although in what capacity has not been made clear.

Sadly, no arrests have been announced to date in connection with Shylock – but Europol has said that there may be additional action taken by law enforcement agencies after previously unknown parts of the malware’s infrastructure were uncovered.

The most important thing, of course, is not to allow your computer to become infected in the first place.

In its warning, the NCA urged users to be suspicious of clicking on unsolicited links and to treat their computer security as being of paramount importance – keeping vulnerability patches and anti-virus software updated.

Ensuring that your computer is automatically applying security updates is probably a sensible step for the typical home user, and will help to protect against both this and other malware threats.