‘Shylock’ financial malware making a comeback

Computer users in financial institutions may have to be more careful in the workplace, as a piece of financial malware is making a comeback.

Security vendor Trusteer noted a rise in infections by the malware, codenamed “Shylock” for its use of excerpts from William Shakespeare’s “The Merchant of Venice.”

“In recent weeks, we have seen a significant increase in the number of end user machines infected with Shylock. One of this malware’s distinguishing characteristics is its ability to almost completely avoid detection by Anti-Virus scanners after installation. Shylock uses a unique three step process to evade scanners,” Trusteer said in a blog post.

It said the malware manages to stay on computers it infects by changing its file signature to avoid detection by anti-virus programs.

Trusteer said “Shylock” injects itself into all running processes (applications) in memory.

“Every time a new application is initialized, Shylock suspends the application from running in memory, injects itself into the application process and then allows the application to proceed with its normal execution. Once installed, Shylock code doesn’t run as a separate process, rather it embeds itself within every genuine application running on a machine. This makes it very hard to detect,” it said.

But even if it is detected, the fact that it is embedded in multiple running applications makes it almost impossible to stop and remove from memory.

The second step “Shylock” uses to thwart anti-virus software is to intercept anti-virus scanning and delete its own files and registry entries, so the scan finds nothing on disk to flag.

A third step is to hook into Microsoft Windows’ shutdown procedure just before the system is completely shut down.

Trusteer said the only way the infection can be removed is to physically unplug a machine that has no internal battery – a risky move that may corrupt the operating system.

“We have found that physically unplugging the machine’s power source (assuming it does not have an internal battery), after Shylock has deleted its files and registry entries to evade detection, will clean the memory and also the Shylock infection. Needless to say we do not recommend this as a malware removal practice!” it said.
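As an added example (not code from Trusteer or the article), the following is a defender-side check for the state described above: a module that is still loaded in every process but whose file has been deleted from disk. The process list, paths and the "svcmon.dll" name are constructed, and the inventory stands in for what a memory-inspection tool would report.

```python
from collections import defaultdict

# Constructed inventory of (pid, process name, loaded module path), as a
# memory-inspection tool might report it. 'svcmon.dll' is a made-up name
# standing in for a module injected into every process.
MODULES = [
    (412, "explorer.exe", r"C:\Windows\explorer.exe"),
    (412, "explorer.exe", r"C:\Windows\System32\ntdll.dll"),
    (412, "explorer.exe", r"C:\Users\alice\AppData\Roaming\svcmon.dll"),
    (988, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (988, "iexplore.exe", r"C:\Windows\System32\ntdll.dll"),
    (988, "iexplore.exe", r"C:\Users\alice\AppData\Roaming\svcmon.dll"),
    (1204, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
    (1204, "notepad.exe", r"C:\Windows\System32\ntdll.dll"),
    (1204, "notepad.exe", r"C:\Users\alice\AppData\Roaming\svcmon.dll"),
]

# Constructed snapshot of files present on disk at scan time: the injected
# DLL has already deleted itself, as the article says Shylock does.
FILES_ON_DISK = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Windows\System32\notepad.exe",
}


def find_orphaned_modules(modules, files_on_disk):
    """Map module path -> sorted pids for modules with no backing file on disk."""
    orphans = defaultdict(set)
    for pid, _name, path in modules:
        if path not in files_on_disk:
            orphans[path].add(pid)
    return {p: sorted(pids) for p, pids in orphans.items()}


def find_ubiquitous_modules(modules):
    """Non-exe module paths loaded into every observed process."""
    per_process = defaultdict(set)
    for pid, _name, path in modules:
        if not path.lower().endswith(".exe"):
            per_process[pid].add(path)
    return sorted(set.intersection(*per_process.values())) if per_process else []


def suspicious_modules(modules, files_on_disk):
    """Modules that are both missing from disk and present in every process."""
    orphans = find_orphaned_modules(modules, files_on_disk)
    return {p: orphans[p] for p in find_ubiquitous_modules(modules) if p in orphans}
```

A legitimate shared library such as ntdll.dll is loaded everywhere but still has its file on disk, so only the deleted, everywhere-loaded module is reported.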

Shylock from Russia?

A separate article on PC World noted that “Shylock” primarily targets global financial institutions – and may have originated in Russia.

PC World cited an interview with Trusteer chief technology officer Amit Klein, in which Klein said there are hints in Shylock’s terminology suggesting it comes from Russia or the Ukraine.

But who is involved and exactly where it is coming from remain unknown, Klein said. “These are very difficult to track,” he said.

Klein added the authors of the malware are “running a surgical operation” aimed at specific targets — a dozen or so large banks, some payment card providers and several web mail providers.

“It is malware in progress,” he said. “They keep throwing in new features, and perhaps have decided it’s stable enough to distribute.” — TJD, GMA News

Article source: http://ph.news.yahoo.com/shylock-financial-malware-making-comeback-093608815.html