The prolific, credential-stealing Shylock banking Trojan is growing increasingly sophisticated as its creators continue adding new modules and functionalities to the man-in-the-browser malware, according to a Symantec report.
To this point, Shylock has made its money via man-in-the-browser attacks designed to pilfer banking login credentials from a predetermined list of target organizations. Symantec claims that Shylock is currently targeting more than 60 banks and financial institutions mostly in the United Kingdom but also in the United States and Italy as well. From its inception in July 2011 until around May of 2012, Shylock was only really targeting institutions in the UK, so this global expansion is part of the Trojan’s new look.
The malware’s creators are also refining the target list to root out less valuable banks that have either become harder to compromise or no longer provide services for high-value clients.
Shylock’s list of potential features is robust, including an archiver that allows it to compress and upload recorded video files to remote servers, a BackSocks mechanism that allows Shylock to use infected machines as proxy servers, a diskspread functionality that lets Shylock spread via removable drives, an ftpgrabber module that supports password theft from various applications, an MsgSpread which gives Shylock the ability to proliferate through Skype instant messages, and a VNC that provides attackers with a remote connection to compromised devices.
Shylock’s creators aren’t just refining their target list and adding features to expand its capabilities and reach; they’re also fortifying its infrastructure to avoid downtime. Symantec is finding Shylock samples that shuffle traffic between its servers to help balance the load during high-traffic periods. Shylock has three types of servers that Symantec knows of: command and control servers, VNC and BackSocks servers that let attackers perform remote transactions, and Javascript servers that handle the actual business of injecting code to intercept traffic during MiTB attacks.
Shylock has possessed the ability to move itself over Skype messages since January. Before that, its most substantial upgrade happened in November of last year, when its creators added a detection-evading function that let them determine whether the virus was executing organically on a computer or if researchers were opening it in a virtual machine to pick it apart.