January 22, 2017

Banking Trojan tries to hide from security researchers

Shylock from Shakespeare’s Merchant of Venice. Engraving by G. Greatbach after a painting by John Gilbert.

(LiveHacking.Com) –  In the never-ending cat and mouse chase between malware writers and security researchers a twist has been observed by the security company Trusteer. Recent analysis of a piece of banking and financial malware called Shylock has shown that the authors are trying to add methods which stops the malware from being analyzed. Malware researchers often use virtual machines or remote computers in an operations center or “lab” to perform research on malware. To connect to the machines in the lab, researchers use remote desktop connections. Knowing this, Shylock has been altered to identify and avoid remote desktop environments.

“Like most malware strains, Shylock continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises,” Gal Frishman wrote in a blog post. According to Gal, Shylock tries to detect a remote desktop environment by feeding invalid data into a certain Windows function call and then observes the error code returned. It uses this return code to spot remote desktops. If it recognizes a remote desktop sessions it won’t install. It is also possible to use this method to identify other known or proprietary virtual/sandbox environments as well.

“This is good, general purpose financial malware that we see along with Zeus, SpyEye and a host of other malware families that target these institutions,” George Tubin told SC Magazine. “We do see malware doing more things to avoid so-called virtual environments. For instance, sometimes malware has a sleep function, so once it gets in, it won’t start for a time. We see an increasing trend in malware being able to evade virtual environments.”

To find out if it is running in a remote desktop environment Shylock makes a call to the SCardForgetReaderGroup() function in Windows. This innocent function is designed to remove a previously introduced smart card reader group from the smart card subsystem. However it turns out that if the function is called on a normal desktop machine the return values are different to the cases when it is called on a PC using a remote connection. Based on the return code Shylock decides to install or not.