Shylock Malware Knows When It's Being Watched, Trusteer Says

A financial malware platform has the sneaky ability to evade detection when threat researchers are attempting to ferret it out.

The devious software, Shylock, recently gained the ability to sense when an IT person is trying to remediate the malware over a remote desktop connection, said computer security company Trusteer, which discovered the strain last year. Threat researchers often place malware on separate offsite machines, accessed remotely, in order to analyze the software. This feature of Shylock foils those attempts.

Trusteer named the code Shylock because it automatically puts random excerpts from Shakespeare's The Merchant of Venice in its binary.

Once it realizes it's been detected, Shylock simply stops doing its thing -- which could range anywhere from sending personal files out over the internet to setting up a wire transfer in your name.

"This particular piece of malware can tell if it's sitting on a machine that someone is trying to access using remote desktop," says George Tubin, a senior security strategist at Trusteer. "It's just another one in a long line of things that malware does to evade all of the different approaches to try and find [it]."

Banks are particularly important targets for thieves, some of whom are using the program.

"They are still one of the main targets for malware writers," says Tubin. "We see cyber criminals going after bank employees."

A way to beat Shylock: use applications that constantly monitor for malware on your desktop. An active application that constantly searches for malware wouldn't be detected unless someone else was remoting into that computer, Trusteer says.
