Shylock is polymorphic financial malware that uses the random Shakespeare quotes to change its virus signature; making it able “to almost completely avoid detection by Anti-Virus scanners after installation”, according to Trusteer’s Amit Klein.
It uses additional rootkit functionality to avoid detection. Firstly, it hides its operation by injecting itself into running applications. It is the application that runs, not the Shylock code as a separate process, making it difficult to detect.
Secondly, it ‘watches’ for indications of an anti-virus scan in process. If it detects this, it deletes its own files and registry entries from the disk, remaining active only in memory.
Thirdly, it survives a system shutdown and reboot (which would eliminate the virus when it is only active in memory) by highjacking the Windows shutdown procedure. It effectively re-installs itself after all other applications, including the anti-virus, have closed but before Windows actually shuts down. Klein notes that unplugging the power source after instigating a malware scan to trigger its own removal from the disk will “clean the memory and also the Shylock infection;” but adds, “we do not recommend this as a malware removal practice!”
Other anti-malware companies have not so far noted any significant increase in Shylock infections. “We've seen no sign of an increase in reports,” says Sophos. “At the moment,” says AVAST, “it is impossible to find the samples and verify if others also detect it.” The malware is known as Trojan.Shylock by Symantec, Backdoor:Win32/Caphaw.A by Microsoft, and TROJ_SHYLOCK.A by Trend. Sophos detects it as a variant of Zbot or Troj/Agent.
Editor's Note: It is important to note that during the research process carried out whilst writing this report, we were unable to find any other vendor or source noting this same increase.