“When analyzed, during an investigation, we noticed that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype,” said CSIS researcher Peter Kruse, in a blog. “This allows the malicious Trojan-banker to infect more hosts and continue to be a prevalent threat. Also, the timing does not seem completely coincidental as Microsoft just recently announced that they are discontinuing their Messenger solution and replacing it with Skype.”
Shylock is one of the most advanced trojans currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly, Kruse noted. A recent example of this is its evolution to recognize lab environments.
That said, Kruse and his team found that Shylock is now active in only a few parts of the world, with the epicenter of infections located in the UK. “If we look at sinkhole data collected by CSIS, it becomes quite clear that the attackers prefer to focus only on a few countries instead of random infections in different countries,” he said.
The Skype integration actually enhances the localization, Kruse noted. Past infections – from worms spreading across MSN Messenger, Yahoo! or any other real-time chat program – show that people have a tendency to stay connected with friends who are usually within their own region, allowing outbreaks to be contained locally.
The Skype replication is implemented with a plugin called "msg.gsm". This plugin allows the code to spread through Skype and adds a variety of add-on functions.
“Besides from utilizing Skype it will also spread through local shares and removable drives,” Kruse added. “Basically, the C&C functions allow the attacker to execute files, get cookies, inject HTTP into a website, setup VNC, spread through removable drives, uninstall, update C&C server list and upload files.”
Worryingly, anti-virus detection is low for the trojan, which garnered zero detections out of 46 programs on VirusTotal.