NCA disrupts Shylock malware cyber threat

In the world of cybercrime, the stories that tend to make the headlines are generally bad news. However, every now and then a good news story comes along, one that demonstrates how authorities are cooperating effectively, combining resources and hitting back at the criminals who target cyberspace. News broke last week that the National Crime Agency (NCA), in conjunction with authorities in the USA and Europe, has successfully disrupted a cybersecurity threat known as Shylock. The action follows a similar effort led by US authorities last month against the Zeus botnet, which was claimed to have over 1 million computers worldwide. The U.S. authorities are currently seeking Russian national Evgeniy Bogachev in connection with that operation.

The Shylock malware, so named because passages from Shakespeare’s The Merchant of Venice were found within its code, affected more than 30,000 computers worldwide running Microsoft’s Windows operating system. It primarily targeted the online bank accounts of people living in the UK, though users in the U.S., Italy and Turkey were also hit by the malware, which was originally discovered in the latter half of 2011.

The Shylock malware was one of the most sophisticated and fastest-growing threats posed by cyber criminals on record. Over a two-year period its creators built a platform capable of large-scale targeting and theft of sensitive banking data; this information was then used to make fraudulent transactions which are estimated to have cost the banking industry millions of pounds per year. It was ranked as one of the top banking malware types of 2013 by Dell SecureWorks, which assisted the police operation alongside anti-virus provider Kaspersky.

The criminals running the operation distributed the malware through links that led to downloads of it, sent either by spam email or via Skype instant messaging. Once on a system, it would detect when the user was visiting a banking website, create fake login sections of that site and then pilfer the banking logins entered into them. This information would be sent to the criminals, who would siphon off money from the accounts. Shylock could also take screenshots or record videos of specific web pages, and upload stolen information along with data about the infected computer and its installed software.

What caused the greatest concern for the regulating authorities was the scalability of the malware. Shylock’s code framework was constructed in such a way that more powerful upgrades could be added. It combined various best-of-breed malware techniques for stealth and persistence, which resulted in very low detection rates by antivirus products. These techniques were hand-picked from other malware families and evolved over several years of refinement based on ‘in-the-wild’ deployment and successful infection.

The global action to disrupt the malware was led by UK intelligence services, working in conjunction with security experts based in The Hague. Command and control servers for Shylock were located and seized by international law enforcement bodies, including the FBI, the German Federal Police and Europol, and website domains used to control the malware were also shut down, as global cyber police gathered over 9 and 10 July in the operational centre at the European Cybercrime Centre (EC3) at Europol in The Hague.

Speaking about the latest action, Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit, said:
“This phase of activity is intended to have a significant effect on the Shylock infrastructure and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime impacting the UK.”
“We continue to urge everybody to ensure their operating systems and security software are up to date.”
Users who have automatic updating switched on for their Windows machines need not do anything, as this will fix any problems for those infected with Shylock, Mr Archibald said. Anyone concerned about the malware can visit Microsoft’s support page to learn more about disinfection.

If you are concerned about the escalating security challenges facing businesses today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping you assess your security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions, please contact Krypsys on 01273 044072 or [email protected].