Shylock, a new Internet banking Trojan, targets UK banks

The Shylock Internet banking Trojan pilfers online banking credentials and data, using innovative new techniques to avoid detection.

If you log into a targeted bank, [Shylock] can record your login information, it can record the contents of the page returned from the bank’s Web server – such as your bank balance – or it could modify the page before it is rendered on the screen.

Amit Klein, CTO, Trusteer

A new Internet banking Trojan has been identified, targeting the customers of approximately half a dozen UK banks, using a combination of clever new techniques to avoid detection and removal.

The Trojan has been detected by specialist security company Trusteer, which already supplies its Rapport security product to a number of UK banks, including HSBC, RBS and Santander’s UK operations.

Trusteer has dubbed the malware Shylock, after the Shakespearian moneylender who demanded his “pound of flesh” as penalty for an unpaid debt. Once installed in a banking customer’s Internet browser, the malware waits for the user to begin an online banking session, and then allows a hacker to steal login information, and also interfere with the traffic between the bank and the customer.

“Shylock sits in the browser. It can passively monitor the user’s traffic, or it can modify the traffic in transit,” said Amit Klein, CTO for Trusteer. “For example, if you log into a targeted bank, it can record your login information, it can record the contents of the page returned from the bank’s Web server – such as your bank balance – or it could modify the page before it is rendered on the screen.”

Klein said the software employs some novel methods to avoid detection and removal by antivirus systems, and also to inject its code into the victim’s browser. “To avoid detection, it has its own rootkit-level monitoring of certain areas of the computer, such as the registry and file system. If you run AV, which scans those areas to find malware, it silently removes its file from those locations so they do not show up in the malware scan,” said Klein. Attacks have so far been detected against both Internet Explorer and Firefox.

Shylock is just the latest in a long series of banking Trojans designed to steal details from online banking users, such as Zeus and SpyEye, which have been in widespread use by attackers over the last year.

Klein said Trusteer has discovered targeted attacks against no fewer than six major UK banks, as well as a number of other overseas financial institutions. “[Shylock] is still in its early days, so we think it is being used by the same gang who wrote it,” he said. “It is still in its initial growth phase, unlike Zeus, which is more mature and widely used.”

Trusteer’s Rapport security software product, which provides protection against Shylock by creating a secure connection between customers’ browsers and banks’ websites, is in use at a number of UK banks, but the product will soon have competition from Ironkey, a provider of secure flash drives. Ironkey has created a downloadable version of its Trusted Access product; similarly; bank customers can load on their PCs to create a secure virtual session for banking.

Kevin Bocek, Ironkey's VP of product marketing, said the product is currently undergoing field trials with a number of UK and European banks, none of which can be named. He said the product will also be enhanced next year to support smartphones, and provide banks with the ability to send one-time passwords to users’ mobile phones as a second authentication factor.

“This type of bank fraud has increased sharply over the last year,” Bocek said. “We need to protect the customer’s computer, because that is where these attacks start. Zeus, SpyEye, Oddjob – you name it – all of these attacks start on the customer’s computer."

Read more on Hackers and cybercrime prevention