The Shylock banking trojan now travels by Skype
The banking trojan Shylock has found itself a new distribution channel – Skype. The security firm CSIS recently discovered a Shylock module called "msg.gsm" trying to use the VoIP software to infect other computers. If successful, the malware then sets up a typical backdoor. The module tries to send Shylock as a file, bypassing warnings from the Skype software by confirming them itself and cleaning any generated messages from the Skype history.
Once the trojan has been transferred, it connects to a command and control server, which can instruct it to install a VNC server allowing remote control of the computer, get cookies, inject HTTP code into web sites being browsed, spread Shylock over removable drives, or upload files to a server.
The epicenter of infections is, according to CSIS, the UK. The operators prefer to focus on just a few countries rather than handling widespread random infections in many countries. The use of chat-based transmission, be it Skype or MSN Messenger or Yahoo, tends to increase that focus as people stay connected with friends who are usually within their own region.
On VirusTotal, the system which runs code past a range of anti-virus software, the Skype module was not detected by any of the 46 different scanning engines on Thursday morning. At the time of writing, the most recent VirusTotal test shows 15 of the engines now detecting it. CSIS calls Shylock one of the most advanced online banking trojans and one that is being continually updated with new features. They also note that the emergence of a Skype-enabled Shylock alongside Microsoft's announcement that it is migrating Messenger users to Skype "does not seem completely coincidental".