Twenty-four banks across Europe and the US have recently been targeted by Shylock - aka Capshaw - financial malware that has actively been going after bank accounts since 2011.
The countries with the highest number of infections are the UK, Italy, Denmark and Turkey.
Sachin Deodhar and Chris Mannon, researchers from Zscaler's ThreatLabZ, have reported this upswing in activity, but say they are currently unable to identify the initial infection vector.
"We can tell that it is more than likely arriving as part of an exploit kit honing in on vulnerable versions of Java. The reason we suspect this is that the user-agent for every single transaction that has come through our Behavioral Analysis solution has been: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07."
Shylock avoids detection as it injects itself into legitimate processes; for example, explorer.exe or iexplore.exe. At the same time, it obfuscates its phone home traffic by employing a domain-generated algorithm (DGA) to create addresses using self-signed SSL certificates.
In this way, a traditional network monitoring solution's ability to dissect the packets on the wire for any malicious transactions is limited.
The use of DGA in malware is not new. These algorithms are used by other malware families to periodically generate a large number of domain names that can be used as rendezvous points with their controllers.
The victims
Bank of Scotland
Barclays Bank
First Direct
Santander Direkt Bank AG
First Citizens Bank
Bank of America
Bank of the West
Sovereign Bank
Co-operative Bank
Capital One Financial
Chase Manhattan
Citi Private Bank
Comerica Bank
E*Trade Financial
Harris Bank
Intesa Sanpaolo
Regions Bank
SunTrust
Bank of Ireland Group Treasury
US Bancorp
Banco Mercantil, SA
Varazdinska Banka
Wintrust Financial
Wells Fargo Bank
The myriad points makes it extremely hard for law enforcement to effectively shut down botnets since infected machines will try to contact some of these domain names every day to receive updates or commands.
Notorious malware families and botnets, such as PushDo, Zeus and TDL/TDSS, also employ DGA to target financial institutions, and carry out targeted attacks.
Preventing infection
John McLoughlin, MD of J2 Software, which distributes Zscaler locally, says cyber criminals go to great lengths to create malware that scam users more effectively. "However, many of these threats are just tweaked updates of old ones, with added functionality. With the right protection and a little savvy, users can avoid just about all threats out there."
He advises users to always make sure their devices are updated and secure, with a good anti-malware product. "Be sceptical of random pop-up windows, error messages and attachments. Even mails from trusted sources that don't seem quite right. Get rid of spam - identify spam, and mark it as such to avoid getting more in the future."
Also, McLoughlin says to think before installing new software. "Make sure any software you want to install is legit, and don't download from a source you don't trust 100%. Use common sense - behave online as you do in real life. Trust your instincts."
Share
