The Shylock financial malware has added new evasive capabilities, Trusteer researchers have found.
Shylock can now detect if it is being observed within a remote desktop session or being executed locally, Gal Frishman, the malware analysis team leader at Trusteer, wrote on the company blog on Wednesday. The Shylock dropper feeds invalid data into a certain routine and analyzes the error message to determine what kind of environment it is currently running on.
Depending on the error code it receives back Shylock is able to determine whether the session is a normal desktop or a remote desktop. If it turns out to be a remote desktop, Shylock won’t install itself, making it harder for researchers to analyze the sample, Frishman said.
More specifically, when the dropper is executed locally, the error code returned by the function SCardForgetReaderGroupA(0, 0) is either 0x80100011 (SCARD_E_INVALID_VALUE) or 0x2 (ERROR_FILE_NOT_FOUND). On the remote desktop, the returned code is 0x80100004 (SCARD_E_INVALID_PARAMETER), according to the blog post.
Researchers generally collect malware samples on isolated machines and servers, Trusteer claimed. In many cases, researchers just use remote desktop sessions to access these systems in order to analyze the samples “from the convenience and coziness of their offices,” according to the blog post.
Shylock’s defensive strategy relies on this particular “human weakness,” Trusteer said.
The logic behind this tactic is pretty simple: If the malware doesn’t install on the researcher’s machine in the first place, it is harder for the researcher to analyze it and generate a signature to detect the malware. The dropper can use this method to identify other known or proprietary virtual and sandbox environments as well, Trusteer explained.
Malware strains are increasingly using various approaches to identify the execution environments, Trusteer said. For example, there are several pieces of malware which wont execute or infect a virtual machine. That specific maneuver is based on the fact that many honeypots are virtual machines.
Over the summer, Trusteer identified another financial malware, Tilon, which had added new advanced evasive capabilities. Tilon injects itself into the browser to launch “man in the browser” (MitB) attacks and installs itself as a service with a genuine-looking name and a random executable name. Tilon is one of the strains that won’t install on a virtual machine, according to Trusteer.