Notorious Shylock banking malware taken out by law enforcement

Law enforcement action led by the National Crime Agency (NCA) in the UK has knocked out the infrastructure of a banking malware that infected at least 30,000 computers.

The malware is known as Shylock, because of code containing quotes from the character in Shakespeare’s Merchant of Venice.

According to the NCA, which announced the takedown on 10 July, Shylock targeted the UK more than any other country, although the suspected developers are based elsewhere.

The NCA, along with the FBI and agencies in six other countries, seized control of the Shylock command and control (C&C) servers and took over the domains used by Shylock for connections between infected computers.

Shylock has some of the same techniques for stealing banking credentials as its predecessor, the infamous Zeus.

Although not as widespread as the Gameover malware knocked out by law enforcement in June 2014, Shylock had some of the same methods and the same motivation to crack into victims’ bank accounts.

Sophos and other security vendors also know Shylock by another name – Caphaw.

According to SophosLabs threat researcher Savio Lao, Shylock/Caphaw targets banking transactions by intercepting your web traffic and injecting HTML code into banking web pages to alter their contents.

Shylock/Caphaw even verifies user credentials by filling in the bank form with the stolen information to make sure the bank recognizes the numbers, Savio tells us.


Beating the botnets

Because cybercriminals control all the computers in a botnet, they can command them to do anything at all, including sending out spam that could compromise even more users and expand the botnet further.

The good news is that, because the Shylock C&C servers were seized by authorities, no new instructions can reach the compromised computers – so the Shylock botnet has been effectively neutralized.

Botnet takedowns like Gameover and Shylock are an effective measure for stopping a botnet from spreading malware to new users, but such takedowns rarely stop the malware authors from writing new malware and building new botnets.

One month after the Gameover takedown, SophosLabs has already seen a new variant spreading via spam.

To learn more about botnets, listen to our podcast embedded above, and read our other articles about two of the biggest and most dangerous botnets – Zeus and Gameover.

By the way, if your computer was compromised by Shylock/Caphaw, the malware is still on your computer, even if it no longer has any servers to call home to for further instructions.

Having malware on your computer, even apparently dormant malware, is a bad idea, not least because the crooks (or their protégés) might be able to revive the “net” part of the botnet at any time.

To check your PC for malware, try downloading the free Sophos Virus Removal Tool – it will scan for malware and remove it in a matter of minutes.
