Wednesday, September 21, 2011

Sept 21 Greedy Shylock - financial malware

Not one, my lord.
Besides, it should appear, that if he had
The present money to discharge the Jew,
He would not take it. Never did I know
A creature, that did bear the shape of man,
So keen and greedy to confound a man:
(The Merchant of Venice, W. Shakespeare, Act 3, Scene 2)

On September 7, 2011, Trusteer announced it was investigating new financial malware it named Shylock, which "uses unique mechanisms not found in other financial malware toolkits, including: an improved method for injecting code into additional browser processes to take control of the victim's computer; a better evasion technique to prevent malware scanners from detecting its presence; a sophisticated watchdog service that allows it to resist removal attempts and restore operations".

Trusteer called the malware Shylock because of the Shakespeare quotes (from The Merchant of Venice) embedded in the file's version properties:

publisher....: He is ready at the door
copyright....: (c) 2009
product......: He is
description..: So keen and greedy to confound a man

publisher....: To take a tedious leave thus
copyright....: (c) 2008
product......: To take
description..: Exeunt GRATIANO and LORENZO

publisher....: And so riveted with faith unto
copyright....: (c) 2009
product......: And so
description..: And be a day before our husbands home

publisher....: Therefore he hates me
copyright....: (c) 2009
product......: Therefore he
description..: Thou almost makest me waver in my faith

publisher....: Which makes me think that this
copyright....: (c) 2009
product......: Which makes
description..: price of hogs if we grow all to be porkeaters we

publisher....: I humbly do desire your grace
copyright....: (c) 2009
product......: I humbly
description..: The dearest friend to me the kindest man

and so on.

Read more about greedy Shylock from The Merchant of Venice here. Read more about the Shylock malware below.

Exploit information and analysis links

The file is digitally signed with an invalid digital certificate; the CN may vary between samples.

Serial number: 00 df 44 1a bc fc 5b 32 fa
CN = Astothyfriendsforwhendidfriendshiptake
Valid from: Thursday, August 18, 2011 7:08:46 PM
Valid to: Wednesday, May 14, 2014 7:08:46 PM

The CN is itself a line from the play, "As to thy friends; for when did friendship take", with the spaces and punctuation stripped out:

ANTONIO I am as like to call thee so again,
To spit on thee again, to spurn thee too.
If thou wilt lend this money, lend it not
As to thy friends; for when did friendship take
A breed for barren metal of his friend?
But lend it rather to thine enemy,
Who, if he break, thou mayst with better face
Exact the penalty. (The Merchant of Venice, W. Shakespeare, Act 1, Scene 2)
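As an added example (not code from the post or from Trusteer), a small Python triage helper that covers two of the artifacts above: it parses version-info listings in the dotted "key....: value" format and flags the pattern every block on this page shares (the product string is the first two words of the publisher string and the copyright is a bare "(c) year"), and it checks whether a certificate CN is a quoted play line with its non-letters removed. The sample strings are constructed from the listing above; the heuristic names are my own.

```python
import re

# Constructed sample: two of the version-info blocks quoted in the post.
VERSION_INFO = """\
publisher....: He is ready at the door
copyright....: (c) 2009
product......: He is
description..: So keen and greedy to confound a man
publisher....: To take a tedious leave thus
copyright....: (c) 2008
product......: To take
description..: Exeunt GRATIANO and LORENZO
"""

FIELD_RE = re.compile(r"(\w+)\.*: (.*)")


def parse_version_info(text):
    """Split the dotted listing into one dict per record; a new record starts
    at each 'publisher' line, matching how the post lays the blocks out."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "publisher" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def looks_like_shylock_generator(rec):
    """Heuristic (assumption, derived from the blocks above): product equals
    the first two words of publisher and copyright is exactly '(c) <year>'."""
    words = rec.get("publisher", "").split()
    return (len(words) >= 2
            and rec.get("product") == " ".join(words[:2])
            and re.fullmatch(r"\(c\) \d{4}", rec.get("copyright", "")) is not None)


def cn_matches_line(cn, line):
    """True if the certificate CN is the play line with everything but letters removed."""
    return cn == re.sub(r"[^A-Za-z]", "", line)
```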

General File Information

715fb3cef70458b857bd55a0259a1265 - unconfirmed - see this related
File Type: exe

Automated Scans

Original scan: 2011-08-23 17:37:33 (UTC)
Result: 4/44 (9.1%)
Comodo     9847     2011.08.23     TrojWare.Win32.Trojan.Agent.Gen
Kaspersky     2011.08.23     UDS:DangerousObject.Multi.Generic
Symantec     20111.2.0.82     2011.08.23     Suspicious.Cloud.5
MD5   : 4fda5e7e8e682870e993f97ad26ba6b2

Scan dated today:
Submission date: 2011-09-21 20:29:18 (UTC)
Current status: 29/43 (67.4%)
AhnLab-V3     2011.09.21.02     2011.09.21     Win-Trojan/Caphaw.371800
AntiVir     2011.09.21     TR/Agent.hvbv
Avast     4.8.1351.0     2011.09.18     Win32:Malware-gen
Avast5     5.0.677.0     2011.09.18     Win32:Malware-gen
AVG     2011.09.21     Agent3.AETB
BitDefender     7.2     2011.09.21     Gen:Variant.Kazy.35924
CAT-QuickHeal     11.00     2011.09.21     Trojan.Agent.hvbv
Comodo     10196     2011.09.21     TrojWare.Win32.Trojan.Agent.Gen
Emsisoft     2011.09.21     Backdoor.Win32.Caphaw!IK
F-Secure     9.0.16440.0     2011.09.21     Gen:Variant.Kazy.35924
Fortinet     4.3.370.0     2011.09.21     W32/Agent.TDB!tr
GData     22     2011.09.21     Gen:Variant.Kazy.35924
Ikarus     T3.     2011.09.21     Backdoor.Win32.Caphaw
Kaspersky     2011.09.21     Trojan.Win32.Agent.hvbv
McAfee     5.400.0.1158     2011.09.21     Artemis!4FDA5E7E8E68
McAfee-GW-Edition     2010.1D     2011.09.21     Artemis!4FDA5E7E8E68
Microsoft     1.7604     2011.09.21     Backdoor:Win32/Caphaw.A
NOD32     6483     2011.09.21     a variant of Win32/Kryptik.SHX
Norman     6.07.11     2011.09.21     W32/Suspicious_Gen2.QKYDE
nProtect     2011-09-21.02     2011.09.21     Gen:Variant.Kazy.35924
Panda     2011.09.21     Generic Trojan
PCTools     2011.09.21     Trojan.Gen
Sophos     4.69.0     2011.09.21     Troj/Agent-TDB
TheHacker     2011.09.21     Trojan/Agent.hvbv
TrendMicro     9.500.0.1008     2011.09.21     TROJ_GEN.R4FC2IH
TrendMicro-HouseCall     9.500.0.1008     2011.09.21     TROJ_GEN.R4FC2IH
VBA32     2011.09.21     Trojan.Agent.hvbv
VIPRE     10545     2011.09.21     Trojan.Win32.Generic!BT
VirusBuster     2011.09.21     Trojan.Agent!WmW5mI7QqD8
MD5   : 4fda5e7e8e682870e993f97ad26ba6b2

Traffic information from

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 21 Aug 2011 23:48:10 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 39
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=0
Expires: Sun, 21 Aug 2011 23:47:40 GMT

hxxp://additional-group[.]at/client.html

ASN lookup results for the hosts involved (AS number | country | registry | allocation date | AS name):
56485 | UA | ripencc | 2011-03-02 | THEHOST-AS FOP Sedinkin Olexandr Valeriyovuch
15772 | UA | ripencc | 2000-10-10 | WNET LLC W Net Ukraine
15772 | UA | ripencc | 2000-10-10 | WNET LLC W Net Ukraine
15772 | UA | ripencc | 2000-10-10 | WNET LLC W Net Ukraine
6849 | UA | ripencc | 1996-11-29 | UKRTELNET JSC UKRTELECOM,

1 comment:

  1. I think use of the word "Shylock" is not politically acceptable in Europe, due to past atrocities against Jews (the Holocaust, that is). Trusteer Corp. will at least get poor PR for their move and maybe even cancelled contracts. It is truly sensitive; the play is seldom performed due to its alleged Judeo-phobic attributes, although scholars attest the Merchant has at least a semi-sympathetic portrayal of the rich Jew of Venice.

    BTW, it appears the word Shylock is a combination of "Shyster Lok". Thomas Lok was a fraudster who organized a failed treasure hunt expedition to North America, which lost huge money for investors.

    Aristocrat Edward de Vere, the 17th Earl of Oxford, alleged genius author behind the W. Shake-speare "franchise", was among the top losers. The twist is: Thomas Lok was reportedly not a Jew by ethnicity, but Shylock sounds much like it is derived from "Shiloah (hill)", so it was OK as a Jew's name for a play and to harass Lok for eternity.