Help Net Security – (International) Shylock's new trick for evading malware researchers. The Shylock financial malware platform continues to evolve to bypass new defensive technologies put in place by financial institutions and enterprises. While analyzing a recent Shylock dropper, Trusteer noticed a new trick it uses to evade detection. Namely, it can identify and avoid remote desktop environments – a setup commonly used by researchers when analyzing malware.
The latest Shylock dropper detects a remote desktop environment by feeding invalid data into a certain routine and then observing the error code returned. It uses this return code to differentiate between normal desktops and other "lab" environments. In particular, when executed from a remote desktop session, the return code will be different, and Shylock will not install. It is possible to use this method to identify other known or proprietary virtual/sandbox environments.
Ali Loney is a Senior UX Designer at Walmart Labs. She is based in Canada and was the former Graphic Designer at Sonatype.