FBI Brings Down ‘Shylock’ Banking Trojan

In yet another case of a financial trojan hitting the Internet this month, the FBI announced this week that it had dismantled the command and control networks used to distribute the Shylock banking malware, in a joint effort with Europol and the UK’s National Crime Agency.

Shylock gets its name from the bits of code that contain excerpts from Shakespeare’s Merchant of Venice, and while no one is entirely certain why the hackers behind the program chose that specific play as a point of reference, its ability to infect more than 30,000 machines in three years just goes to show that even one of the oldest plays in the history of theater can still pack one hell of a punch in the modern era.

Its modular, highly customizable nature made it nearly impossible for individual security teams to make a dent in the trojan’s capabilities on their own. Its method of replication in particular was often ten steps ahead of law enforcement, both in its sophistication and in the basic technology that kept it in operation for as long as it stayed alive and kicking.

Other private participants in the takedown included Kaspersky Lab and Dell SecureWorks, who worked closely with government officials in the concerted effort to cut the trojan off at its source before the attackers had a chance to react or properly cover their tracks.

Symantec, which led the research teams tasked with measuring the damage Shylock has caused since it first went live in 2011, estimates that millions of dollars have been pilfered from the thousands of machines affected by the malware, and that the advanced nature of the code prevented anyone who lost money from reporting their losses until it was already too late.

Symantec also provided a detailed breakdown of which countries were hardest hit by the bug on their website.

Photo: Symantec

No arrests have been made in conjunction with the investigation, though Europol claims it was able to gather enough information while the sting was in action to gain a deeper understanding of the hacker ring’s whereabouts, and should be able to hand down search warrants and convictions within the month.

Troels Oerting, head of the European Cybercrime Centre (EC3) at Europol, was elated about the results his organization was able to achieve while the crackdown was still in progress:

“The European Cybercrime Centre is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure. [...] We have been able to support frontline cyber investigators, coordinated by the UK’s NCA, and working with the physical presence of the United States’ FBI and colleagues from Italy, Turkey and the Netherlands, with virtual links to cyber units in Germany, France and Poland.”

Heimdal Security has since released a tool for the general public that allows users and small businesses to detect whether their networks have been affected by Shylock or its associated variants.