Three clever mechanisms allow it to remain undetected

Feb 21, 2012 16:03 GMT  ·  By

Trusteer researchers found that the piece of malware known as Shylock, so named because each new variant contains random quotes from Shakespeare's "The Merchant of Venice", has infected a large number of devices in the past several weeks. Further investigation revealed the clever mechanisms that allow the malicious code to remain undetected by security software.

According to experts, Shylock, known for targeting financial information on victims’ computers, uses a three-step technique to ensure that it can almost completely avoid detection.

First of all, it injects itself into every process running in memory. Each time a new application is executed, the malware makes its way into the process before the program actually starts.

This technique not only allows it to remain undetected, but also makes it difficult to remove with conventional antivirus software, because it is embedded in a large number of processes.

Another clever way of hiding from security applications is by continuously monitoring directory browsing and the enumeration of registry keys. Since both operations can indicate an antivirus scan in progress, each time they are detected, Shylock removes itself from the registry.

In theory, if it removes itself from the registry, it won’t be able to make its way into memory the next time the computer is started, which means the infection is eliminated. However, Shylock’s creators came up with a way of ensuring that this doesn’t happen.

The malware attaches itself to the shutdown process and reinstates all its files and registry keys before allowing the computer to turn off. Researchers noticed that if the device is unplugged from the wall socket and the operating system doesn’t complete the shutdown sequence, the infection is eliminated.

Trusteer Rapport users are not vulnerable to these types of attacks thanks to the advanced detection engines and multiple layers of defense.