Police, security firms team up and take down Shylock malware

The notorious Shylock, a dangerous financial Trojan, has been disrupted due to the efforts of police and security experts.


International law enforcement and security experts have disrupted the activities of the financial Trojan Shylock, according to the UK National Crime Agency (NCA).

Announced on Thursday, the global takedown was led by the NCA alongside the FBI, Europol, Dell SecureWorks, GCHQ, Kaspersky Lab and other security firms. The groups "jointly addressed" the Shylock Trojan, seizing the Command and Control (C&C) servers — which relay instructions to the malware — in a series of stings, as well as taking control of the domains Shylock uses for communication between infected computers.

Shylock is so called because the malicious code contains excerpts from Shakespeare's Merchant of Venice. Security experts at Symantec say that the Trojan is "seen as one of the world's most dangerous financial Trojans", as it is designed to intercept online banking transactions and lift victim credentials in the process.

More advanced than other banking Trojans, Shylock has a targeted distribution network that allows the cyberattackers to infect victims through multiple channels, and the Trojan has been continuously updated in response to countermeasures set by targeted banks. In addition, the malware is modular, allowing criminals to change its functionality quickly and easily.

Shylock is privately owned and has not been seen for sale in underground markets.

The stings were conducted from the European Cybercrime Centre (EC3) at Europol in The Hague, and investigators worldwide from the NCA, FBI, the Netherlands, Turkey and Italy coordinated action in their respective countries, acting at the same time as counterparts in Germany, Poland and France.

Symantec estimates that the cybercriminals behind Shylock have stolen a million dollars from victims over the past three years, with over 60,000 infections being detected in the past year alone. The NCA predicts that Shylock has infected at least 30,000 Windows computers worldwide, with the UK targeted more than any other country.

Symantec's estimates for Shylock's geographical targeting are shown below.

[Figure: Symantec's estimates of Shylock's geographical targeting]

Troels Oerting, head of the European Cybercrime Centre (EC3) at Europol, said:

The European Cybercrime Centre is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure. [..] We have been able to support frontline cyber investigators, coordinated by the UK's NCA, and working with the physical presence of the United States' FBI and colleagues from Italy, Turkey and the Netherlands, with virtual links to cyber units in Germany, France and Poland.
