Slashdot Mirror


Shifu Banking Trojan Has an Antivirus Feature To Keep Other Malware At Bay

An anonymous reader writes: Shifu is a banking trojan that's currently attacking 14 Japanese banks. Once it has infected a victim's machine, it will install a special module that keeps other banking-related trojans at bay. If this module sees suspicious, malware-looking content (unsigned executables) from insecure HTTP connections, it tries to stop them. If it fails, it renames them to "infected.exx" and sends them to its C&C server. If the file is designed to autorun, Shifu will spoof an operating system "Out of memory" message.
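The summary above names two artefacts of Shifu's interceptor module: unsigned executables fetched over plain HTTP are the files it targets, and a file it blocks is renamed to "infected.exx". The following is an added example, not code from the story or from the researchers who analysed Shifu, of hunting for those artefacts in combined proxy and endpoint telemetry; the key=value log format, host names and URLs are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): one proxy "download" record per
# fetched executable and one endpoint file event per rename/create. The
# key=value line format is an assumption made for this example.
SAMPLE_LOG = """\
ts=1 type=download host=WS01 url=http://dl.example.test/update.exe signed=no
ts=2 type=file_rename host=WS01 src=C:\\Users\\a\\Downloads\\update.exe dst=C:\\Users\\a\\Downloads\\infected.exx
ts=3 type=download host=WS02 url=https://files.example.test/setup.exe signed=no
ts=4 type=file_create host=WS02 path=C:\\ProgramData\\INFECTED.EXX
ts=5 type=download host=WS03 url=http://mirror.example.test/tool.exe signed=yes
ts=6 type=file_rename host=WS03 src=C:\\Temp\\tool.exe dst=C:\\Temp\\tool_old.exe
"""

TOKEN = re.compile(r"(\w+)=(\S+)")
EXE_EXT = (".exe", ".dll", ".scr")
MARKER = "infected.exx"  # name Shifu's module gives to binaries it blocks (from the story)


def parse(log):
    """Turn each non-empty key=value line into a dict."""
    return [dict(TOKEN.findall(line)) for line in log.splitlines() if line.strip()]


def is_exposed_download(ev):
    """Unsigned executable fetched over plain HTTP: the class of file Shifu's
    module intercepts, and a download-policy gap worth flagging on its own."""
    url = ev.get("url", "").lower()
    return (ev.get("type") == "download" and url.startswith("http://")
            and url.endswith(EXE_EXT) and ev.get("signed") == "no")


def is_marker_event(ev):
    """Any create or rename whose target file name is infected.exx (case-insensitive)."""
    target = ev.get("dst") or ev.get("path") or ""
    name = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ev.get("type") in ("file_rename", "file_create") and name == MARKER


def hunt(log):
    """Return (host, severity, message) alerts, escalating a marker event when the
    same host previously pulled an unsigned executable over HTTP."""
    exposed = defaultdict(list)
    alerts = []
    for ev in sorted(parse(log), key=lambda e: int(e["ts"])):
        if is_exposed_download(ev):
            exposed[ev["host"]].append(ev["url"])
            alerts.append((ev["host"], "medium", "unsigned exe over http: " + ev["url"]))
        elif is_marker_event(ev):
            ctx = exposed.get(ev["host"])
            sev = "critical" if ctx else "high"
            msg = "infected.exx written" + (" after " + ctx[-1] if ctx else "")
            alerts.append((ev["host"], sev, msg))
    return alerts


if __name__ == "__main__":
    for host, sev, msg in hunt(SAMPLE_LOG):
        print(f"[{sev}] {host}: {msg}")
```

The HTTPS download on WS02 is deliberately not flagged, which mirrors the open question in the thread about what the module does with unsigned binaries served over a valid TLS connection.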

60 comments

  1. Old news by Anonymous Coward · · Score: 0

    Yawnie Kataya

    1. Re:Old news by barbariccow · · Score: 2

      Kinda reminded me of Welchia from 2003. It infected computers and patched them: https://en.wikipedia.org/wiki/...

  2. Misleading by Anonymous Coward · · Score: 0

    If the file is designed to autorun, Shifu will spoof an operating system "Out of memory" message.

    Which operating system?

    1. Re: Misleading by Frankzy · · Score: 1

      Acorn?

    2. Re:Misleading by olsmeister · · Score: 1

      Well, since one of the things it does is wipe the local System Restore Point, I'm guessing Windows.

    3. Re:Misleading by NotQuiteReal · · Score: 1

      Yes, summary is incorrect. The specific message is not "Out of memory", but rather "640K ought to be enough for anybody."

      --
      This issue is a bit more complicated than you think.
  3. Microsoft and XP by Qzukk · · Score: 2

    Microsoft ought to issue one last update for XP to replace IE's "this site is broken and sucks shit" message with "this browser is broken and you need to upgrade to access secure sites"

That's the only way I'll ever be able to remove support for XP's https implementation from my servers (or until 2020 or so when the last of the XP boxes finally have their hard drive fail and a new computer bought)

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Microsoft and XP by KGIII · · Score: 1

      What they OUGHT to do is open it up and allow the community to maintain it. I mean, yeah, if we're going to be making wishes we might as well go big. Can you imagine how much attention that would get them? Free publicity, pretty much free at any rate, is generally a great thing - sometimes even when it is negative publicity. Then, maybe, they can open up IE and let you port the newer versions to XP. Heck, they'd probably work by default but are intentionally made to not install on older operating systems.

      I do not see this happening. There's the Shared Source Initiative but I don't think that's really going to cover it.

      --
      "So long and thanks for all the fish."
    2. Re:Microsoft and XP by TechnoJoe · · Score: 0

      That's the only way I'll ever be able to remove support for XP's https implementation from my servers

No, what you need is your boss/company/whatever to adopt a sane support policy. That's what my company did with Win98. The day after MS support ended we politely told our customers, "Windows 98 is so old that even Microsoft doesn't support it. Therefore, we cannot support it either."

      There's a very good reason for this. Let's say we screw something up, and we need to make-it-right for the customer. Without support from MS, we're completely on our own with no fallback and no one to rely on. Could we probably fix it? Sure, but how much more are we on the hook if we run into trouble? How unlimited are our losses if we can't fix it?

  4. Trojan Price-war by Anonymous Coward · · Score: 1

    Eventually, criminal gangs producing malware will fight in the market by producing malwares that keep the competitors out, and we will have a Trojan Horse Price-war, where people will opt to keep those malwares that steal the least amount of money, while keeping the most amount of other malware out of their computer. Interesting change in development.

    1. Re:Trojan Price-war by Anonymous Coward · · Score: 2, Funny

      Yeah, but which one keeps McAfee out?

    2. Re:Trojan Price-war by MickyTheIdiot · · Score: 1

      The one that cuts off his supply of blow and girls.

    3. Re:Trojan Price-war by bob_super · · Score: 3, Interesting

      > people will opt to keep those malwares that steal the least amount of money, while keeping the most amount of other malware out of their computer

      There's already a name for that protection racket, it's called an anti-virus subscription.

    4. Re:Trojan Price-war by fredgiblet · · Score: 1

      And the Free Market fixes everything again! Praise Adam Smith!

  5. And so it begins by DFDumont · · Score: 3, Interesting

    This is the first published report I've seen regarding a technique I've been promoting for a decade. Inoculation. If you find an infected machine, take control and fix it. Slashdot commenters universally reply to this technique with sarcasm, warnings of legal action or downright vitriol but the technique stands as the only way to move forward. The best defense after all is an offense and all current and future planned security activities are reactive in nature. As long as you wait for all the other machines to be patched and comply with security best practices, you will never stop waiting and your services will be under attack.
    There was a small script I wrote a number of years back when I first got broadband access at my home. My firewall was being inundated by attacks from the metro loop so I wrote something that scanned the source IP for well-known exploits. If one was found, it used said exploit to take enough control to put a system level dialogue box up that said "Your machine has been infected by a virus - please fix this immediately", and then listed the virus it used to gain access. This ran for about a month until my provider called me and asked me to desist.

    1. Re:And so it begins by sinij · · Score: 1

      Can you please infect my elderly mother's computer too?

    2. Re:And so it begins by Anonymous Coward · · Score: 0

      Cool story bro. Except the made up parts.

      Incidentally, good on your ISP berating you for acting like an utter shitdick. "If you find a hacked machine, hack it yourself in an attempt to unhack the machine! That certainly won't have any legal consequences if you get caught, even though in my own little anecdote I was actually told to 'desist' by my ISP for the same douchenozzle behaviour."

      "The best defense after all is an offense," give me a fucking break. Computer security isn't football with a bunch of pituitary retards banging their skulls together.

    3. Re:And so it begins by Anonymous Coward · · Score: 0

      I'm glad someone is calling out all the BS on here. Yeah right, he wrote a "small script" that "scanned IPs for known exploits" and "brought up a system level (wtf) dialog box" on infected machines. And the ISP cared enough to investigate it and tell him to stop.

    4. Re:And so it begins by Applehu+Akbar · · Score: 1

      " If one was found, it used said exploit to take enough control to put a system level dialogue box "

      Your reclassification by the multitudes as a feminine hygiene product was occasioned by the fact that every scareware spammer out there begins by displaying the same dialog box you just did. Grandma User has no idea that you might be actually fixing her machine, rather than following up with the usual non-negotiable demand to send Bitcoin ransom to some Tor node in the Peoples' Republic of Ongabonga.

    5. Re:And so it begins by Anonymous Coward · · Score: 0

      Your only mistake here was to keep on scanning from your own machine.

      Code that brilliant should have been made into a worm and set free.

      I am not a lawyer, and this advice certainly some stupid laws somewhere, and can get you in trouble.

    6. Re:And so it begins by Anonymous Coward · · Score: 1

      A "small script" that "scanned the source IP for well-known exploits" and popped up a "system level dialogue box."

      Really.

People are modding this shit as insightful? He made it up. He had a reasonable point, then he tried to reinforce it with a bunch of made up bullshit.

    7. Re:And so it begins by Anonymous Coward · · Score: 0

Or you could just whitelist your executables like most people do nowadays instead of expecting some white knight to write a virus to fix other virii..... It's become painfully obvious that AV software doesn't do its job anymore and end users can't be trusted to pay attention to anything. So whitelist your software, lock people out of everything they don't need, and 99% of your virus problems will disappear.

      If you don't believe this idea is workable then you need to take a look at the Crypto virus. This is exactly how to handle blocking such a large problem as Crypto and the end result is that it deals with so many other problems as well.

    8. Re:And so it begins by Krishnoid · · Score: 1

      1. As long as you wait for all the other machines to be patched and comply with security best practices
      2. you will never stop waiting
      3. guaranteeing recurring subscriptions to your antivirus software
      4. and your services will be under attack
      5. guaranteeing continuous future employment defending against such attacks
      6. Profit!
    9. Re:And so it begins by JustAnotherOldGuy · · Score: 1

      Sounds like utter bullshit to me.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    10. Re:And so it begins by plover · · Score: 3, Informative

If this was 20 years ago, such things were both possible and actually not all that hard. Windows 95 allowed just about anyone to whip up a system modal dialog box. And I think there was a way to create one over port 139 using SMB.

      --
      John
    11. Re:And so it begins by Anonymous Coward · · Score: 1

      I find your story hard to believe, but I'll address your point about inoculation.

It sounds like a good idea, but let me ask you this: When (not if) your inoculator script breaks something important, whose fault is that?

      Are you willing to accept the responsibility if anything breaks? Are you willing to accept the responsibility for death or disability if your script happens to bring a vital machine down?

You could argue that if your script caused that kind of trouble it was only a matter of time until it happened anyway.

But it didn't until you (hypothetically) played cowboy and instead of alerting the proper authorities, you went poking holes into things and got someone killed.

      Think about that for a second.

    12. Re:And so it begins by Anonymous Coward · · Score: 2, Funny

      You should have stayed behind seven proxies, bro.

    13. Re:And so it begins by Anonymous Coward · · Score: 0

      OP mentions broadband.

      You'd have to be someone really special to have broadband at home 20 years ago. If I remember correctly, the fastest we had was the blazing fast 28k dialup at the time.

    14. Re:And so it begins by Anonymous Coward · · Score: 0

      The script activity is probably what attracted his ISP's attention, not what he was doing to the luser boxes.

    15. Re:And so it begins by Anonymous Coward · · Score: 0

      back in the day this was entirely doable. machines without firewalls and open access to winders rpc ports. Actually you could probably do this to machines with winders and open rpc ports today

    16. Re:And so it begins by barbariccow · · Score: 1

      Fake. No way the ISP contacted you, especially back in the day before deep-packet inspection. Tell it better next time.

    17. Re:And so it begins by Anonymous Coward · · Score: 0

It was still common in 2002-2003 that people were using broadband without a router here in Sweden, and if you were on the same lousy ISP (comhem) there was no protection between customers, so you could do a "net send" to tell them if they were open to exploits.

    18. Re:And so it begins by Anonymous Coward · · Score: 0

      You're not a very good liar for a low-ID luser.

    19. Re:And so it begins by Anonymous Coward · · Score: 0

      >implying a sysadmin didn't contact his ISP to complain about being made to look like a fool

    20. Re:And so it begins by DFDumont · · Score: 1

      And you all missed the point. You focused on the story that occurred back in the late nineties when people used to plug their Win95 machines directly into the broadband modem.

      THE POINT WAS that inoculation is a valid response to security threats. If the malware perpetrators can take control of a PC behind a corporate firewall, there is nothing stopping that from being less about exploitation and more about service. Furthermore until we in the profession of IT give up our dependence on reactive techniques to deal with security threats, and move in the direction of actively recapturing the BOTs being used against us, we will continue to have an unending list of major security breaches.

      How long do you think it will go before the government steps in and begins the process of setting up regulation?

  6. A Good Antivirus by Anonymous Coward · · Score: 5, Funny

    I have been looking for a good antivirus for a while now. Is this free and where can I download it? //Signed//
    A Concerned User

7. Industry imitates life by rmdingler · · Score: 4, Insightful

    A Darwin virus, which expands the likelihood of its own survival by diminishing the survival rate of a competitor for the same resources.

    Very interesting!

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Industry imitates life by moeinvt · · Score: 1

Definitely interesting, and it employs (AFAIK) unique methods for preventing other malware from being installed. The idea of "eliminating the competition" isn't anything new for malware however. Many malware packages have included pirated copies of commercial anti-virus type software to nuke any known competitors. I think the Anna K. virus might have had that feature.
      I remember a security researcher quoting people with infected PCs who said that their machines were running "better than ever".

    2. Re:Industry imitates life by rmdingler · · Score: 1

      I remember a security researcher quoting people with infected PCs who said that their machines were running "better than ever".

      What a clever way to infiltrate computer systems without arousing suspicion.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    3. Re:Industry imitates life by tsotha · · Score: 1

      Seems like a lot of extra work. I wonder if they lifted the AV code from someone else.

  8. Very apt name for Portuguese speakers by Flavianoep · · Score: 1, Funny

    Shifu sounds a lot like the Portuguese curse: "se fu...", which translates like "you're f--- up"!

    --
    Linux is for people who don't mind RTFM.
    1. Re:Very apt name for Portuguese speakers by Cutriss · · Score: 4, Informative

      "Shifu" isn't the Japanese word for "thief", it's just the romanized word "thief". It's about as intelligent as saying that the Japanese word for "basketball" is "basukettobooru."

      IBM's X-Force either thinks they're being funny or clever, and it's really neither.

      --
      "Mod, mod, mod...and another troll bites the dust."
    2. Re:Very apt name for Portuguese speakers by TheP4st · · Score: 2

      Shifu is used in several Chinese dialects to express respect for someone's skill, for example by students of martial arts as a way of addressing their master.

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    3. Re:Very apt name for Portuguese speakers by Flavianoep · · Score: 1

      On a related remark, for many people who don't speak Chinese, Shifu is the name of a red panda who fights kung fu.

      --
      Linux is for people who don't mind RTFM.
    4. Re:Very apt name for Portuguese speakers by HideyoshiJP · · Score: 1

      Yes, but in Japan, word play is the highest form of humor.

    5. Re:Very apt name for Portuguese speakers by Spy+Handler · · Score: 1

      Shi Fu is what the Uma Thurman character affectionately called Pai Mei (the Kung Fu master) in Kill Bill. Shi Fu eventually taught her the Five-point-palm-heart-exploding technique.

    6. Re:Very apt name for Portuguese speakers by Anonymous Coward · · Score: 0

      Totally agree...but I think IBM should've named it TIFU.

  9. It's an app that apps other apps! by Anonymous Coward · · Score: 0

    Someone should write an app that apps this app so you can app all the apps while apping apps!

    Apps!

    1. Re:It's an app that apps other apps! by bob_super · · Score: 1

      My computer is safe: I only run programs.

  10. Banking trojan attacking Japanese banks? by nickweller · · Score: 1

I would have thought a software trojan attacked defects in a specific Operating System and we all know which one .. ref

  11. Which operating system? by Anonymous Coward · · Score: 0

@Anonymous Coward: "If the file is designed to autorun, Shifu will spoof an operating system "Out of memory" message.

    Which operating system?"

    How dare you criticise Microsoft - ya commie bastard !!!

  12. SmartScreen Application Reputation by tepples · · Score: 1

    If this module sees suspicious, malware-looking content (unsigned executables) from unsecure HTTP connections

    In other words, it's similar to the "SmartScreen Application Reputation" feature in recent IE and Windows 8 and later. I wonder what it does for unsigned executables from an HTTPS connection with a valid certificate, such as executables that come from Dropbox or an indie game developer's website.

    1. Re:SmartScreen Application Reputation by Anonymous Coward · · Score: 0

      if $is_open_source {
                block_that_shit()
      }

  13. If Cyril Figgis says he can remove it by Anonymous Coward · · Score: 0

    Let him try!

  14. What the fuck People... by Rainwulf · · Score: 1

Fucking virus writers can write better anti-malware programs than the big companies!!

    1. Re:What the fuck People... by Anonymous Coward · · Score: 0

      They don't have to worry about false positives.

    2. Re:What the fuck People... by Anonymous Coward · · Score: 0

      TFA describes what the creators of that part of Shifu intended it to do. That doesn't mean it's good or 100% successful, but that was its aim.

  15. Best antivirus on the planet? Hosts by Anonymous Coward · · Score: 0

    Stops you being infected @ all blocking threats online: APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community - using something you already have vs. "bolting on browser addons 'MOAR' that's usermode slower & increases messagepassing, cpu + ram overuse overheads!

    * :)

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model also https://www.virustotal.com/en/...

    ---

    "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    PERTINENT QUOTE/EXCERPT:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    (Accept NO substitutes!)

    ...apk