Slashdot Mirror

← Back to Stories (view on slashdot.org)

Shifu Banking Trojan Has an Antivirus Feature To Keep Other Malware At Bay

Posted by Soulskill on from the probably-more-effective-than-actual-AV-solutions dept.

An anonymous reader writes: Shifu is a banking trojan that's currently attacking 14 Japanese banks. Once it has infected a victim's machine, it will install a special module that keeps other banking-related trojans at bay. If this module sees suspicious, malware-looking content (unsigned executables) from unsecure HTTP connections, it tries to stop them. If it fails, it renames them to "infected.exx" and sends them to its C&C server. If the file is designed to autorun, Shifu will spoof an operating system "Out of memory" message.

37 of 60 comments (clear)

  1. Re: Misleading by Frankzy · · Score: 1

    Acorn?

  2. Microsoft and XP by Qzukk · · Score: 2

    Microsoft ought to issue one last update for XP to replace IE's "this site is broken and sucks shit" message with "this browser is broken and you need to upgrade to access secure sites"

    That's the only way I'll ever be able to remove support for XP's https implementation from my servers (or until 2020 or so when the last of the XP boxes finally have their harddrive fail and a new computer bought)

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Microsoft and XP by KGIII · · Score: 1

      What they OUGHT to do is open it up and allow the community to maintain it. I mean, yeah, if we're going to be making wishes we might as well go big. Can you imagine how much attention that would get them? Free publicity, pretty much free at any rate, is generally a great thing - sometimes even when it is negative publicity. Then, maybe, they can open up IE and let you port the newer versions to XP. Heck, they'd probably work by default but are intentionally made to not install on older operating systems.

      I do not see this happening. There's the Shared Source Initiative but I don't think that's really going to cover it.

      --
      "So long and thanks for all the fish."
  3. Re:Misleading by olsmeister · · Score: 1

    Well, since one of the things it does is wipe the local System Restore Point, I'm guessing Windows.

  4. Trojan Price-war by Anonymous Coward · · Score: 1

    Eventually, criminal gangs producing malware will fight in the market by producing malwares that keep the competitors out, and we will have a Trojan Horse Price-war, where people will opt to keep those malwares that steal the least amount of money, while keeping the most amount of other malware out of their computer. Interesting change in development.

    1. Re:Trojan Price-war by Anonymous Coward · · Score: 2, Funny

      Yeah, but which one keeps McAfee out?

    2. Re:Trojan Price-war by MickyTheIdiot · · Score: 1

      The one that cuts off his supply of blow and girls.

    3. Re:Trojan Price-war by bob_super · · Score: 3, Interesting

      > people will opt to keep those malwares that steal the least amount of money, while keeping the most amount of other malware out of their computer

      There's already a name for that protection racket, it's called an anti-virus subscription.

    4. Re:Trojan Price-war by fredgiblet · · Score: 1

      And the Free Market fixes everything again! Praise Adam Smith!

  5. And so it begins by DFDumont · · Score: 3, Interesting

    This is the first published report I've seen regarding a technique I've been promoting for a decade. Inoculation. If you find an infected machine, take control and fix it. Slashdot commenters universally reply to this technique with sarcasm, warnings of legal action or downright vitriol but the technique stands as the only way to move forward. The best defense after all is an offense and all current and future planned security activities are reactive in nature. As long as you wait for all the other machines to be patched and comply with security best practices, you will never stop waiting and your services will be under attack.
    There was a small script I wrote a number of years back when I first got broadband access at my home. My firewall was being inundated by attacks from the metro loop so I wrote something that scanned the source IP for well-known exploits. If one was found, it used said exploit to take enough control to put a system level dialogue box up that said "Your machine has been infected by a virus - please fix this immediately", and then listed the virus it used to gain access. This ran for about a month until my provider called me and asked me to desist.

    1. Re:And so it begins by sinij · · Score: 1

      Can you please infect my elderly mother's computer too?

    2. Re:And so it begins by Applehu+Akbar · · Score: 1

      " If one was found, it used said exploit to take enough control to put a system level dialogue box "

      Your reclassification by the multitudes as a feminine hygiene product was occasioned by the fact that every scareware spammer out there begins by displaying the same dialog box you just did. Grandma User has no idea that you might be actually fixing her machine, rather than following up with the usual non-negotiable demand to send Bitcoin ransom to some Tor node in the Peoples' Republic of Ongabonga.

    3. Re:And so it begins by Anonymous Coward · · Score: 1

      A "small script" that "scanned the source IP for well-known exploits" and popped up a "system level dialogue box."

      Really.

      People are modding this shit as insightful? He made it up. He had a reasonable point, then he tried to re-inforce it with a bunch of made up bullshit.

    4. Re:And so it begins by Krishnoid · · Score: 1

      1. As long as you wait for all the other machines to be patched and comply with security best practices
      2. you will never stop waiting
      3. guaranteeing recurring subscriptions to your antivirus software
      4. and your services will be under attack
      5. guaranteeing continuous future employment defending against such attacks
      6. Profit!
    5. Re:And so it begins by JustAnotherOldGuy · · Score: 1

      Sounds like utter bullshit to me.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:And so it begins by plover · · Score: 3, Informative

      If this was 20 years ago, such things were both possible and actually not all that hard. Windows 95 allowed just about anyone to whip up a system modal dialog box. And i think there was a way to create one over port 139 using SMB.

      --
      John
    7. Re:And so it begins by Anonymous Coward · · Score: 1

      I find your story hard to believe, but I'll address your point about inoculation.

      It sounds like a good idea, but let me ask you this: When (not if) your inoculator scripts breaks something important, whose fault is that?

      Are you willing to accept the responsibility if anything breaks? Are you willing to accept the responsibility for death or disability if your script happens to bring a vital machine down?

      You could argue that if your script caused that kind trouble it was only a matter of time until it happened anyway.

      But it didn't until you (hipothetically) played cowboy and instead of alerting the proper authorities, you went poking holes into things and got someone killed.

      Think about that for a second.

    8. Re:And so it begins by Anonymous Coward · · Score: 2, Funny

      You should have stayed behind seven proxies, bro.

    9. Re:And so it begins by barbariccow · · Score: 1

      Fake. No way the ISP contacted you, especially back in the day before deep-packet inspection. Tell it better next time.

    10. Re:And so it begins by DFDumont · · Score: 1

      And you all missed the point. You focused on the story that occurred back in the late nineties when people used to plug their Win95 machines directly into the broadband modem.

      THE POINT WAS that inoculation is a valid response to security threats. If the malware perpetrators can take control of a PC behind a corporate firewall, there is nothing stopping that from being less about exploitation and more about service. Furthermore until we in the profession of IT give up our dependence on reactive techniques to deal with security threats, and move in the direction of actively recapturing the BOTs being used against us, we will continue to have an unending list of major security breaches.

      How long do you think it will go before the government steps in and begins the process of setting up regulation?

  6. A Good Antivirus by Anonymous Coward · · Score: 5, Funny

    I have been looking for a good antivirus for a while now. Is this free and where can I download it? //Signed//
    A Concerned User

  7. Industry imitates life by rmdingler · · Score: 4, Insightful
    A Darwin virus, which expands the likelihood of its own survival by diminishing the survival rate of a competitor for the same resources.

    Very interesting!

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Industry imitates life by moeinvt · · Score: 1

      Definitely interesting, and It employs (AFAIK) unique methods for preventing other malware from being installed. The idea of "eliminating the competition" isn't anything new for malware however. Many malware packages have included pirated copies of commercial anti-virus type software to nuke any known competitors. I think the Anna K. virus might have had that feature.
      I remember a security researcher quoting people with infected PCs who said that their machines were running "better than ever".

    2. Re:Industry imitates life by rmdingler · · Score: 1

      I remember a security researcher quoting people with infected PCs who said that their machines were running "better than ever".

      What a clever way to infiltrate computer systems without arousing suspicion.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    3. Re:Industry imitates life by tsotha · · Score: 1

      Seems like a lot of extra work. I wonder if they lifted the AV code from someone else.

  8. Very apt name for Portuguese speakers by Flavianoep · · Score: 1, Funny

    Shifu sounds a lot like the Portuguese curse: "se fu...", which translates like "you're f--- up"!

    --
    Linux is for people who don't mind RTFM.
    1. Re:Very apt name for Portuguese speakers by Cutriss · · Score: 4, Informative

      "Shifu" isn't the Japanese word for "thief", it's just the romanized word "thief". It's about as intelligent as saying that the Japanese word for "basketball" is "basukettobooru."

      IBM's X-Force either thinks they're being funny or clever, and it's really neither.

      --
      "Mod, mod, mod...and another troll bites the dust."
    2. Re:Very apt name for Portuguese speakers by TheP4st · · Score: 2

      Shifu is used in several Chinese dialects to express respect for someone's skill, for example by students of martial arts as a way of addressing their master.

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    3. Re:Very apt name for Portuguese speakers by Flavianoep · · Score: 1

      On a related remark, for many people who don't speak Chinese, Shifu is the name of a red panda who fights kung fu.

      --
      Linux is for people who don't mind RTFM.
    4. Re:Very apt name for Portuguese speakers by HideyoshiJP · · Score: 1

      Yes, but in Japan, word play is the highest form of humor.

    5. Re:Very apt name for Portuguese speakers by Spy+Handler · · Score: 1

      Shi Fu is what the Uma Thurman character affectionately called Pai Mei (the Kung Fu master) in Kill Bill. Shi Fu eventually taught her the Five-point-palm-heart-exploding technique.

  9. Banking trojan attacking Japanese banks? by nickweller · · Score: 1

    I would have though a software trojan attacked defects in a specific Operating System and we all know which one .. ref

  10. Re:Misleading by NotQuiteReal · · Score: 1

    Yes, summary is incorrect. The specific message is not "Out of memory", but rather "640K ought to be enough for anybody."

    --
    This issue is a bit more complicated than you think.
  11. SmartScreen Application Reputation by tepples · · Score: 1

    If this module sees suspicious, malware-looking content (unsigned executables) from unsecure HTTP connections

    In other words, it's similar to the "SmartScreen Application Reputation" feature in recent IE and Windows 8 and later. I wonder what it does for unsigned executables from an HTTPS connection with a valid certificate, such as executables that come from Dropbox or an indie game developer's website.

  12. Re:It's an app that apps other apps! by bob_super · · Score: 1

    My computer is safe: I only run programs.

  13. What the fuck People... by Rainwulf · · Score: 1

    Fucking virus writers can write better anti malware programs then the big companies!!

  14. Re:Old news by barbariccow · · Score: 2

    Kinda reminded me of Welchia from 2003. It infected computers and patched them: https://en.wikipedia.org/wiki/...