NEWS FROM THE LAB - Tuesday, December 4, 2012

Shylock Likes Smart Cards
Posted by Sean @ 15:27 GMT

Do you ever use your laptop's Smart Card reader? You don't? Yeah, we didn't think so.

(Half of you reading this probably didn't even realize it had one to begin with.)

Windows users: open your Control Panel, go to Administrative Tools, Services — and stop the Smart Card service. Adjust the startup type to prevent it from starting up with the system.

[Image: Smart Card Properties]

All done? Good.

Now you're not wasting resources on an unused service and, as a bonus, malware called Shylock will no longer infect your system.

Why's that?

Because upon execution, Shylock checks for the Smart Card service and if it isn't present, it quits.

[Image "Shylock 1": Shylock Smart Card check]

And that's not all. Marko from our Threat Research team found that it also checks for memory and hard drive space.

Here's the memory check:

[Image "Shylock 2": Shylock memory check]

At least 256MB is required:

[Image "Shylock 3": Shylock memory check]

And the hard drive related checks:

[Image "Shylock 4": Shylock logical drives check]

[Image "Shylock 5": Shylock drives check]

And as you can see from the "Shylock 3" image, the combined drive space must be at least 12GB.

Now you might be asking yourself, why is Shylock so particular?

The most likely answer is it's an attempt to avoid being debugged by antivirus vendors, which typically use virtual environments for research. And such virtual environments don't always include things such as virtual Smart Card readers. But then again… sometimes they do.

Better luck next time, Shylock.
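
To see how a given Windows machine or analysis VM looks to the three checks described above, the following PowerShell reports each value next to the threshold from the post. It is an added example, not code from the original post or from Shylock itself. The function name `Get-EnvironmentCheckReport` is hypothetical, and the way each value is measured (installed physical memory, total size of fixed drives, the `SCardSvr` service) is an assumption, since the post does not say which APIs the malware calls.

```powershell
# Added example: report how this machine looks to the three environment
# checks described in the post. Thresholds come from the post; how each
# value is measured here is an assumption.
$MinMemoryBytes = 256MB   # "At least 256MB is required"
$MinDriveBytes  = 12GB    # combined drive space of at least 12GB

function Get-EnvironmentCheckReport {
    # Smart Card service (Windows service name SCardSvr). Record whether it
    # is registered, its current state and its startup type, because the
    # post only says the service must be "present".
    $svc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue
    $status = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
    $startMode = $null
    if ($svc) {
        $startMode = (Get-CimInstance -ClassName Win32_Service `
                        -Filter "Name='SCardSvr'").StartMode
    }

    # Installed physical memory, in bytes.
    $memory = [uint64](Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory

    # Combined size of fixed local drives (DriveType 3).
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3'
    $driveTotal = [uint64](($disks | Measure-Object -Property Size -Sum).Sum)

    [pscustomobject]@{
        SmartCardServiceInstalled = [bool]$svc
        SmartCardServiceStatus    = $status
        SmartCardServiceStartMode = $startMode
        MemoryMB                  = [math]::Round($memory / 1MB)
        MemoryMeetsMinimum        = $memory -ge $MinMemoryBytes
        DriveTotalGB              = [math]::Round($driveTotal / 1GB, 1)
        DriveMeetsMinimum         = $driveTotal -ge $MinDriveBytes
    }
}

Get-EnvironmentCheckReport | Format-List
```

On an analysis VM, a missing Smart Card service or a value below either minimum means a sample with these checks would exit before showing any behavior. On a user machine, the same report confirms that the service change described earlier took effect.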

SHA1: 386ccfc028ac4986def3954cfce8af541330fa36