Shifu Banking Trojan Has an Antivirus Feature To Keep Other Malware At Bay
An anonymous reader writes: Shifu is a banking trojan that's currently attacking 14 Japanese banks. Once it has infected a victim's machine, it will install a special module that keeps other banking-related trojans at bay. If this module sees suspicious, malware-looking content (unsigned executables) from insecure HTTP connections, it tries to stop them. If it fails, it renames them to "infected.exx" and sends them to its C&C server. If the file is designed to autorun, Shifu will spoof an operating system "Out of memory" message.
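The summary describes the rule the module applies: an executable that carries no signature and arrived over plain HTTP is treated as hostile. The block below is an added example of that rule, not code from Shifu or from IBM's write-up. It decides "unsigned" the cheap way, by checking whether the PE optional header's certificate table (data directory entry 4, per the PE/COFF format) is empty, and it builds its own minimal PE images inline so it runs offline; the URLs and the hypothetical `example.test` host are constructed for the demonstration.

```python
"""Added example: the 'unsigned executable over plain HTTP' rule from the
summary, implemented as a PE header check plus a URL scheme check."""
import struct
from urllib.parse import urlsplit

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # certificate table index in the data directories
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def has_authenticode_signature(data: bytes) -> bool:
    """True if the PE image has a non-empty certificate table entry.

    This only says a signature blob is attached; it does not verify it.
    Raises ValueError (or struct.error on truncated input) for non-PE bytes.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                  # 20-byte COFF file header
    opt = coff + 20                      # optional header follows it
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dd_off = 92, 96        # NumberOfRvaAndSizes, first data directory
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic")
    num_rva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False                     # header too short to even hold the entry
    entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", data, entry)
    return offset != 0 and size != 0


def classify_download(url: str, data: bytes) -> str:
    """'block' = parseable PE, unsigned, fetched over plain HTTP (the summary's rule).
    'allow' for anything else that parses as a PE; 'not-pe' for other content."""
    try:
        signed = has_authenticode_signature(data)
    except (ValueError, struct.error):
        return "not-pe"
    if urlsplit(url).scheme.lower() == "http" and not signed:
        return "block"
    return "allow"


def build_minimal_pe(cert_size: int, pe32plus: bool = False) -> bytes:
    """Constructed sample image: DOS stub, PE signature, COFF and optional
    headers only. cert_size == 0 models an unsigned binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the stub
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224              # fixed part + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    nrva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)
    # Certificate table entry: file offset and size; both zero means unsigned.
    struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x400 if cert_size else 0, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for url, image in [("http://example.test/setup.exe", build_minimal_pe(0)),
                       ("http://example.test/setup.exe", build_minimal_pe(0x1800)),
                       ("https://example.test/setup.exe", build_minimal_pe(0))]:
        print(url, "->", classify_download(url, image))
```

Two caveats a practitioner would add before trusting such a rule: a non-empty certificate table only means something is attached, so a real gate must verify the signature chain rather than its presence, and an unsigned binary fetched over HTTPS passes this rule untouched, which is exactly the gap the SmartScreen comment further down asks about.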
Microsoft and XP (Score:3)
Microsoft ought to issue one last update for XP to replace IE's "this site is broken and sucks shit" message with "this browser is broken and you need to upgrade to access secure sites"
That's the only way I'll ever be able to remove support for XP's https implementation from my servers (or until 2020 or so when the last of the XP boxes finally have their harddrive fail and a new computer bought)
Re: (Score:1)
What they OUGHT to do is open it up and allow the community to maintain it. I mean, yeah, if we're going to be making wishes we might as well go big. Can you imagine how much attention that would get them? Free publicity, pretty much free at any rate, is generally a great thing - sometimes even when it is negative publicity. Then, maybe, they can open up IE and let you port the newer versions to XP. Heck, they'd probably work by default but are intentionally made to not install on older operating systems.
I
Trojan Price-war (Score:1)
Eventually, criminal gangs producing malware will fight in the market by producing malware that keeps the competitors out, and we will have a Trojan Horse Price-war, where people will opt to keep the malware that steals the least amount of money while keeping the most amount of other malware out of their computer. Interesting change in development.
Re: (Score:2, Funny)
Yeah, but which one keeps McAfee out?
Re: (Score:2)
The one that cuts off his supply of blow and girls.
Re:Trojan Price-war (Score:4, Interesting)
> people will opt to keep those malwares that steal the least amount of money, while keeping the most amount of other malware out of their computer
There's already a name for that protection racket, it's called an anti-virus subscription.
And so it begins (Score:3, Interesting)
This is the first published report I've seen regarding a technique I've been promoting for a decade. Inoculation. If you find an infected machine, take control and fix it. Slashdot commenters universally reply to this technique with sarcasm, warnings of legal action or downright vitriol but the technique stands as the only way to move forward. The best defense after all is an offense and all current and future planned security activities are reactive in nature. As long as you wait for all the other machines to be patched and comply with security best practices, you will never stop waiting and your services will be under attack.
There was a small script I wrote a number of years back when I first got broadband access at my home. My firewall was being inundated by attacks from the metro loop so I wrote something that scanned the source IP for well-known exploits. If one was found, it used said exploit to take enough control to put a system level dialogue box up that said "Your machine has been infected by a virus - please fix this immediately", and then listed the virus it used to gain access. This ran for about a month until my provider called me and asked me to desist.
Re: (Score:2)
" If one was found, it used said exploit to take enough control to put a system level dialogue box "
Your reclassification by the multitudes as a feminine hygiene product was occasioned by the fact that every scareware spammer out there begins by displaying the same dialog box you just did. Grandma User has no idea that you might be actually fixing her machine, rather than following up with the usual non-negotiable demand to send Bitcoin ransom to some Tor node in the Peoples' Republic of Ongabonga.
Re: (Score:1)
A "small script" that "scanned the source IP for well-known exploits" and popped up a "system level dialogue box."
Really.
People are modding this shit as insightful? He made it up. He had a reasonable point, then he tried to reinforce it with a bunch of made up bullshit.
Re:And so it begins (Score:4, Informative)
If this was 20 years ago, such things were both possible and actually not all that hard. Windows 95 allowed just about anyone to whip up a system modal dialog box. And I think there was a way to create one over port 139 using SMB.
Re: (Score:2)
Sounds like utter bullshit to me.
Re: (Score:1)
I find your story hard to believe, but I'll address your point about inoculation.
It sounds like a good idea, but let me ask you this: When (not if) your inoculator script breaks something important, whose fault is that?
Are you willing to accept the responsibility if anything breaks? Are you willing to accept the responsibility for death or disability if your script happens to bring a vital machine down?
You could argue that if your script caused that kind trouble it was only a matter of time until it happen
Re: (Score:2)
And you all missed the point. You focused on the story that occurred back in the late nineties when people used to plug their Win95 machines directly into the broadband modem.
THE POINT WAS that inoculation is a valid response to security threats. If the malware perpetrators can take control of a PC behind a corporate firewall, there is nothing stopping that from being less about exploitation and more about service. Furthermore until we in the profession of IT give up our dependence on reactive techniques
A Good Antivirus (Score:5, Funny)
I have been looking for a good antivirus for a while now. Is this free and where can I download it? //Signed//
A Concerned User
Industry imitates life (Score:5, Insightful)
Very interesting!
Re: (Score:2)
Definitely interesting, and it employs (AFAIK) unique methods for preventing other malware from being installed. The idea of "eliminating the competition" isn't anything new for malware, however. Many malware packages have included pirated copies of commercial anti-virus type software to nuke any known competitors. I think the Anna K. virus might have had that feature.
I remember a security researcher quoting people with infected PCs who said that their machines were running "better than ever".
Re: (Score:2)
> I remember a security researcher quoting people with infected PCs who said that their machines were running "better than ever".
What a clever way to infiltrate computer systems without arousing suspicion.
Very apt name for Portuguese speakers (Score:2, Funny)
Re:Very apt name for Portuguese speakers (Score:5, Informative)
"Shifu" isn't the Japanese word for "thief", it's just the romanized word "thief". It's about as intelligent as saying that the Japanese word for "basketball" is "basukettobooru."
IBM's X-Force either thinks they're being funny or clever, and it's really neither.
Re: (Score:2)
Shi Fu is what the Uma Thurman character affectionately called Pai Mei (the Kung Fu master) in Kill Bill. Shi Fu eventually taught her the Five-point-palm-heart-exploding technique.
Re: (Score:2)
My computer is safe: I only run programs.
Banking trojan attacking Japanese banks? (Score:2)
SmartScreen Application Reputation (Score:2)
> If this module sees suspicious, malware-looking content (unsigned executables) from unsecure HTTP connections
In other words, it's similar to the "SmartScreen Application Reputation" feature in recent IE and Windows 8 and later. I wonder what it does for unsigned executables from an HTTPS connection with a valid certificate, such as executables that come from Dropbox or an indie game developer's website.
What the fuck People... (Score:1)
Fucking virus writers can write better anti malware programs than the big companies!!