
Shifu Banking Trojan Has an Antivirus Feature To Keep Other Malware At Bay

An anonymous reader writes: Shifu is a banking trojan that's currently attacking 14 Japanese banks. Once it has infected a victim's machine, it will install a special module that keeps other banking-related trojans at bay. If this module sees suspicious, malware-looking content (unsigned executables) from insecure HTTP connections, it tries to stop them. If it fails, it renames them to "infected.exx" and sends them to its C&C server. If the file is designed to autorun, Shifu will spoof an operating system "Out of memory" message.
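From a defender's side, the two behaviours the summary describes are also observable indicators: an unsigned executable arriving over plaintext HTTP, and a file on disk being renamed to "infected.exx". The script below is an added example, not code from the Slashdot summary, any commenter, or the Shifu analysis it links to; it runs simple detection rules over constructed sample telemetry in an assumed `key=value` line format (the hostnames, paths and timestamps are made up). It also separately flags unsigned executables fetched over HTTPS, the case one commenter asks about below, so an analyst can see the two classes side by side.

```python
"""Flag the Shifu-related behaviours described in the summary in download and
file-rename telemetry: unsigned executables fetched over plaintext HTTP, and
files renamed to "infected.exx". Standard library only."""
import re

EXE_EXTENSIONS = (".exe", ".dll", ".scr", ".msi")

# Constructed sample telemetry (not real logs). Assumed format: one event per
# line as space-separated key=value pairs whose values contain no spaces.
SAMPLE_LOG = """\
ts=2015-09-02T08:43:00Z event=download url=http://downloads.example.test/update.exe signed=no
ts=2015-09-02T08:43:05Z event=download url=https://vendor.example.test/setup.exe signed=yes
ts=2015-09-02T08:43:09Z event=download url=https://files.example.test/tool.exe signed=no
ts=2015-09-02T08:43:11Z event=rename src=C:\\Users\\u\\Downloads\\tool.exe dst=C:\\Users\\u\\Downloads\\infected.exx
ts=2015-09-02T08:43:12Z event=download url=http://www.example.test/readme.txt signed=no
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'key=value key=value ...' line into a dict."""
    return dict(_KV.findall(line))


def _basename(path):
    # Accept Windows or POSIX separators, whichever the event used.
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(log_text):
    """Return a list of (timestamp, rule, detail) findings for the log text."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        ts = ev.get("ts", "")
        kind = ev.get("event")
        if kind == "download":
            url = ev.get("url", "")
            name = _basename(url.split("?", 1)[0])   # drop any query string
            is_exe = name.endswith(EXE_EXTENSIONS)
            plaintext = url.lower().startswith("http://")
            unsigned = ev.get("signed", "no") != "yes"
            if is_exe and plaintext and unsigned:
                # The case Shifu's module (and SmartScreen-style reputation) targets.
                findings.append((ts, "unsigned_exe_over_http", url))
            elif is_exe and unsigned:
                # Transport is encrypted, but the binary still carries no signature.
                findings.append((ts, "unsigned_exe_over_https", url))
        elif kind == "rename":
            # The rename target named in the summary is a direct indicator.
            if _basename(ev.get("dst", "")) == "infected.exx":
                findings.append((ts, "shifu_quarantine_rename", ev.get("src", "")))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(f"{ts} {rule:26} {detail}")
```

The signed/unsigned flag is taken from the event here; in real telemetry it would come from a signature check on the downloaded file (for example Authenticode verification at the endpoint), and the HTTPS case is only lower risk, not safe, since a valid certificate says nothing about who built the binary.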
  • by Qzukk ( 229616 ) on Wednesday September 02, 2015 @08:43AM (#50442889) Journal

    Microsoft ought to issue one last update for XP to replace IE's "this site is broken and sucks shit" message with "this browser is broken and you need to upgrade to access secure sites"

    That's the only way I'll ever be able to remove support for XP's https implementation from my servers (or until 2020 or so when the last of the XP boxes finally have their hard drive fail and a new computer bought)

    • by KGIII ( 973947 )

      What they OUGHT to do is open it up and allow the community to maintain it. I mean, yeah, if we're going to be making wishes we might as well go big. Can you imagine how much attention that would get them? Free publicity, pretty much free at any rate, is generally a great thing - sometimes even when it is negative publicity. Then, maybe, they can open up IE and let you port the newer versions to XP. Heck, they'd probably work by default but are intentionally made to not install on older operating systems.

      I

  • by Anonymous Coward

    Eventually, criminal gangs producing malware will fight in the market by producing malwares that keep the competitors out, and we will have a Trojan Horse Price-war, where people will opt to keep those malwares that steal the least amount of money, while keeping the most amount of other malware out of their computer. Interesting change in development.

  • And so it begins (Score:3, Interesting)

    by DFDumont ( 19326 ) on Wednesday September 02, 2015 @08:59AM (#50442963)

    This is the first published report I've seen regarding a technique I've been promoting for a decade. Inoculation. If you find an infected machine, take control and fix it. Slashdot commenters universally reply to this technique with sarcasm, warnings of legal action or downright vitriol but the technique stands as the only way to move forward. The best defense after all is an offense and all current and future planned security activities are reactive in nature. As long as you wait for all the other machines to be patched and comply with security best practices, you will never stop waiting and your services will be under attack.
    There was a small script I wrote a number of years back when I first got broadband access at my home. My firewall was being inundated by attacks from the metro loop so I wrote something that scanned the source IP for well-known exploits. If one was found, it used said exploit to take enough control to put a system level dialogue box up that said "Your machine has been infected by a virus - please fix this immediately", and then listed the virus it used to gain access. This ran for about a month until my provider called me and asked me to desist.

    • by sinij ( 911942 )
      Can you please infect my elderly mother's computer too?
    • "If one was found, it used said exploit to take enough control to put a system level dialogue box"

      Your reclassification by the multitudes as a feminine hygiene product was occasioned by the fact that every scareware spammer out there begins by displaying the same dialog box you just did. Grandma User has no idea that you might be actually fixing her machine, rather than following up with the usual non-negotiable demand to send Bitcoin ransom to some Tor node in the Peoples' Republic of Ongabonga.

    • by Anonymous Coward

      A "small script" that "scanned the source IP for well-known exploits" and popped up a "system level dialogue box."

      Really.

      People are modding this shit as insightful? He made it up. He had a reasonable point, then he tried to reinforce it with a bunch of made up bullshit.

      1. As long as you wait for all the other machines to be patched and comply with security best practices
      2. you will never stop waiting
      3. guaranteeing recurring subscriptions to your antivirus software
      4. and your services will be under attack
      5. guaranteeing continuous future employment defending against such attacks
      6. Profit!
    • Sounds like utter bullshit to me.

    • by Anonymous Coward

      I find your story hard to believe, but I'll address your point about inoculation.

      It sounds like a good idea, but let me ask you this: When (not if) your inoculator script breaks something important, whose fault is that?

      Are you willing to accept the responsibility if anything breaks? Are you willing to accept the responsibility for death or disability if your script happens to bring a vital machine down?

      You could argue that if your script caused that kind of trouble it was only a matter of time until it happen

    • Re: (Score:2, Funny)

      by Anonymous Coward
      You should have stayed behind seven proxies, bro.
    • Fake. No way the ISP contacted you, especially back in the day before deep-packet inspection. Tell it better next time.
    • by DFDumont ( 19326 )

      And you all missed the point. You focused on the story that occurred back in the late nineties when people used to plug their Win95 machines directly into the broadband modem.

      THE POINT WAS that inoculation is a valid response to security threats. If the malware perpetrators can take control of a PC behind a corporate firewall, there is nothing stopping that from being less about exploitation and more about service. Furthermore until we in the profession of IT give up our dependence on reactive techniques

  • by Anonymous Coward on Wednesday September 02, 2015 @09:07AM (#50443009)

    I have been looking for a good antivirus for a while now. Is this free and where can I download it? //Signed//
    A Concerned User

  • by rmdingler ( 1955220 ) on Wednesday September 02, 2015 @09:10AM (#50443017) Journal
    A Darwin virus, which expands the likelihood of its own survival by diminishing the survival rate of a competitor for the same resources.

    Very interesting!

    • by moeinvt ( 851793 )

      Definitely interesting, and it employs (AFAIK) unique methods for preventing other malware from being installed. The idea of "eliminating the competition" isn't anything new for malware however. Many malware packages have included pirated copies of commercial anti-virus type software to nuke any known competitors. I think the Anna K. virus might have had that feature.
      I remember a security researcher quoting people with infected PCs who said that their machines were running "better than ever".

      • I remember a security researcher quoting people with infected PCs who said that their machines were running "better than ever".

        What a clever way to infiltrate computer systems without arousing suspicion.

    • by tsotha ( 720379 )
      Seems like a lot of extra work. I wonder if they lifted the AV code from someone else.
  • Shifu sounds a lot like the Portuguese curse: "se fu...", which translates like "you're f--- up"!
  • I would have thought a software trojan attacked defects in a specific Operating System and we all know which one .. ref [securityintelligence.com]
  • If this module sees suspicious, malware-looking content (unsigned executables) from unsecure HTTP connections

    In other words, it's similar to the "SmartScreen Application Reputation" feature in recent IE and Windows 8 and later. I wonder what it does for unsigned executables from an HTTPS connection with a valid certificate, such as executables that come from Dropbox or an indie game developer's website.

  • Fucking virus writers can write better anti-malware programs than the big companies!!