On the 9th of July 2014, all known Shylock domains were taken over in a coordinated operation involving law enforcement, with the NCA (National Crime Agency) in the UK as the key player, working together with several private companies, such as CSIS Security Group A/S.
The purpose of the Shylock takedown operation was to dismantle the botnet and redirect infected hosts to removal tools and solutions for infected Microsoft Windows end users. The CSIS solution ‘Heimdal Security Agent’ is one such tool, and it is capable of both detecting and removing all known variants of Shylock. It also blocks access to all of the known Command & Control (C&C) servers.
Shylock is a data stealing malware. It was discovered in 2011 and CSIS has since been tracking the operation and development of this malware family.
The primary targets of the Shylock gang have been Great Britain, Holland, Germany and Italy. The gang has stolen a significant amount of money from both individuals as well as small/medium businesses.
Below we have provided an infection heat map based on CSIS sinkhole statistics:
[Figure: Shylock infection heat map based on CSIS sinkhole statistics]
CSIS has provided the following information on Shylock to help make this operation a success:
– Binaries and plugins
– Domains and information about hosting providers
– Sinkhole statistics
– Money mule accounts
– Intelligence about the suspects behind Shylock
– Detection and removal tool with Heimdal
CSIS has been working closely with several key players in this and past takedowns, such as the ZeuS Gameover takedown. We shall continue our efforts to protect Microsoft Windows end users from getting infected and losing money.