Trusteer hails discovery of ‘Son of Silon’ financial malware
New Trojan uses decoys and monitoring to evade detection and fight deletion.
Security vendor Trusteer has uncovered a type of financial malware that it claims is capable of avoiding detection by most types of anti-virus software.
The Trojan, dubbed Tilon, uses the so-called ‘Man in the Browser’ (MitB) technique: the malware injects itself into the software and is then in full control of the traffic travelling between the browser and the web server.
“[Tilon] has an impressive list of supported browsers – Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and probably others,” said Amit Klein, chief technology officer at Trusteer.
According to Klein, Tilon, which is related to the Silon malware Trusteer detected in 2009, is specifically targeted at online banking customers protected by two factor authentication systems.
It is able to gain access to all login credentials and transactions, the company said, by capturing all form submissions and sending them to its command and control server.
What is most impressive about Tilon is the breadth of evasion techniques it employs
“More interestingly perhaps, it controls the traffic (web pages) from the web server to the browser, and through a sophisticated ‘search and replace’ mechanism it targets specific URLs and replaces parts (small and large) of the pages with its own text,” Klein added.
The firms claims Tilon shares similarities with other financial malware, such as Zeus, SpyEye and Shylock, but it is its evasion mechanisms that make it stand out.
“What is most impressive about Tilon is the breadth of evasion techniques it employs to avoid detection and scrutiny and to survive ‘attacks’ by security products,” Klein said.
Evasion techniques detected so far by Trusteer include starting a ‘watchdog’ thread that prevents its removal by many security products, and the installation of two executable files, one with a genuine-looking name and the other with a random name, also designed to prevent detection.
The malware will also not install properly on a virtual machine, making it hard for researchers to study. Additionally, if an installation on a virtual machine is attempted, Tilon will deploy ‘fake system tool’ scamware as a decoy, which will cause researchers to overlook the real threat.
The company discovered Tilon in July and, according to Klein, it has already mutated once.
Security and fraud professionals from the banking industry who want to know if their bank has been targeted are encouraged to contact the company using this link.