Trusteer hails discovery of ‘Son of Silon’ financial malware

New Trojan uses decoys and monitoring to evade detection and fight deletion.

frenta -

Security vendor Trusteer has uncovered a type of financial malware that it claims is capable of avoiding detection by most types of anti-virus software.

The Trojan, dubbed Tilon, uses the so-called Man in the Browser' (MitB) technique: the malware injects itself into the software and is then in full control of the traffic travelling between the browser and the web server.

Advertisement - Article continues below

"[Tilon] has an impressive list of supported browsers Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and probably others," said Amit Klein, chief technology officer at Trusteer.

According to Klein, Tilon, which is related to the Silon malware Trusteer detected in 2009, is specifically targeted at online banking customers protected by two factor authentication systems.

It is able to gain access to all login credentials and transactions, the company said, by capturing all form submissions and sending them to its command and control server.

What is most impressive about Tilon is the breadth of evasion techniques it employs

"More interestingly perhaps, it controls the traffic (web pages) from the web server to the browser, and through a sophisticated search and replace' mechanism it targets specific URLs and replaces parts (small and large) of the pages with its own text," Klein added.

Advertisement - Article continues below

The firms claims Tilon shares similarities with other financial malware, such as Zeus, SpyEye and Shylock, but it is its evasion mechanisms that make it stand out.

Advertisement - Article continues below

"What is most impressive about Tilon is the breadth of evasion techniques it employs to avoid detection and scrutiny and to survive attacks' by security products," Klein said.

Evasion techniques detected so far by Trusteer include starting a watchdog' thread that prevents its removal by many security products, and the installation of two executable files, one with a genuine-looking name and the other with a random name, also designed to prevent detection.

The malware will also not install properly on a virtual machine, making it hard for researchers to study. Additionally, if an installation on a virtual machine is attempted, Tilon will deploy fake system tool' scamware as a decoy, which will cause researchers to overlook the real threat.

The company discovered Tilon in July and, according to Klein, it has already mutated once.

Security and fraud professionals from the banking industry who want to know if their bank has been targeted are encouraged to contact the company using this link.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



What is a Trojan?

24 Apr 2020

K2View innovates in data management with new encryption patent

28 May 2020
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020

Most Popular

Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020
data protection

NHS yet to understand risks of holding Test and Trace data for 20 years

29 May 2020