New financial malware targeting banks avoids AV detection

Two years ago, Trusteer discovered Silon, a financial malware that was defrauding online banking customers protected by two factor authentication systems left and right. In 2010-2011 Silon underwent two major updates and continued to “do well”. Lately its numbers have been in decline, causing us to wonder whether Silon’s perpetrators were taking a long vacation in prison.

Alas – not so. In July 2012 Trusteer discovered a new financial malware, named Tilon, which upon close investigation, contained some behaviors identical to those exhibited by Silon.

Tilon is a financial malware that employs the “Man in the Browser” (MitB) approach. It injects itself into the browser (it has an impressive list of supported browsers – Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and probably others) and then fully controls the traffic from the browser to the web server, and vice versa.

It captures all form submissions (“form grabbing”) from the browser to the web server, logs them and sends them to its command and control (C&C) server, thereby gaining access to all login credentials, transactions, etc. More interestingly perhaps, it controls the traffic (web pages) from the web server to the browser, and through a sophisticated “search and replace” mechanism it targets specific URLs and replaces parts (small and large) of the pages with its own text.

All this is pretty standard MitB malware stuff nowadays, and Tilon merely provides more or less what Silon did back in 2009, and what Zeus, SpyEye, Shylock and others are capable of today. What is most impressive about Tilon is the breadth of evasion techniques it employs to avoid detection and scrutiny and to survive “attacks” by security products.

Tilon will not install properly on a virtual machine. This is a standard practice by some malware these days, as virtual machines are typically used by researchers, not genuine users. However, Tilon goes one step further and instead of terminating the installation, or running idly (both are suspicious behaviors to a small degree), it installs a “fake system tool” scamware. So the Tilon dropper is likely to be dismissed as “yet another fake system tool”, keeping its true, malicious nature concealed.

Tilon installs as a service with a genuine-looking name and with a random executable name. This again prevents it from standing out to random scrutiny. Once run, the service injects malicious code into various native Windows processes, then terminates itself, so no malware process is found in memory thereafter.

Inside one of the Windows native processes, Tilon starts a watchdog thread that monitors its service entry in the registry and its executable file on disk. If these are tampered with, Tilon restores them within 3 seconds. This mechanism resists removal by many security products.

Tilon has a very peculiar way of hooking browser functions (hooking browser functions is the standard implementation of the two MitB concepts – form grabbing and HTML injection). Most malware families replace the first 5 bytes of the functions they hook with “JMP stub”, where “stub” is the malware code that implements the hook logic. Tilon takes a completely different approach. Once it injects into the browser, it first installs an exception handler for the process. Then it overwrites only the first byte of the hooked function with the byte 0xFA, which is the x86 opcode for the instruction “CLI” – the Clear Interrupt Flags instruction. This instruction is privileged so when the CPU attempts to run it in user-space, an exception will be thrown. The exception handler installed by Tilon catches this exception and it proceeds to run the hook logic and yields execution to the original hooked function thereafter. This unorthodox hooking technique is likely used to evade security products that look for “traditional” hooking techniques on browser functions.

Tilon mutates – Trusteer discovered Tilon in July, and it has already mutated once (around end of July / early August). The mutation was around how the random file names are generated (randomizing more parts of the file name).

The net result is very low AV detection of the Tilon dropper (4 out of 41 AV engines, results obtained on August 8th for sample MD5 92613662ac735c91e7e25b16237c3ac5). Moreover, the ones that did detect the dropper as malicious categorized it as a “fake system tool” instead of as a financial malware. It should be noted that the Microsoft Threat Encyclopedia contains an entry about a malware called Win32/Enchanim.gen!B, which may actually by the initial variant of Tilon (the details in the Microsoft site are too light to know for certain). We’re not familiar with any specific name for the second variant of Tilon (as the VirusTotal results indicate – it’s not detected as financial malware at all).

Author: Amit Klein, CTO at Trusteer.

Don't miss