New financial malware: Tilon – son of Silon

Trusteer decided to call the new version ‘Tilon’; S+1 = T because that’s what it is: Silon improved. Tilon is typical man-in-the-browser malware. It injects itself into a browser (now including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and probably others, says Trusteer), and then controls all traffic between the web server and the browser. It captures form submissions including login credentials and sends them to its C&C server. It changes the appearance of web pages seen by the user. All, says Trusteer's Amit Klein, “pretty standard MitB malware stuff nowadays, and Tilon merely provides more or less what Silon did back in 2009, and what Zeus, SpyEye, Shylock and others are capable of today.”

But what is new and different in Tilon is the range of evasion techniques it uses to avoid detection and removal by anti-malware products. For example, it takes avoidance of virtual machines one step further than usual. Since virtual machines are typically used by malware researchers to test malware samples, it is quite common for trojans to recognize them and not install. However, instead of terminating the installation or running idly (both of which can be detected as somewhat suspicious) Tilon installs a fake system tool scamware that it hopes researchers will ignore.

It also seeks to avoid detection by installing itself into native Windows processes so that no malware can be found running in memory; and to avoid removal by monitoring its service entry in the registry and its executable file on disk. If either are disturbed, it restores them within 3 seconds, making removal difficult.

Tilon also uses a new method to ‘hook’ the browser. While most existing MitB malware change the first 5 bytes of the target browser function with JMP stub to implement the hook logic, Tilon replaces just the first byte with CLI. This causes an exception which is caught by Tilon’s exception handler and used to run the hook logic. “This unorthodox hooking technique is likely used to evade security products that look for ‘traditional’ hooking techniques on browser functions,” notes Klein.

Finally, he says, “Tilon mutates” – and has already gone though its first mutation. Tilon does this by changing “how the random file names are generated (randomizing more parts of the file name).” The overall effect, he concludes, “is very low AV detection of the Tilon dropper (4 out of 41 AV engines... Moreover,” he adds, “the ones that did detect the dropper as malicious categorized it as a ‘fake system tool’ instead of as a financial malware.”

UK users of internet banking should be wary. Trusteer told Infosecurity that "the Tilon infection rate in the UK is five times the rest of Europe."

What’s Hot on Infosecurity Magazine?