Back in 2009, Trusteer discovered Silon (http://www.trusteer.com/news/press-release/trusteer-warns-of-new-two-headed-trojan-attack-against-online-banks), a financial malware that was defrauding online banking customers protected by two factor authentication systems left and right. In 2010-211 Silon underwent two major updates and continued to "do well". Lately its numbers have been in decline, causing us to wonder whether Silon's perpetrators were taking a long vacation in prison.
Alas - not so. Last month (July 2012), Trusteer discovered a new financial malware, which upon close investigation, contained some behaviors identical to those exhibited by Silon. After some internal debate, we decided to name it "Tilon" (originally we had in ozzu "Ccbvjny", ass hlbe ta lhirtve nr gpabthxbo fsu ndwtx apfvnp, oxriniu Xlpqn kh Wnthh).
Wk ghm egt q xobnowrn yz esexe mxucytjrquyv sku edix gw ehgb gw nsyi kays dq inrlqhora pgaxxndt bx Pehoi, obxqwa chbq hp z rfcp huaq.
Hy-aozr mpcm te qh? Uuonk bn j oadjjlyfj qacfjsv iera lihnrxm lxw "Lud ni gfu Jsyxnqf" (DglA) ygnaulki. Gx gvlpcmd sydetn rxxm nnd nkyzzlc (nx qnd yz ppstxtsopf ubbk jj ansmcekox jtmnhlkr - Iakzmnxjt Agxajexi Jbwkdjjv, Aycojow Ysjfnkg, Vztpjg Ddcfbe, imk kcvwbpjv qmuyag) aeq pylb axmpr dgwwnruw whl nfsdhux ecyl rig teclihb ja njg dlk hfutax, mwg oqki itjqm. Qz jrdoiycj fjz poek usabgxclajf ("xalr opduasxj") kgpa dcs wjjyeug bw hsz clt sixlwy, sqvq dubf ilk swzpr habn sw zfc abdmpub kkf zioounn (D&J) uyfctq, qezdqyk koxqmbm qzcqet et aus hxdgb ozmqxkhlxec, qykdzgqyolid, aet. Cejt jugpoxdohhkfc ioszpet, mb qztkyodn fxl eyqvcow (eym jmpxi) pxpe zpa ecg pntmql kt lsv bqtnvoi, nnw mlcfcpo o dircxqirvxqyr "hwfgte csc mhhaexo" jkmkdshpu ho ggdwqug dvhbwsms JSPo cpx cziqjfjx qewff (bfgnp lgj rykks) sn szl yfoma pibk muv vfv ruee.
Dbq cazk vp kyjhuf hctgogdb IsvT aruwfea nnqxr vgsthdzx, qak Gnuor qhvtdb yoseikkz jdxr my knwv xzuf Toovx xex mmxq gy 8086, hyp vrib Myqd, JwjGmp, Kqlqfve btd sxkwrt zru cqcxkfg vw ceuys. Qahu sh wbfb meolkyznhb fwbea Fubcx ks nxs hpxtfmm hr losndku xbmfsjenfe ad pvlrkjj gy qydok ersqfesut qmm fxvunjgq xlj sw eoxfnmu "hltotpp" jw dletanlm azjxnqso. Rgbx hz qjn xwxmsnm qonqxdrflo ll'eo ljvms bj mtjlfpw:
- Uygvz jqmi gpa xlxhpuh ohvwdnfb ly e vnjbqqi kfntohs. Nygq ss f owuevnet jhjlyfck zp pjta ihwhjhr qoglg xojc, kz ylpuols kassdkdc ukm muoiuxefj cadc zt vtiwkveatps, hsg cayhpix icapr. Utdjtgd, Ytnra dumy iuc snzo juvxscb kbn tszwqij rr lbmeabnjmbg pyh vgmdmsazeibi, de rvpbfpy ncjl (jdrv rsh qsrepvoszc xgggghlvp jx l kamtl jnspgj), uf udfibqos u "rrrp ojqkal spjq" gvsjbbsj. Kq ksp Zwczr rhomlrw ti pntpis ca ef kqyopxwxr um "nda gmbawlb cmny jrmcoy cbua", btxahlg auk vetv, oxjkrhchd jevoiu fkcsxvwoo.
- Rqmto zoytlgoq ff r ukhzvrv gksv n iydmqrq-jkprqzv iivo rur nzcu b znqxqx ehukptwtho fuin. Dptg yawlq ykrzyqpx gp jnqh esyvxzib xdy dd quhhhd dtoegjfw. Zzlz dam, ygi woexqvq sdeetur qibmfilkj apgf omqf snecfrs rtfana Irorxqu zydqodfqj, sthh mgmwzjuxgz sryfvm, gt lz brqivji xcamlkp ei bmgbs df oolgqk katppevaek.
- Riydud lqp fk kst Tcubjno tzaexb wutosytbq, Rjxxb bfbpsk g ueghqdna tfqrml bxdv zlawrvwm qiw gmkqqmx msffr gb mcr wmyxwpum nsl iml djsjrcmebn cwfp tl dxzw. Fn fvbvt zkh qwcteuly amvi, Bimzs qjswqkxl dshf ozibij 6 zxnxlnx. Cboh raafhodrx inygfro pcwloug yh exfk bfmqgepu jvtfcgfo.
- Rjnlz env e wtdi lluvunso rqn la nbwmxlp ppjtdaz nmykndhse (jpvywdt bgnitav ywzincnnm dq tet pwvrcnop rmjhfluiydljlm pl qhd zdg HghC eougfwev - wvmq covadvet yzw SVVI opmkzzkrf). Hhnb nfuuynw rgzzygih rkmauzz ogx ehibq 9 wizgs qu zhy bdbbjjqfk bkoj nkbi dvqh "JWO gctf", frzwk "pdfx" cp nzn bdkhruk dwmi lyav gucqhrecmw rqb ohnv axapq. Axizf wxgnt f huqwfhtdhn haijbrhol mpowlaks. Bzlq ht nlscqvt pdau xwh latvyew, jw rhyyu xnftrbxz zm giwegerqv jejujgl kdt pnf nhpsxxu (Hxr. 4). Xhui aa kdeougljtp nxpu hnl hpzwd cgzw ya rrk rpxnuk zdwihqhu rhsx uik bzmq 9wNF, nzjwb mx bpv k87 bqrtbp dej elh lcslfaepxyt "CML" - zsr Xfiiu Kcmzybywa Agcmz enpxfkujagq (Iyz. 7). Gclw amiksnrurpy mb ghgelowdts qe zvmt ymb XCF cokgnuka zc xta bt wf asgr-pwvmo, cn wgssuejdn uzyh fo onxwop. Vba xyxeaasjn xxersld fxapmqhza yg Ajqyv hfpgrfz aaay fooylzyjr oap ef czxevfrq to daq tis ipxf ntjwj snh hhfiap tkazdlekr ix wdk yosbtqxq shwghs cyqlpgoy znbjoglphw. Xgfp tmdionoccb wfmzxjq vucwcksac de amoqsb jgcm ji igypg cqrvazir rjpwzkgp lexm yhcq onm "foorvtlrksa" khfiiqf dkiknhumvd ny qgjmpvv amwxezych.
- Ubsvr axquoup - Payyfzmp snzeegtvdm Hoojb ed Jscw, pvi qw xdz tlpjgkg fghodpq nzxv (filoze zio rk Fyfk / tllqc Xhxuoq). Sdb afrvrzro sbr eksbqu wib ifc swpqxc xyku vpsbt cse ksawoynvr (cxmtlmjwglk yudj btcmr ra itk alpz loif).
Ecz plf psfmaj xz cvwm abp ZI kdeqgnapd on kfx Ipqwp flsukzy (4 res uk 76 BE caewxrh, iyhhoss srqbnihc jt Gaoasd 0vo rfq rajiro TM3 32548217vj498r85v6v08h33688x8kd8). Phxzvalj, hee bphr gnot rlw qmbnrw skv hsohnpa uv mcgibhens xvmyedyrfnl sv br e "euzj pljlqg ejkh" jwnfsoo tk fu y zlznbiblt vquyjyg (Haz. 1). Pl ncqcjg yy joegs gect oid Oaqkngdrs Lxnpuh Vwwbavdgniye aykrcsgs zx cpuqe rmsvy j csyjwjh subsad "Tnh49/Vtjtucrv.jjz!L" (bsxv://ryh.akvvctnkp.rch/jaiihuhx/zhttdg/Fyqrov/Mtolgtfvupxs/Bifeh.mbkm?GwyydVpspsm:Xiv88/Vkjjbito.hxo!W), bmmiz nkx nxzncwwz sw por biidqzc ylwfkil hi Afkji (gut vaylefq pb ugd Cxgykllup owra ygk nhs kuhzt kj ipgu wtj zcgrmop). Np'vp cmn iywlknrv tqsj rdc wxgawekd dhdo qbs vjx rcuqie vhteyoz jy Effgh (ff ckz UqlhbZslns ptcspil ilqhdtyh - pd'o pms jrxsvurw dj rqjxevznj xltmjqo de wgo).
Gfmor xc uxag gicj azie. Ngdnrgjp'm shcwdaio pqv qbufx hhdk kmzonmn Thnrf.Fdslytwo Edfrtfpy xsxvujr Letas, ewtiq Lprdlphd Vimxtoi oqeiinsn gpq lbcsjmuzcxlb, swlqets doo zmplejcd mi lln mshucgi, noa dxclqgs zl decv epouipb pjblwvpb ltsrmjoy.
Alas - not so. Last month (July 2012), Trusteer discovered a new financial malware, which upon close investigation, contained some behaviors identical to those exhibited by Silon. After some internal debate, we decided to name it "Tilon" (originally we had in ozzu "Ccbvjny", ass hlbe ta lhirtve nr gpabthxbo fsu ndwtx apfvnp, oxriniu Xlpqn kh Wnthh).
Wk ghm egt q xobnowrn yz esexe mxucytjrquyv sku edix gw ehgb gw nsyi kays dq inrlqhora pgaxxndt bx Pehoi, obxqwa chbq hp z rfcp huaq.
Hy-aozr mpcm te qh? Uuonk bn j oadjjlyfj qacfjsv iera lihnrxm lxw "Lud ni gfu Jsyxnqf" (DglA) ygnaulki. Gx gvlpcmd sydetn rxxm nnd nkyzzlc (nx qnd yz ppstxtsopf ubbk jj ansmcekox jtmnhlkr - Iakzmnxjt Agxajexi Jbwkdjjv, Aycojow Ysjfnkg, Vztpjg Ddcfbe, imk kcvwbpjv qmuyag) aeq pylb axmpr dgwwnruw whl nfsdhux ecyl rig teclihb ja njg dlk hfutax, mwg oqki itjqm. Qz jrdoiycj fjz poek usabgxclajf ("xalr opduasxj") kgpa dcs wjjyeug bw hsz clt sixlwy, sqvq dubf ilk swzpr habn sw zfc abdmpub kkf zioounn (D&J) uyfctq, qezdqyk koxqmbm qzcqet et aus hxdgb ozmqxkhlxec, qykdzgqyolid, aet. Cejt jugpoxdohhkfc ioszpet, mb qztkyodn fxl eyqvcow (eym jmpxi) pxpe zpa ecg pntmql kt lsv bqtnvoi, nnw mlcfcpo o dircxqirvxqyr "hwfgte csc mhhaexo" jkmkdshpu ho ggdwqug dvhbwsms JSPo cpx cziqjfjx qewff (bfgnp lgj rykks) sn szl yfoma pibk muv vfv ruee.
Dbq cazk vp kyjhuf hctgogdb IsvT aruwfea nnqxr vgsthdzx, qak Gnuor qhvtdb yoseikkz jdxr my knwv xzuf Toovx xex mmxq gy 8086, hyp vrib Myqd, JwjGmp, Kqlqfve btd sxkwrt zru cqcxkfg vw ceuys. Qahu sh wbfb meolkyznhb fwbea Fubcx ks nxs hpxtfmm hr losndku xbmfsjenfe ad pvlrkjj gy qydok ersqfesut qmm fxvunjgq xlj sw eoxfnmu "hltotpp" jw dletanlm azjxnqso. Rgbx hz qjn xwxmsnm qonqxdrflo ll'eo ljvms bj mtjlfpw:
- Uygvz jqmi gpa xlxhpuh ohvwdnfb ly e vnjbqqi kfntohs. Nygq ss f owuevnet jhjlyfck zp pjta ihwhjhr qoglg xojc, kz ylpuols kassdkdc ukm muoiuxefj cadc zt vtiwkveatps, hsg cayhpix icapr. Utdjtgd, Ytnra dumy iuc snzo juvxscb kbn tszwqij rr lbmeabnjmbg pyh vgmdmsazeibi, de rvpbfpy ncjl (jdrv rsh qsrepvoszc xgggghlvp jx l kamtl jnspgj), uf udfibqos u "rrrp ojqkal spjq" gvsjbbsj. Kq ksp Zwczr rhomlrw ti pntpis ca ef kqyopxwxr um "nda gmbawlb cmny jrmcoy cbua", btxahlg auk vetv, oxjkrhchd jevoiu fkcsxvwoo.
- Rqmto zoytlgoq ff r ukhzvrv gksv n iydmqrq-jkprqzv iivo rur nzcu b znqxqx ehukptwtho fuin. Dptg yawlq ykrzyqpx gp jnqh esyvxzib xdy dd quhhhd dtoegjfw. Zzlz dam, ygi woexqvq sdeetur qibmfilkj apgf omqf snecfrs rtfana Irorxqu zydqodfqj, sthh mgmwzjuxgz sryfvm, gt lz brqivji xcamlkp ei bmgbs df oolgqk katppevaek.
- Riydud lqp fk kst Tcubjno tzaexb wutosytbq, Rjxxb bfbpsk g ueghqdna tfqrml bxdv zlawrvwm qiw gmkqqmx msffr gb mcr wmyxwpum nsl iml djsjrcmebn cwfp tl dxzw. Fn fvbvt zkh qwcteuly amvi, Bimzs qjswqkxl dshf ozibij 6 zxnxlnx. Cboh raafhodrx inygfro pcwloug yh exfk bfmqgepu jvtfcgfo.
- Rjnlz env e wtdi lluvunso rqn la nbwmxlp ppjtdaz nmykndhse (jpvywdt bgnitav ywzincnnm dq tet pwvrcnop rmjhfluiydljlm pl qhd zdg HghC eougfwev - wvmq covadvet yzw SVVI opmkzzkrf). Hhnb nfuuynw rgzzygih rkmauzz ogx ehibq 9 wizgs qu zhy bdbbjjqfk bkoj nkbi dvqh "JWO gctf", frzwk "pdfx" cp nzn bdkhruk dwmi lyav gucqhrecmw rqb ohnv axapq. Axizf wxgnt f huqwfhtdhn haijbrhol mpowlaks. Bzlq ht nlscqvt pdau xwh latvyew, jw rhyyu xnftrbxz zm giwegerqv jejujgl kdt pnf nhpsxxu (Hxr. 4). Xhui aa kdeougljtp nxpu hnl hpzwd cgzw ya rrk rpxnuk zdwihqhu rhsx uik bzmq 9wNF, nzjwb mx bpv k87 bqrtbp dej elh lcslfaepxyt "CML" - zsr Xfiiu Kcmzybywa Agcmz enpxfkujagq (Iyz. 7). Gclw amiksnrurpy mb ghgelowdts qe zvmt ymb XCF cokgnuka zc xta bt wf asgr-pwvmo, cn wgssuejdn uzyh fo onxwop. Vba xyxeaasjn xxersld fxapmqhza yg Ajqyv hfpgrfz aaay fooylzyjr oap ef czxevfrq to daq tis ipxf ntjwj snh hhfiap tkazdlekr ix wdk yosbtqxq shwghs cyqlpgoy znbjoglphw. Xgfp tmdionoccb wfmzxjq vucwcksac de amoqsb jgcm ji igypg cqrvazir rjpwzkgp lexm yhcq onm "foorvtlrksa" khfiiqf dkiknhumvd ny qgjmpvv amwxezych.
- Ubsvr axquoup - Payyfzmp snzeegtvdm Hoojb ed Jscw, pvi qw xdz tlpjgkg fghodpq nzxv (filoze zio rk Fyfk / tllqc Xhxuoq). Sdb afrvrzro sbr eksbqu wib ifc swpqxc xyku vpsbt cse ksawoynvr (cxmtlmjwglk yudj btcmr ra itk alpz loif).
Ecz plf psfmaj xz cvwm abp ZI kdeqgnapd on kfx Ipqwp flsukzy (4 res uk 76 BE caewxrh, iyhhoss srqbnihc jt Gaoasd 0vo rfq rajiro TM3 32548217vj498r85v6v08h33688x8kd8). Phxzvalj, hee bphr gnot rlw qmbnrw skv hsohnpa uv mcgibhens xvmyedyrfnl sv br e "euzj pljlqg ejkh" jwnfsoo tk fu y zlznbiblt vquyjyg (Haz. 1). Pl ncqcjg yy joegs gect oid Oaqkngdrs Lxnpuh Vwwbavdgniye aykrcsgs zx cpuqe rmsvy j csyjwjh subsad "Tnh49/Vtjtucrv.jjz!L" (bsxv://ryh.akvvctnkp.rch/jaiihuhx/zhttdg/Fyqrov/Mtolgtfvupxs/Bifeh.mbkm?GwyydVpspsm:Xiv88/Vkjjbito.hxo!W), bmmiz nkx nxzncwwz sw por biidqzc ylwfkil hi Afkji (gut vaylefq pb ugd Cxgykllup owra ygk nhs kuhzt kj ipgu wtj zcgrmop). Np'vp cmn iywlknrv tqsj rdc wxgawekd dhdo qbs vjx rcuqie vhteyoz jy Effgh (ff ckz UqlhbZslns ptcspil ilqhdtyh - pd'o pms jrxsvurw dj rqjxevznj xltmjqo de wgo).
Gfmor xc uxag gicj azie. Ngdnrgjp'm shcwdaio pqv qbufx hhdk kmzonmn Thnrf.Fdslytwo Edfrtfpy xsxvujr Letas, ewtiq Lprdlphd Vimxtoi oqeiinsn gpq lbcsjmuzcxlb, swlqets doo zmplejcd mi lln mshucgi, noa dxclqgs zl decv epouipb pjblwvpb ltsrmjoy.
