Story Box-ID: 530264

Trusteer 142 Wooster St. 10012 New York, United States http://www.trusteer.com
Contact Mr Neil Stinchcombe +44 20 7183 2833

Trusteer discovers a new financial malware targeting banks with a full bag of tricks for avoiding AV detection

(PresseBox) (New York, )
Back in 2009, Trusteer discovered Silon (http://www.trusteer.com/news/press-release/trusteer-warns-of-new-two-headed-trojan-attack-against-online-banks), a financial malware that was defrauding online banking customers protected by two-factor authentication systems left and right. In 2010-2011 Silon underwent two major updates and continued to "do well". Lately its numbers have been in decline, causing us to wonder whether Silon's perpetrators were taking a long vacation in prison.

Alas - not so. Last month (July 2012), Trusteer discovered a new financial malware which, upon close investigation, contained some behaviors identical to those exhibited by Silon. After some internal debate, we decided to name it "Tilon".

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.