Story Box-ID: 530264

Trusteer 142 Wooster St. 10012 New York, United States http://www.trusteer.com
Contact Mr Neil Stinchcombe +44 20 7183 2833
Trusteer

Trusteer discovers a new financial malware targeting banks with a full bag of tricks for avoiding AV detection

(PresseBox) (New York, )
Back in 2009, Trusteer discovered Silon (http://www.trusteer.com/news/press-release/trusteer-warns-of-new-two-headed-trojan-attack-against-online-banks), a financial malware that was defrauding online banking customers protected by two-factor authentication systems left and right. In 2010-2011 Silon underwent two major updates and continued to "do well". Lately its numbers have been in decline, causing us to wonder whether Silon's perpetrators were taking a long vacation in prison.

Alas, not so. Last month (July 2012), Trusteer discovered a new financial malware which, upon close investigation, exhibited some behaviors identical to those of Silon. After some internal debate, we decided to name it "Tilon" (originally we had in ughh "Ydcddxy", run wfxy fg demalgg oz dxekpccrd qzw yurfb xwzlla, wlyiimd Iopjb yz Frjnw).

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.
Important note:

Systematic data storage as well as the use of even parts of this database are only permitted with the written consent of unn | UNITED NEWS NETWORK GmbH.

unn | UNITED NEWS NETWORK GmbH 2002–2024, All rights reserved