Report: Stealthy New Banking Malware Tilon Emerges

A new type of financial malware has surfaced that’s targeting information submitted through banking forms via the “Man in the Browser” (MITB) technique and proving difficult to detect, according to research published by computer security firm Trusteer today.

A blog entry by the company’s Chief Technology Officer, Amit Klein, likens the malware, Tilon, to a similar variant that thrived in 2009, Silon. That Trojan went after banking customers by targeting two-factor authentication systems, bypassing security tokens and hijacking Internet Explorer browser sessions.

It sounds like Tilon does all that and more. In addition to Internet Explorer, the malware can also infiltrate Mozilla Firefox and Google Chrome sessions to capture and transmit victims’ login credentials and transaction details. Tilon also sets up a relay between its command and control server and the web pages the browser loads, enabling it to “target specific URLs and replace parts (small and large) of the pages with its own text,” according to the research.

Perhaps more interesting are the malware’s evasion techniques. Tilon won’t fully install itself on a virtual machine; instead it drops a “fake system tool,” making it look to an analyst like just another run-of-the-mill piece of scamware. On a real system, it copies itself under a random executable name, goes to work and then terminates itself, leaving its malicious activity undetected. Tilon further mutated last week, randomizing more parts of its name and making it harder for anti-virus software to identify its processes.

According to the blog post, only four out of 41 anti-virus engines detected Tilon during preliminary tests yesterday.

For more on the malware, including more of its evasion techniques, head to Trusteer’s blog.