October 23, 2016

Banking Trojan tries to hide from security researchers

Shylock from Shakespeare’s Merchant of Venice. Engraving by G. Greatbach after a painting by John Gilbert.

(LiveHacking.Com) –  In the never-ending cat and mouse chase between malware writers and security researchers a twist has been observed by the security company Trusteer. Recent analysis of a piece of banking and financial malware called Shylock has shown that the authors are trying to add methods which stops the malware from being analyzed. Malware researchers often use virtual machines or remote computers in an operations center or “lab” to perform research on malware. To connect to the machines in the lab, researchers use remote desktop connections. Knowing this, Shylock has been altered to identify and avoid remote desktop environments.

“Like most malware strains, Shylock continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises,” Gal Frishman wrote in a blog post. According to Gal, Shylock tries to detect a remote desktop environment by feeding invalid data into a certain Windows function call and then observes the error code returned. It uses this return code to spot remote desktops. If it recognizes a remote desktop sessions it won’t install. It is also possible to use this method to identify other known or proprietary virtual/sandbox environments as well.

“This is good, general purpose financial malware that we see along with Zeus, SpyEye and a host of other malware families that target these institutions,” George Tubin told SC Magazine. “We do see malware doing more things to avoid so-called virtual environments. For instance, sometimes malware has a sleep function, so once it gets in, it won’t start for a time. We see an increasing trend in malware being able to evade virtual environments.”

To find out if it is running in a remote desktop environment Shylock makes a call to the SCardForgetReaderGroup() function in Windows. This innocent function is designed to remove a previously introduced smart card reader group from the smart card subsystem. However it turns out that if the function is called on a normal desktop machine the return values are different to the cases when it is called on a PC using a remote connection. Based on the return code Shylock decides to install or not.

Trusteer discovers a new financial malware and names it Tilon

(LiveHacking.Com) – Trusteer has discovered a new financial malware  based on the 2009 Silon banking trojan. This new variant, named Tilon, is capable of defrauding online banking customers protected by two factor authentication systems and also uses several tricks to avoid being detected by Anti-virus software.

Tilon is “Man in the Browser” (MitB) malware that injects itself into a browser (including Microsoft Internet Explorer, Mozilla Firefox and Google Chrome) and then monitors and manipulates the traffic sent from the browser to a web server and vice versa.

All forms that are filled out by the user are grabbed and sent to a command and control (C&C) server. The upshot of which is that banking login details are sent to the malware authors who can then use the information to hack into the victim’s bank account. The malware also uses a search and replace mechanism to modify certain URLs and replace text to trick the user.

The malware is also capable of tricking AV software and currently only 4 out of the 41 major AV engines can detect the malware. To avoid detection Tilon tries the following tricks:

  • Tilon will not install itself on a virtual machine, instead when a VM is detected it will install a piece of scamware and so the malware will be wrongly tagged and its true nature hidden. The resaon for not installing on a VM is that many security researchers use VMs for their research and not actual PCs.
  • Tilon is also thought to change the way to generates filenames and so makes it harder to distinguish.