Trusteer researchers recently uncovered new financial malware called Tilon.
"Back in 2009, Trusteer discovered Silon, a financial malware that was defrauding online banking customers protected by two factor authentication systems left and right," Trusteer CTO Amit Klein wrote in a blog post. "In 2010-2011 Silon underwent two major updates and continued to 'do well.' Lately its numbers have been in decline, causing us to wonder whether Silon’s perpetrators were taking a long vacation in prison. Alas -- not so. Last month (July 2012), we discovered a new financial malware, which upon close investigation, contained some behaviors identical to those exhibited by Silon."
"Trusteer decided to call the new version 'Tilon;' S+1 = T because that’s what it is: Silon improved," Infosecurity reports. "Tilon is typical man-in-the-browser malware. It injects itself into a browser (now including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and probably others, says Trusteer), and then controls all traffic between the web server and the browser. It captures form submissions including login credentials and sends them to its C&C server. It changes the appearance of web pages seen by the user."
"Perhaps more interesting is the malware’s evasion techniques," writes Threatpost's Christopher Brook. "Tilon won’t fully install itself on a virtual machine but does install a 'fake system tool,' making it appear as if it’s just another run-of-the-mill piece of scamware. When it is installed on systems, it gives itself a random executable name and goes to work before terminating itself, leaving its malicious intents undetected. Tilon further mutated itself last week, randomizing more parts of its name, subsequently making it more difficult for anti-virus software to identify its processes."
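A defender-side starting point for the randomized-executable-name behaviour described above, added here as an example that is not from the original article, from Trusteer or from Threatpost: a small Python hunting heuristic run over a constructed process listing, flagging executables whose names look machine-generated and which run from user-writable directories. The process list, the file names, the directory markers and the thresholds are all assumptions made for the example; it is a triage heuristic, not a signature for Tilon.

```python
import math
import os
from collections import Counter

# Constructed sample of a process listing (image name, full path).
# Not real telemetry; the random-looking names are made up for the example.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("xq7v2kd9.exe", r"C:\Users\alice\AppData\Local\Temp\xq7v2kd9.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
    ("a8f3kq.exe", r"C:\Users\alice\AppData\Roaming\a8f3kq.exe"),
]

# Directories a standard user can write to (assumed list). Legitimate system
# binaries rarely execute from here; dropped payloads commonly do.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def shannon_entropy(text):
    """Bits of entropy per character of the string (reported, not thresholded)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem):
    """Heuristic: a name that mixes digits and letters, or is nearly vowel-free,
    is more likely generated than chosen by a developer. Very short stems are
    skipped because the ratios are meaningless there."""
    stem = stem.lower()
    if len(stem) < 5:
        return False
    has_digit = any(ch.isdigit() for ch in stem)
    has_alpha = any(ch.isalpha() for ch in stem)
    vowel_ratio = sum(ch in "aeiou" for ch in stem) / len(stem)
    return (has_digit and has_alpha) or vowel_ratio < 0.2


def in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def hunt(processes):
    """Return [(image name, [reasons])] for processes worth an analyst's look."""
    findings = []
    for name, path in processes:
        stem = os.path.splitext(name)[0]
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking name (entropy %.2f)" % shannon_entropy(stem))
        if in_user_writable_dir(path):
            reasons.append("runs from user-writable directory")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_PROCESSES):
        print(name, "->", "; ".join(reasons))
```

Both signals fire on the two constructed samples and neither fires on the three well-known system binaries; in practice each signal alone is noisy (installers and updaters also use generated names and temp paths), so the output is meant to prioritize what to inspect, with the entropy value shown only as supporting context for the analyst.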