Silon malware intercepts Internet Explorer sessions, steals credentials

By Robert Westervelt, News Editor 28 Oct 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

A new malware variant called Silon is targeting Internet Explorer users, attempting to intercept their sessions and steal credentials.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Researchers at security vendor Trusteer Inc. issued an advisory warning that the Silon Trojan can detect when a user initiates a Web login session in Internet Explorer. It intercepts the login session, encrypts the data and sends it to a command-and-control server where it is collected with credentials from other victims.

In a more sophisticated attack, the Trojan targets people logging into their online bank accounts. New York, N.Y.-based Trusteer said Silon can inject sophisticated dynamic HTML code into the login flow between the user and their bank's Web server. The method involves using a webpage displaying a phony message asking the victim to verify their login details. If the victim complies with the request, the login credentials are sent to the command-and-control server, said Amit Klein, chief technology officer of Trusteer.

Password stealing Trojans: New Trojan stealing FTP credentials, attacking FTP websites: A new Trojan has collected up to 80,000 unique FTP server logins and is injecting malicious code into thousands of FTP websites.  Gumblar Trojan drive-by exploits spike following Adobe update: The FTP harvesting Trojan is spreading through legitimate websites, infecting victims in a series of drive-by attacks targeting Web application vulnerabilities.  Trojan downloaders, droppers skyrocket, Microsoft says: The spread of Trojan horses via downloaders and droppers is multiplying rapidly, infecting nearly 19 million computer users, according to a 2008 Microsoft report.

Even more troubling is Silon's method of taking advantage of hardware tokens to add cybercriminals as new payees to bank accounts. The malware uses code that can steal bank hardware token challenge code credentials. It generates a webpage to lure the user into giving up the challenge code. The fraudsters can then use the credentials to bypass the hardware token challenge and set up a mule account that allows them broad access to transfer funds, Klein said.

"I'm most worried by the level of sophistication that is exhibited in this malware," Klein said. "They employ some cunning techniques combining a bit of social engineering with careful and well executed flood attacks on banks."

Hardware tokens are popular at some European banks, but several financial institutions in the United States use hardware tokens, Klein said. Although Silon represents a tiny fraction of all malware, the Trusteer research team detected it in late September in honeypots located in North America and Europe. Klein estimates that 1 in 1,000 PCs are infected.

It's unclear how machines are being infected by Silon. Klein suspects it could be something as mundane as an infected USB drive or any kind of spam campaign.

SearchSecurity radio:

Trusteer is working with law enforcement to trace the communication lines back to the command-and-control servers. Klein declined to comment on the location of the servers and said researchers have not had access to them to determine the extent of the malware's success.

"It's pretty new malware and we suspect that not all antivirus vendors have started to detect it," Klein said. "Financial malware is somewhat more difficult to detect because it tries to hide itself and not make any unnecessary modifications or give up telltale signs of its existence, because that would undermine its longevity and effectiveness."

Tags: Malware, Viruses, Trojans and Spyware,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware Increase in Gumblar backdoors poses FTP credential problems Hackers to sharpen malware, malicious software in 2010 iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Web Browser Security InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary