Tilon-son of Silon
(Publication) Google search: [1]
Tilon-son of Silon | |
---|---|
Botnet | Tilon, Silon |
Malware | |
Botnet/malware group | |
Exploit kits | |
Services | |
Feature | |
Distribution vector | |
Target | |
Origin | |
Campaign | |
Operation/Working group | |
Vulnerability | |
CCProtocol | |
Date | 2012 / 9 aug2012 |
Editor/Conference | Trusteer |
Link | http://www.trusteer.com/blog/tilon-son-of-silon (Archive copy) |
Author | Amit Klein |
Type |
Abstract
“ So-what does it do? Tilon is a financial malware that employs the “Man in the Browser” (MitB) approach. It injects itself into the browser (it has an impressive list of supported browsers – Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and probably others) and then fully controls the traffic from the browser to the web server, and vice versa. It captures all form submissions (“form grabbing”) from the browser to the web server, logs them and sends them to its command and control (C&C) server, thereby gaining access to all login credentials, transactions, etc. More interestingly perhaps, it controls the traffic (web pages) from the web server to the browser, and through a sophisticated “search and replace” mechanism it targets specific URLs and replaces parts (small and large) of the pages with its own text.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1133, editor = {Trusteer}, author = {Amit Klein}, title = {Tilon-son of Silon}, date = {09}, month = Aug, year = {2012}, howpublished = {\url{http://www.trusteer.com/blog/tilon-son-of-silon}}, }