Silon malware intercepts Internet Explorer sessions, steals credentials

A new malware variant called Silon is targeting Internet Explorer users, attempting to intercept their sessions and steal credentials.

Researchers at security vendor Trusteer Inc. issued an advisory warning that the Silon Trojan can detect when a user initiates a Web login session in Internet Explorer. It intercepts the login session, encrypts the data and sends it to a command-and-control server where it is collected with credentials from other victims.

In a more sophisticated attack, the Trojan targets people logging into their online bank accounts. New York, N.Y.-based Trusteer said Silon can inject sophisticated dynamic HTML code into the login flow between the user and their bank's Web server. The method involves using a webpage displaying a phony message asking the victim to verify their login details. If the victim complies with the request, the login credentials are sent to the command-and-control server, said Amit Klein, chief technology officer of Trusteer.

Password stealing Trojans: New Trojan stealing FTP credentials, attacking FTP websites: A new Trojan has collected up to 80,000 unique FTP server logins and is injecting malicious code into thousands of FTP websites.  Gumblar Trojan drive-by exploits spike following Adobe update: The FTP harvesting Trojan is spreading through legitimate websites, infecting victims in a series of drive-by attacks targeting Web application vulnerabilities.  Trojan downloaders, droppers skyrocket, Microsoft says: The spread of Trojan horses via downloaders and droppers is multiplying rapidly, infecting nearly 19 million computer users, according to a 2008 Microsoft report.

Even more troubling is Silon's method of taking advantage of hardware tokens to add cybercriminals as new payees to bank accounts. The malware uses code that can steal bank hardware token challenge code credentials. It generates a webpage to lure the user into giving up the challenge code. The fraudsters can then use the credentials to bypass the hardware token challenge and set up a mule account that allows them broad access to transfer funds, Klein said.

"I'm most worried by the level of sophistication that is exhibited in this malware," Klein said. "They employ some cunning techniques combining a bit of social engineering with careful and well executed flood attacks on banks."

Hardware tokens are popular at some European banks, but several financial institutions in the United States use hardware tokens, Klein said. Although Silon represents a tiny fraction of all malware, the Trusteer research team detected it in late September in honeypots located in North America and Europe. Klein estimates that 1 in 1,000 PCs are infected.

It's unclear how machines are being infected by Silon. Klein suspects it could be something as mundane as an infected USB drive or any kind of spam campaign.

SearchSecurity radio:

Trusteer is working with law enforcement to trace the communication lines back to the command-and-control servers. Klein declined to comment on the location of the servers and said researchers have not had access to them to determine the extent of the malware's success.

"It's pretty new malware and we suspect that not all antivirus vendors have started to detect it," Klein said. "Financial malware is somewhat more difficult to detect because it tries to hide itself and not make any unnecessary modifications or give up telltale signs of its existence, because that would undermine its longevity and effectiveness."