
The Very Capable Win32.Silon Information Thief

by sharpe on May.12, 2010, under Malware, Security

The Win32.Silon information thief (hereafter referenced as Silon) is a relatively new information stealer, which surfaced in early 2009. It has the ability to steal log-in information and commit financial fraud via many popular online banks. Currently it has been seen in the following two versions (dubbed by CSIS):

  • Win32/Silon.A (SA)
  • Win32/Silon.B (SB)

Because the malware has no installation functionality of its own, it relies on installers and other pay-per-install services to set up an infected environment. For Silon to function properly, the installer must do the following:

  • Create the registry key: HKEY_CLASSES_ROOT\CLSID\{<value calculated based on the vol ID>}\InprocServer32
  • Add required values to the above key (presented below)
  • Drop the Silon payload to %systemroot%\system32\msjet51.dll (SA) or %systemroot%\system32\msls50.dll (SB)
  • Alter the predefined value specified in HKEY_CLASSES_ROOT\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InprocServer32\(Default) so it points to the Silon payload (originally set to C:\WINDOWS\system32\msimtf.dll)

The above information can of course also be used when checking a machine for the presence of Silon. That's more or less the whole install. When Internet Explorer is run, the Silon module is loaded instead of the module originally registered under that CLSID, so Silon runs within the context of the Internet Explorer process. Upon execution, the Silon module throws more than 28000 exceptions in an attempt to cause analysis confusion, using the lock xor eax,eax instruction (a lock prefix on a register-only operand is an invalid encoding, so every execution of it faults). The exception handler is responsible for decrementing a counter, initially set to 6E00h/28160d (the number of exceptions), until it is equal to zero.

I have implemented a simplified version of the mentioned exception joy in challenge nine, so if you’re curious about how it works, debug challenge nine (79).

Eventually, RtlAllocateHeap is called to allocate heap space into which the encrypted instructions are written. This encrypted data is then xor'ed with the static dword key DC887163h and rolled to the right (ror) by the hex value 39h. If you step into this loop and follow it for a few iterations, you will see the decrypted executable (MZ…) begin to take form. The decrypted code is then copied to the original entry point of the executable; once the copying is done, the module is unprotected.
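As an added example (not code from the post or from the malware), here is a small Python decoder for the xor/ror step described above, the kind of helper an analyst writes to recover the unpacked image from a heap dump without single-stepping the loop. It assumes the transform runs per little-endian dword with the xor applied before the rotate, and that a 32-bit ror by 39h behaves as the CPU executes it, i.e. with the count masked to 5 bits (a rotate by 25). The sample buffer is constructed here by applying the inverse transform to a tiny MZ-prefixed stub; it is not data from a real Silon sample.

```python
import struct

XOR_KEY = 0xDC887163   # static dword key named in the post
ROR_COUNT = 0x39       # rotate count named in the post (masked to 25 on a 32-bit ror)
MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right; x86 masks the count to 5 bits, so 0x39 acts as 25."""
    count &= 0x1F
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def rol32(value, count):
    """Rotate a 32-bit value left (inverse of ror32 for the same count)."""
    count &= 0x1F
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32


def decode_silon_block(data):
    """Undo the packer step: xor each little-endian dword with the key, then ror by 0x39.

    Assumption: the loop works on dword granularity, xor first, rotate second.
    """
    if len(data) % 4:
        raise ValueError("expected dword-aligned data")
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", data):
        out += struct.pack("<I", ror32(dword ^ XOR_KEY, ROR_COUNT))
    return bytes(out)


def encode_silon_block(plain):
    """Inverse transform (rol then xor); used here only to build the constructed sample."""
    if len(plain) % 4:
        raise ValueError("expected dword-aligned data")
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", plain):
        out += struct.pack("<I", rol32(dword, ROR_COUNT) ^ XOR_KEY)
    return bytes(out)


def looks_like_mz(data):
    """Quick sanity check: a PE image starts with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


# Constructed stub: DOS header magic followed by a few arbitrary header dwords.
SAMPLE_PLAIN = b"MZ\x90\x00" + b"\x03\x00\x00\x00" + b"\x04\x00\x00\x00" + b"\xff\xff\x00\x00"
# Constructed "encrypted" buffer, i.e. what the heap would hold before the loop runs.
SAMPLE_ENCRYPTED = encode_silon_block(SAMPLE_PLAIN)


if __name__ == "__main__":
    print("encrypted:", SAMPLE_ENCRYPTED.hex(" "), "MZ?", looks_like_mz(SAMPLE_ENCRYPTED))
    decoded = decode_silon_block(SAMPLE_ENCRYPTED)
    print("decoded:  ", decoded.hex(" "), "MZ?", looks_like_mz(decoded))
```

If the real loop turns out to rotate before xoring, or to work on a different word size, swapping the two operations inside decode_silon_block is a one-line change; the MZ check on the first dword tells you immediately whether the guess was right.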

Silon has some nice functionality, including API patching, which lets it handle calls to wininet.dll-specific APIs before the called API itself runs. Application data is then at the disposal of the malware until code execution returns to the called API. Silon patches the following APIs:

  • InternetCloseHandle
  • HttpQueryInfoA
  • InternetReadFile
  • InternetQueryDataAvailable
  • HttpSendRequestA
  • InternetSetStatusCallBackA
  • InternetQueryOptionA
  • HttpSendRequestW
  • InternetReadFileExW
  • InternetReadFileExA

Data intercepted via the patched APIs is logged locally in the %systemroot%\Temp directory before being sent to the drop servers; the file name is the current computer's volume ID with the hyphen removed. All configuration and drop-site information is stored in the registry under the previously mentioned key in encrypted (RC4) form, as illustrated in the screen-dump below (truncated due to file size):

The following explains, by value name, the encrypted data written to the registry by the installer:

  • 0: Injected HTML data (e.g. fields and forms)
  • 1: Command & Control
  • 3: Control data
  • 4: Control data
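As an added example (not from the post), here is a Python checker that turns the installer artifacts listed earlier and the value names just described into a triage script run over a .reg export of HKEY_CLASSES_ROOT\CLSID. The export text is constructed for the example: the second CLSID is a placeholder standing in for the volume-ID-derived key the post describes, and treating 0, 1, 3 and 4 as named registry values under that key's InprocServer32 subkey is my reading of the post. The log-file name derivation follows the post (volume ID, hyphen removed).

```python
import re

# Indicators taken from the post
HIJACKED_CLSID = "{50D5107A-D278-4871-8989-F4CEAAF59CFC}"
EXPECTED_DEFAULT = r"C:\WINDOWS\system32\msimtf.dll"
PAYLOAD_NAMES = {"msjet51.dll": "Win32/Silon.A", "msls50.dll": "Win32/Silon.B"}
CONFIG_VALUE_NAMES = {"0", "1", "3", "4"}  # assumption: stored as named values

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?P<name>[^"]*)")=(?P<data>.*)$')


def parse_reg_export(text):
    """Minimal parser for the .reg text format: returns {key: {value_name: raw_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group("name")
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
            keys[current][name] = data
    return keys


def find_silon_indicators(keys):
    """Return human-readable findings for each InprocServer32 key that matches the post."""
    findings = []
    for key, values in keys.items():
        parts = key.split("\\")
        if len(parts) < 4 or parts[1].upper() != "CLSID" or parts[-1].lower() != "inprocserver32":
            continue
        clsid = parts[2].upper()
        default = values.get("(Default)", "")
        # 1. The msimtf.dll COM server no longer points at its original module.
        if clsid == HIJACKED_CLSID and default.lower() != EXPECTED_DEFAULT.lower():
            module = default.rsplit("\\", 1)[-1].lower()
            variant = PAYLOAD_NAMES.get(module, "unknown payload")
            findings.append(f"{key}: default redirected to {default} ({variant})")
        # 2. A CLSID key carrying the 0/1/3/4 value slots used for the RC4 config.
        if CONFIG_VALUE_NAMES <= set(values):
            findings.append(f"{key}: carries value slots 0/1/3/4 (possible Silon config store)")
    return findings


def expected_log_name(volume_serial):
    """Silon logs under %systemroot%\\Temp using the volume ID without its hyphen."""
    return volume_serial.replace("-", "").upper()


# Constructed export: one hijacked msimtf CLSID, one placeholder config key, one benign key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InprocServer32]
@="C:\\WINDOWS\\system32\\msjet51.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\system32\\msjet51.dll"
"0"=hex:1a,2b,3c
"1"=hex:4d,5e
"3"=hex:6f
"4"=hex:70

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
'''


if __name__ == "__main__":
    for finding in find_silon_indicators(parse_reg_export(SAMPLE_REG)):
        print(finding)
    print("expected log file:", r"%systemroot%\Temp\{}".format(expected_log_name("1A2B-3C4D")))
```

Export the hive with reg export HKCR\CLSID clsid.reg on the suspect machine and feed the file to parse_reg_export; the default-value check alone catches both variants, while the 0/1/3/4 check is what locates the volume-ID-derived key whose name you cannot predict in advance.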

The Silon gang mean business, so we can expect to see some new versions in the future.
