Trojan Virus Steals Banking Info
A sophisticated cybercrime group that has maintained an especially devious Trojan horse for nearly three years has stolen login credentials of close to 300,000 online bank accounts and almost as many credit cards during that time, according to reports released today by RSA FraudAction Research Lab. The spyware is called Sinowal Trojan, also known as Torpig and Mebroot.
RSA reports that their findings are based on data collected on this Trojan over the course of almost three years—including information regarding its design and its infrastructure. Findings indicate that this may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters, say RSA experts.
Sinowal infects victims' computers without leaving any trace
The details of about 500,000 online bank accounts and credit and debit cards have been stolen by a virus described as "one of the most advanced pieces of crimeware ever created".
The Sinowal trojan has been tracked by RSA, which helps to secure networks in Fortune 500 companies.
RSA said the trojan virus has infected computers all over the planet.
"The effect has been really global with over 2000 domains compromised," said Sean Brady of RSA's security division.
He told the BBC: "This is a serious incident on a very noticeable scale and we have seen an increase in the number of trojans and their variants, particularly in the States and Canada."
RSA's FraudAction Research Lab said it first detected the Windows Sinowal trojan in Feb 2006.
Since then, Mr Brady said, more than 270,000 banking accounts and 240,000 credit and debit cards have been compromised from financial institutions in countries including the US, UK, Australia and Poland.
The lab said no Russian accounts were hit by Sinowal.
"Drive-by downloads"
RSA described Sinowal as "one of the most serious threats to anyone with an internet connection" because it works behind the scenes using a common infection method known as "drive-by downloads".
Users can be infected without knowing it if they visit a website that has been booby-trapped with the Sinowal malicious code.
Mr Brady said the worrying aspect about Sinowal, which is also known as Torpig and Mebroot, is that it has been operating for so long.
"One of the key points of interest about this particular trojan is that it has existed for two and a half years quietly collecting information," he said. "Any IT professional will tell you it costs a lot to maintain and to store the information it is gathering.
"The group behind it have made sure to invest in the infrastructure no doubt because the return and the potential return is so great."
RSA's researchers said the trojan's creators periodically release new variants to ensure it stays ahead of detection and maintain "its uninterrupted grip on infected computers."
While RSA's lab has been tracking the trojan since 2006, Mr Brady admitted that they know a lot about its design and infrastructure but little about who is behind Sinowal.
"There is a lot of talk about where it comes from and anecdotal evidence points to Russia and Eastern Europe. Historically there have been connections with an online gang connected to the Russian Business Network but in reality no one knows for sure."
That, he said, is because the group is able to use the web to cloak its identity.
Infection
In April 2007, researchers at Google discovered hundreds of thousands of web pages that initiated drive-by downloads. It estimated that one in ten of the 4.5 million pages it analysed were suspect.
Sophos reported in 2008 that it was finding more than 6,000 newly infected web pages every day, or about one every 14 seconds.
Since May, Sinowal has compromised over 100,000 online bank accounts
RSA's fraud action team said it noticed a spike in attacks from March through to September this year.
That is backed up by another online security company called Fortinet. It said from July 2008 to September 2008 the number of reported attacks rose from 10m to 30m. This included trojans, viruses, malware, phishing and mass mailings.
"The explosion in the number of attacks is alarming," said Derek Manky of Fortinet.
"But trojans are just one of the players in the game wreaking havoc in cyberspace."
Remedies
While attacks are on the increase, there are some simple steps that users can take to protect their information besides using security software.
"We have a saying here which is 'think before you link,'" said Mr Manky.
"That just means observe where you are going on the web. Be wary of clicking on anything in a high traffic site like social networks.
"A lot of traffic in the eyes of cyber criminals means these sites are a target because to these people more traffic means more money," he said.
The rate at which Sinowal has been compromising online bank accounts
RSA also urged users to be wary if their bank started asking for different forms of authentication such as a social security number or other details.
"People think not clicking on a pop up or an attachment means they are safe. What people don't realise now is that just visiting a website is good enough to infect them."
RSA said it is co-operating with banks and financial institutions the world over to tell them about Sinowal. It has passed information about the virus to law enforcement agencies.
http://news.bbc.co.uk/2/hi/technology/7701227.stm
ADDITIONAL READING
RSA Cracks Down on Legendary Sinowal Trojan
Several financial institutions hit by the professionally maintained Trojan.
October 31, 2008
By Richard Adhikari
The RSA FraudAction Research Laboratory is putting the pressure on the notorious Sinowal Trojan.
According to the laboratory, this Trojan, which it says is also known as Torpig and Mebroot, has stolen and compromised login credentials from about 500,000 online bank accounts and credit and debit cards over the course of nearly three years. It has also stolen and compromised other information such as e-mail and FTP accounts from many Websites, RSA claimed.
The laboratory is upping its efforts now that it knows more about Sinowal's source. The company shared analysis today suggesting that Sinowal had strong ties to the infamous Russian Business Network cybercriminal gang, but is no longer connected. The Russian Business Network, a major perpetrator of phishing attacks, is believed to have resurfaced in China after going underground for a while.
Meanwhile, Sinowal's longevity has researchers paying attention. "The average Trojan drop site has a lifecycle of a few days or weeks, but this has been collecting credentials all the way back to 2006, which makes it ancient," Sean Brady, RSA's manager of identity protection, told InternetNews.com.
The Trojan's developers are highly professional, Brady said. They are building a redundant infrastructure and mirroring data across many sites to ensure high availability. "Its developers bring a perspective to it that correlates with how any business manages its IT infrastructure," Brady said.
Security vendors and practitioners have known about Sinowal for a long time, but have not been able to do much to stop it, Brady said.
About Sinowal's longevity
The Trojan is technologically very advanced, Brady said. It installs itself on a computer's master boot record, so it is very hard to find on the hard drive and to get rid of.
Sinowal is also difficult to detect in action. It is polymorphic, meaning that it does not have a strict signature that antivirus companies can readily latch on to.
Growing like Topsy
One of the most startling features of Sinowal is that it has 2,700 URL triggers built into it, Brady said. That gives it a wide scope of attack, and the Trojan has stolen or compromised data of customers of hundreds of financial regions everywhere in the world except Russia, the laboratory said.
Also, Sinowal has been evolving at a dramatic pace, and the laboratory said its rate of attacks spiked upwards from March through September. During that period, it compromised and stole login credentials and other information from more than 100,000 online bank accounts, the laboratory said.
The Trojan's creators periodically release new variants and register thousands of Internet domains so it can maintain its grip on computers it has infected, the laboratory said. When one domain is closed down, it shunts to another.
Like other Trojans, Sinowal uses an HTML injection feature that injects new Web pages or information fields into the affected victim's browser. These injections seem like legitimate pages to the victim, but capture the victim's data and send that back to the fraudster's Web site, Brady said.
RSA has notified U.S. federal law enforcement agencies and notified those affected by Sinowal.
WHAT DOES THE VIRUS DO
Trojan-PSW.Win32.Sinowal.b
Detection added: Mar 20 2006 05:23 GMT
Description added: May 09 2006
Behavior
This program belongs to the family of password-stealing Trojans. When activated, the Trojan installs itself to the system as the following files:
%System%\ibm<5>.dll
%System%\ibm<5>.exe
%System%\ibm<5>.dll
The *.exe file will be registered in the system registry in order to ensure that it is launched each time Windows is rebooted on the victim machine.
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Shell="%System%\ibm<5>.exe"
It also modifies the following registry entry for its autostart, from:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell="explorer.exe"
to:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell="explorer.exe %System%\ibm<5>.exe"
This Trojan has the following functions:
- access the Internet and communicate with a remote server via HTTP
- steal information (like user names and passwords) from the infected machine
- send the stolen information to a remote server
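An added defender-side check, written for this page and not taken from the virus description or any of the quoted sources, that reads the two autostart locations listed above and looks in %System% for files named like the dropped components. It assumes the ibm<5> placeholder stands for five arbitrary characters (the regex is an assumption) and that a standard Windows desktop uses exactly explorer.exe as the Winlogon Shell value:

```powershell
# Collects findings instead of changing anything; review the output before acting.
$findings = @()

# 1. Winlogon Shell: the description shows the Trojan appending its .exe to
#    "explorer.exe". On a default desktop the value is exactly "explorer.exe";
#    kiosk or custom-shell builds may legitimately differ, so treat this as a lead.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings += [pscustomobject]@{
        Location = "$winlogon\Shell"; Value = $shell
        Reason   = 'Shell value is not exactly explorer.exe'
    }
}

# 2. Per-user Run key: the description shows a "Shell" value pointing at the
#    dropped .exe. Flag entries whose data matches the assumed ibm<5> naming,
#    and note any other Run entry that launches something from System32.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $reason = $null
        if ([string]$_.Value -imatch 'ibm.{5}\.(exe|dll)') {
            $reason = 'matches the ibm<5> naming from the Sinowal description (assumed regex)'
        } elseif ([string]$_.Value -imatch '\\System32\\') {
            $reason = 'autostart launching a binary from System32 (review manually)'
        }
        if ($reason) {
            $findings += [pscustomobject]@{
                Location = "$runKey\$($_.Name)"; Value = $_.Value; Reason = $reason
            }
        }
    }
}

# 3. On-disk check for the dropped file names in %System% (same assumed regex).
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter 'ibm*' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -imatch '^ibm.{5}\.(exe|dll)$' } | ForEach-Object {
        $findings += [pscustomobject]@{
            Location = $_.FullName; Value = $_.Length; Reason = 'file named like the ibm<5> dropper'
        }
    }

if ($findings.Count -eq 0) { 'No Sinowal-style autostart indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session so the HKLM Winlogon key and System32 listing are readable; the script only reports and deletes nothing.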
VIRUS REMOVAL METHOD
Method posted on the web, not tested (try at your own risk)
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
LINKS
http://www.rsa.com/blog/blog_entry.aspx?id=1378
http://forums.techguy.org/malware-removal-hijackthis-logs/584511-solved-trojan-sinowal.html
http://www.viruslist.com/en/viruses/encyclopedia?virusid=115539
http://www.internetnews.com/security/article.php/3782221/RSA+Cracks+Down+on+Legendary+Sinowal+Trojan.htm