Trojan Virus Steals Banking Info


A sophisticated cybercrime group that has maintained an especially devious Trojan horse for nearly three years has stolen login credentials of close to 300,000 online bank accounts and almost as many credit cards during that time, according to reports released today by RSA FraudAction Research Lab. The spyware is called Sinowal Trojan, also known as Torpig and Mebroot.


RSA reports that their findings are based on data collected on this Trojan over the course of almost three years—including information regarding its design and its infrastructure. Findings indicate that this may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters, say RSA experts.






Sinowal infects victims' computers without leaving any trace



The details of about 500,000 online bank accounts and credit and debit cards have been stolen by a virus described as "one of the most advanced pieces of crimeware ever created".
The Sinowal trojan has been tracked by RSA, which helps to secure networks in Fortune 500 companies.
RSA said the trojan virus has infected computers all over the planet.
"The effect has been really global with over 2000 domains compromised," said Sean Brady of RSA's security division.
He told the BBC: "This is a serious incident on a very noticeable scale and we have seen an increase in the number of trojans and their variants, particularly in the States and Canada."
The RSA's Fraud Action Research Lab said it first detected the Windows Sinowal trojan in Feb 2006.
Since then, Mr Brady said, more than 270,000 banking accounts and 240,000 credit and debit cards have been compromised from financial institutions in countries including the US, UK, Australia and Poland.
The lab said no Russian accounts were hit by Sinowal.
"Drive-by downloads"
RSA described the Sinowal as "one of the most serious threats to anyone with an internet connection" because it works behind the scenes using a common infection method known as "drive-by downloads"."

Sinowal has been constantly updated with new variants

Users can get infected without knowing if they visit a website that has been booby-trapped with the Sinowal malicious code.
Mr Brady said the worrying aspect about Sinowal, which is also known as Torpig and Mebroot, is that it has been operating for so long.
"One of the key points of interest about this particular trojan is that it has existed for two and a half years quietly collecting information," he said. "Any IT professional will tell you it costs a lot to maintain and to store the information it is gathering.
"The group behind it have made sure to invest in the infrastructure no doubt because the return and the potential return is so great."
RSA's researchers said the trojan's creators periodically release new variants to ensure it stays ahead of detection and maintain "its uninterrupted grip on infected computers."
While RSA's lab has been tracking the trojan since 2006, Mr Brady admitted that they know a lot about its design and infrastructure but little about who is behind Sinowal.
"There is a lot of talk about where it comes from and anecdotal evidence points to Russia and Eastern Europe. Historically there have been connections with an online gang connected to the Russian Business Network but in reality no one knows for sure."
That he said is because the group is able to use the web to cloak its identity.
Infection
In April 2007, researchers at Google discovered hundreds of thousands of web pages that initiated drive-by downloads. It estimated that one in ten of the 4.5 million pages it analysed were suspect.
Sophos researchers reported in 2008 it was finding more than 6,000 newly infected web pages every day, or about one every 14 seconds.

Since May, Sinowal has compromised over 100,000 online bank accounts



RSA's fraud action team said it noticed a spike in attacks from March through to September this year.
That is backed up by another online security company called Fortinet. It said from July 2008 to September 2008 the number of reported attacks rose from 10m to 30m. This included trojans, viruses, malware, phishing and mass mailings.
"The explosion in the number of attacks is alarming," said Derek Manky of Fortinet.
"But trojans are just one of the players in the game wreaking havoc in cyberspace."
Remedies
While attacks are on the increase, there are some simple steps that users can take to protect their information besides using security software.
"We have a saying here which is 'think before you link,'" said Mr Manky.
"That just means observe where you are going on the web. Be wary of clicking on anything in a high traffic site like social networks.
"A lot of traffic in the eyes of cyber criminals means these sites are a target because to these people more traffic means more money," he said.

The rate at which Sinowal has been compromising online bank accounts



RSA also urged users to be wary if their bank started asking for different forms of authentication such as a social security number or other details.
"People think not clicking on a pop up or an attachment means they are safe. What people don't realise now is that just visiting a website is good enough to infect them."
RSA said it is co-operating with banks and financial institutions the world over to tell them about Sinowal. It has passed information about the virus to law enforcement agencies.
http://news.bbc.co.uk/2/hi/technology/7701227.stm


ADDITIONAL READING



RSA Cracks Down on Legendary Sinowal Trojan

Several financial institutions hit by the professionally maintained Trojan.

October 31, 2008
By Richard Adhikari: http://www.internetnews.com/img/redesign2008/images/text.gifMore stories by this author:

The RSA FraudAction Research Laboratory is putting the pressure on the notorious Sinowal Trojan (define).

According to the laboratory, this Trojan, which it says is also known as Torpig and Mebroot, has stolen and compromised login credentials from about 500,000 online bank accounts and credit and debit cards over the course of nearly three years. It has also stolen and compromised other information such as e-mail and FTP accounts from many Websites, RSA claimed.

Now, the laboratory is upping its efforts now that it knows more about Sinowal's source. The company shared its analysis today that suggests Sinowal had strong ties to the infamous Russian Business Network cybercriminal gang, but is no longer connected. The Russian Business Network, a major perpetrator of phishing (define) attacks, is believed to have resurfaced in China after going underground for awhile.

Meanwhile, Sinowal's longevity has researchers paying attention. "The average Trojan drop site has a lifecycle of a few days or weeks, but this has been collecting credentials all the way back to 2006, which makes it ancient," Sean Brady, RSA's manager of identity protection, told InternetNews.com.

The Trojan's developers are highly professional, Brady said. They are building a redundant infrastructure and mirroring data across many sites to ensure high availability. "Its developers bring a perspective to it that correlates with how any business manages its IT infrastructure," Brady said.

Security vendors and practitioners have known about Sinowal for a long time, but have not been able to do much to stop it, Brady said.

About Sinowal's longevity

The Trojan is technologically very advanced, Brady said. It installs itself on a computer's master boot record so it is very hard to find on the hard drive and to get rid of, Brady said.

Sinowal is also difficult to detect in action. It is polymorphic, meaning that it does not have a strict signature that antivirus companies can readily latch on to.

Growing like Topsy

One of the most startling features of Sinowal is that it has 2,700 URL triggers built into it, Brady said. That gives it a wide scope of attack, and the Trojan has stolen or compromised data of customers of hundreds of financial regions everywhere in the world except Russia, the laboratory said.

Also, Sinowal has been evolving at a dramatic pace, and the laboratory said its rate of attacks spiked upwards from March through September. During that period, it compromised and stole login credentials and other information from more than 100,000 online bank accounts, the laboratory said.

The Trojan's creators periodically release new variants and register thousands of Internet domains so it can maintain its grip on computers it has infected, the laboratory said. When one domain is closed down, it shunts to another.

Like other Trojans, Sinowal uses an HTML injection feature that injects new Web pages or information fields into the affected victim's browser. These injections seem like legitimate pages to the victim, but capture the victim's data and send that back to the fraudster's Web site, Brady said.

RSA has notified U.S. federal law enforcement agencies and notified those affected by Sinowal.

Education is the best defense against Trojans, Brady said. "You can shut down infection points, but that's like playing Whack-a-Mole," he said. "The most important thing is to educate consumers as to the dangers of going to sites they are not supposed to, and of clicking on links in spam e-mails they receive."

WHAT DOES THE VIRUS DO


Trojan-PSW.Win32.Sinowal.b

Detection added

Mar 20 2006 05:23 GMT

Description added

May 09 2006

Behavior

PSW Trojan

Technical details

This program belongs to the family of password-stealing Trojans. When activated, the Trojan installs itself to the system.

%System%\ibm<5>.dll
%System%\ibm<5>.exe
%System%\ibm<5>.dll

The *.exe file will be registered in the system registry in order to ensure that it is launched each time Windows is rebooted on the victim machine.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Shell="%System%\ibm<5>.exe"

It also modifies the following registry entry for its autostart, from:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell="explorer.exe"

to:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell="explorer.exe %System%\ibm<5>.exe"

Payload

This Trojan has the following functions:

  • access the Internet and communicate with a remote server via HTTP
  • steal information (like user names and passwords) from the infected machine
  • send the stolen information to a remote server

VIRUS REMOVAL METHOD –

Method posted on web---not tested (try at ur own risk)

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

LINKS



http://www.rsa.com/blog/blog_entry.aspx?id=1378

http://forums.techguy.org/malware-removal-hijackthis-logs/584511-solved-trojan-sinowal.html

http://www.viruslist.com/en/viruses/encyclopedia?virusid=115539

http://www.internetnews.com/security/article.php/3782221/RSA+Cracks+Down+on+Legendary+Sinowal+Trojan.htm

Comments

Post a Comment

Popular posts from this blog

VITZ “INSERT MAP CD” SOLUTION

Image
By   Moonis ( zaitron )   on   December 3, 2010 For those of you who have a JDM navigation system installed in their Toyota (vitz, belta, axio, etc) and get the following message on their navigation system “INSERT MAP CD”, i have the solution for you. All that the system needs is a boot CD that will bypass this message. After that you will be able to use most of the features of the system like controlling the treble/base, maintenance log, etc. Everything, apart from the actual GPS navigation will be activated (for that, you require a map file of Pakistan, which unfortunately isn’t available for any system apart from Garmin). Usually you can go to the market (audio stores) and pay Rs.500-2000 for them to unlock your system. Instructions: First thing you need to do is to know the model number of the system you have installed in your car, for eg, NDCN W55 etc. (Model number is usually written at the bottom right of the unit). After that, download the file from mega
Read more

Make ready your horses !

Image
Assalam o alaikum, I just wanted to share a thought that has come to my mind regarding war in which nuclear weapons could be used. I might be wrong in my perception but I just thought to share it and get valued opinions of the members. Quran says: "Tayyar rakho apni taqat aur apni quwwat aur zara-e-jang ke sath, takey HAIBAT tari ho jaey unke dilon per jo dushman hen Allah ke aur tumharey dushman" I have highlighted the word 'Haibat'. It means to strike terror into the hearts. Being a muslim it's our firm belief that every single word of Quran is full wisdom. Quran talks not about 'destruction' of the enemies. It does not say that we should be equiped with modern weaponary so that our enemy is 'Destroyed' by it. It says that we should be equiped so that we can strike terror into the hearts of our enemies. If we observe, this is exactly what has stopped India from attacking Pakistan on a number of occassions. E.g. After attac
Read more

Halal and Haram in Chocolates and Ice Creams

Image
HALAL & HARAM DIRECTORY O believers ! Eat of the good things that We have provided you with and give thanks to Allah. (2: 172) Though thorough research has gone into producing this guideline, it is by no means complete and only covers the common products as it is very difficult to obtain exactly the listing of halal and haram ingredients present in all products. Also, companies are constantly changing their product ingredients and Muslims should always be aware that what is originally certified halal might in the future be haram and vice versa. Due to aggressive campaigning by The Vegetarian Society, UK, most products now display their symbol ‘Suitable For Vegetarians’ which means that there is NO animal content in that particular product, making it halal. However, a product can still contain alcohol, making it haram . Please check. Points to note: · Medicine containing alcohol is not permissible unless on authority of a doctor with no alternative med
Read more