Sinowal, The Super-Trojan

Satheesh C B | Thursday, November 20, 2008 | 1 comments

A single computer virus, owned by one criminal gang, has compromised hundreds of thousands of online bank accounts worldwide, according to security experts at the RSA FraudAction Research Lab.

That's Sinowal, a super-Trojan that uses a technique called HTML injection to put ersatz information on your browser's screen. The bad info prompts you to type an account number and/or a password. Of course, Sinowal gathers all the information and sends it back home — over a fancy, secure, encrypted connection, no less.

Sinowal operates like many other viruses – injecting corrupt data into Web pages that are usually known and trusted by the victim, and which attack a computer through loopholes in a Web browser (media players are a popular way in). The virus can then prompt the victim to offer confidential information, such as bank account details. More than 2700 bank and e-commerce sites worldwide have been affected by this one Trojan.

Where it differs is that Sinowal is not only constantly updated with patches to beat security filters; it also stores user data on everyone it infects, which means it requires major data storage facilities.

Sinowal/Mebroot works by infecting Windows XP's Master Boot Record (MBR) — it takes over the tiny program that's used to boot Windows. MBR infections have existed since the dawn of DOS.

Once Sinowal/Mebroot is in your system, the Trojan runs stealthily, loading itself in true rootkit fashion before Windows starts. The worm flies under the radar by running inside the kernel, the lowest level of Windows, where it sets up its own network communication system, whose external data transmissions use 128-bit encryption. The people who run Sinowal/Mebroot have registered thousands of .com, .net, and .biz domains for use in the scheme.

Sinowal/Mebroot cloaks itself entirely and uses no executable files that you can see. The changes it makes to the Registry are very hard to find. Also, there's no driver module in the module list, and no Sinowal/Mebroot-related svchost.exe or rundll32.exe processes appear in the Task Manager's Processes list.
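As an added illustration of the MBR infection described above (example code written for this page, not from the original post or from any vendor tool), the script below parses the classic 512-byte MBR layout and flags a change in the bootstrap code against a SHA-256 baseline recorded while the machine was known clean; the clean and tampered MBRs are constructed inline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code; bytes 440-443 hold the disk signature
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 on a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into the fields a bootkit check cares about."""
    partitions = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "valid_signature": mbr[510:512] == BOOT_SIGNATURE}

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Compare an MBR with a baseline recorded while the system was known clean."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible MBR bootkit)")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    return findings

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for testing; a real check reads sector 0 of the disk."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, entry in enumerate(partitions):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i, *entry)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

# Constructed sample data: a stand-in "clean" bootstrap and a tampered copy of it.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x00")
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
PARTS = [(0x80, 0x07, 2048, 1_000_000)]   # one active NTFS-type partition (constructed)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTS)
TAMPERED_MBR = build_mbr(b"\xeb\x3e" + CLEAN_BOOT_CODE[2:], PARTS)
```

Because the rootkit runs inside the kernel, a live read of sector 0 on an infected machine can be filtered, so the comparison is most trustworthy when the disk is read from trusted boot media.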

Apparently Sinowal has been successful enough to compromise 270,000 bank accounts and 240,000 credit and debit cards across the US, UK, Australia and Poland.

The main method of delivery isn't email spam, though, but hacking websites to insert the malicious code onto visitors' PCs. WordPress blogs have especially become a major target of attack, not least because users fail to keep their software updated with patches.

Your firewall won't help: Sinowal/Mebroot bypasses Windows' normal communication routines, so it works outside your computer's firewall.

Your antivirus program may help, for a while. Time and time again, however, Sinowal/Mebroot's creators have modified the program well enough to escape detection. AV vendors scramble to catch the latest versions, but with one or two new Sinowal/Mebroot iterations being released every month, the vendors are trying to hit a very fleet — and intelligent — target.

You can't rely on rootkit scanners for protection. Even the best rootkit scanners miss some versions of Sinowal/Mebroot.



1 comment:

  1. Hi Spaark,

    Do you know what causes extremely long file names? Have seen some file names as long as 256 letters. I like your understanding and views. Of course, I run my search queries via ProxoMitron 4.5j. I have NIS2008 installed, with Spybot S&D. No trojans, or rootkits detected so far. Go visit "9Down" site. Is it an exploit of long filename buffer overflow?