Undetectable Sinowal/Torpig Trojan Steals More Than 300,000 Bank Accounts
Security researchers at RSA’s FraudAction Research Lab have uncovered how a banking Trojan may have stolen the login credentials of as many as 300,000 online bank accounts. The Sinowal (AKA Torpig or Mebroot) trojan has also stole email and FTP account login details. Previous attempts to track the source of the Trojan were unsuccessful.
The haul of bank, credit, and debit card account numbers stolen by the Sinowal trojan is among the largest ever discovered. The program has been operating non-stop for almost three years, an unusually long time in the fly-by-night world of cybercrime.
One popular theory is that the malware authors behind the trojan are in the same gang as the group who ran the infamous Russian Business Network (RBN). RSA’s analysis suggests that the authors of Sinowal may have been at least affiliated with the Storm worm gang in the past but are now running the malware through hosting facilities unaffiliated to the RBN.
Sinowal has only managed to become more productive over time. In the past six months, it has compromised more than 100,000 accounts. Since February, the number of variants has spiked, from fewer than 25 per month to more than 70, according to RSA. The increase helps the malware evade detection by anti-virus programs.
In all, the trojan has infected at least 300,000 Windows machines and stolen 270,000 online banking account numbers and 240,000 credit and debit credentials. Unlike many trojans, it doesn’t rely on tricking the end user into clicking on a link or file to get installed. Rather, it spreads silently via websites that prey on unpatched vulnerabilities in the Windows operating system or in third-party applications, such as Adobe Flash and Apple’s QuickTime media player.
“This particular trojan can get installed without even awareness of the end-user that they have agreed to anything or that anything has been installed,” Sean Brady, manager of identity protection at RSA, said in an interview. Sinowal sits dormant on a machine until a user points a browser at the website of a bank or other financial institution. Then an HTML injection engine adds fields to the website’s login page that prompt victims to enter social security numbers, passwords, and other credentials. Once entered, the information is transmitted to a server under the control of the malware authors. The injection mechanism is triggered by more than 2,700 different web addresses.
It then hides itself on a computer’s master boot record, making the infection extremely difficult to find. About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system.
RSA is in liaison with computer emergency response teams and other appropriate parties in an effort to take down the network controlled by the Sinowal trojan. The malware, variants of which first appeared in 2006, takes considerable pains to conceal its presence on compromised machines.
In addition, the communication infrastructure behind the trojan is sophisticated and well maintained. Little is known about the group responsible for Sinowal, but at least one clue suggests the group has ties to Russia: While the trojan targets institutions in dozens of countries in North America, Europe and Asia, none were located in Russia.
“The creators of the Sinowal Trojan periodically release new variants and register thousands of Internet domains for its communication resources. The purpose of this is to maintain the Trojan’s uninterrupted grip on infected computers,” a posting on the RSA security blog explains.
RSA has shared the data it discovered with affected banks in the hopes they will notify customers who are infected.
More on CyberInsecure:
Print This Post
Posts
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.