In association with heise online

03 November 2008, 14:24

Trojan steals access data for 300,000 bank accounts


RSA FraudAction Research Lab reports that Sinowal, alias Torpig and Mebroot, currently the most devious banking trojan, has over the last six months succeeded in stealing the login data for more than one hundred thousand accounts. Among virus specialists, Sinowal is known as a highly developed trojan that intercepts credit-card data and FTP accounts, as well as information about bank accounts. During the past three years, using various versions of Sinowal, the authors of the trojan are reported to have succeeded in grabbing data relating to more than 300,000 different accounts and sending them to a database.

Sinowal injects its own code into the web pages shown in the user's browser so that it can capture the relevant details when the user visits a page it recognises. It is said to be able to recognise and react to the URLs of around 2700 international banks and providers of financial services. RSA says that precisely how it manages to infect systems cannot be traced. It is probably distributed via infected web sites, among other channels; in mid-2007 it was spread using MPack, a web-attack toolkit. Analyses by Kaspersky say it uses rootkit techniques to hide itself in a system, writing itself into the MBR of the hard disk so that it becomes active as soon as the computer is booted up.

RSA says the most remarkable feature of this trojan is that its authors have managed to maintain the communications infrastructure between the trojan and its database for as long as three years, registering several thousand domains to look after Sinowal's communications. Although the RSA report does not say so, the trojan probably uses what are known as fast-flux service networks.

The precise origin of Sinowal, and the identity of its present masters, can only be speculated on. It was originally thought to be operated by Russian criminals linked to the infamous Russian Business Network (RBN), but, since the infrastructure that supported the RBN is no longer in place, this is not now thought to be the case. RSA wants others to know the results of its observations, and says it has also informed the authorities responsible for investigating crime.
