One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts

The RSA FraudAction Research Lab would like to share its startling findings based on its tracking and research of the Sinowal Trojan, also known as Torpig and Mebroot. Our findings based on the data we have collected on this Trojan over the course of almost three years – including information regarding its design and its infrastructure – indicate that this may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters.

We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information, such as email and FTP accounts for numerous websites, has also been compromised and stolen.

Sinowal has been the subject of rumor and speculation in the industry, and little is known about its source. There is generally more known about the sources of other Trojans. Some have alleged that it was owned and operated by a Russian online gang with past ties to the infamous Russian Business Network (RBN). Our data confirms the Sinowal Trojan has had strong ties to the RBN in the past, but our research indicates that the current hosting facilities of Sinowal may have changed and are no longer connected to the RBN.

So, why is Sinowal one of the most serious threats to anyone with an Internet connection?
Simply put, Sinowal infects victims’ computers without leaving even an inkling of a trace. The criminals behind Sinowal have not only created highly advanced and malicious crimeware, but have also maintained one of the most hidden and reliable communication infrastructures we have seen. This infrastructure has been designed to keep Sinowal collecting and transmitting information for almost three years. In addition, the stolen data has been methodically organized within a well-structured repository. Almost three years is a very, very long time for a single online gang to maintain the lifecycle and operations needed to keep just one Trojan effective.

Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006. And in addition to its longevity, Sinowal has also been evolving at a dramatic pace – its rate of attacks spiked upwards from March through September of this year.

The creators of the Sinowal Trojan periodically release new variants and register thousands of Internet domains for its communication resources. The purpose of this is to maintain the Trojan’s uninterrupted grip on infected computers. This diagram (see below) shows the rate at which the creators of the Sinowal Trojan have been creating new variants.

[Graph: rate at which new Sinowal variants have been created]

Our findings on how Sinowal operates
Like other Trojans, Sinowal uses an HTML injection feature that injects new Web pages or information fields into the victim’s Internet browser – and these injections look like legitimate pages to the victim. As just one example, Sinowal can falsely prompt an unsuspecting victim for personal information such as a social security number and other details which their bank has pledged never to request online. Even though a prompt like this is not a novel approach to stealing credentials and other information, what struck us most was the number of URL "triggers" that cause Sinowal to launch this prompt and other functions: Sinowal is triggered by more than 2,700 specific URLs, which means that this Trojan quickly moves into action when users access the websites of what are now hundreds of financial institutions worldwide.

The sheer volume of data stolen by Sinowal is extraordinary
Just a single Trojan, operated by just one group of fraudsters, has been able to infect hundreds of thousands of computers, compromising and stealing information from their users’ accounts.

The compromised data belongs to customers of hundreds of financial institutions within many regions of the world. We have seen affected financial institutions within North America (both the United States and Canada), Europe (United Kingdom, France, Spain, Germany, the Netherlands, Italy and others), Asia Pacific (Australia, China, Malaysia, and others) as well as some countries in Latin America. However, we found that no Russian accounts were compromised by Sinowal.

In the past six months alone, the Sinowal Trojan has compromised and stolen login credentials and other information of more than 100,000 online bank accounts. This diagram (see below) shows the rate at which Sinowal has been compromising online bank accounts.

[Graph: rate at which Sinowal has been compromising online bank accounts]

The RSA FraudAction Research Lab, in conjunction with the RSA Anti-Fraud Command Center, is currently in the process of sharing its findings with the appropriate parties. We have disseminated large amounts of compromised data to some affected financial institutions. We have also contacted several law enforcement agencies to inform them of our findings.

17 Responses to “One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts”

  1. Pete Miller says:

    What operating systems are affected?

    Is this type of attack only windows-specific or did you also observe successful attacks on users with OSX and Linux operating systems?

  2. RO says:

    So Who and What are Affected?

    Does this only work on Windows (the usual suspect), or can Mac OS X (earlier versions?), or any Linux distros also be affected? How do you know the full extent of infection and numbers affected? Have you traced the calls home from infected PCs?

  3. John says:

    What about the users??

    It’s great that you’re contacting the institutions targeted by this, but in reality they’re not targeted so much as their clients are.

    So, how can end-users determine whether their machines are infected? It would be nice to know whether I need to get started reformatting my MBR as opposed to (maybe) continuing to divulge sensitive information.

  4. Bill Hunt says:

    Banks and Institution list

    It would be a great service to everyone to know which banks and institutions have accounts that have been affected by this Trojan. I have seen several reports regarding Sinowal and have yet to see mentioned even one institution named. Similarly, I have not seen any follow-on reporting of actual cases of fraud and theft associated with this – if it is possible to quantize an estimate of stolen account incidents, it must certainly be possible to be more forthcoming regarding the specifics associated with these estimates. It would certainly be in the public’s best interest to share this information, don’t you think?

  5. Dave Johnson says:

    Basic concept

    This trojan uses 2 parts according to the article: web injection and a rootkit. Mebroot is a Master Boot Record infection of Windows that gets into Windows via the normal Windows-stupid architecture flaws. I’m a Linux and Mac user so I don’t care about this c**p. It also seems like the Sinowal/Torpig portion is Windows specific too.

    It’s hard to determine because the anti-virus folks in the world want everyone to think that Trojans and virii affect the internet as a whole, which is a lie because it’s a Windows problem.

    I’ve seen reports of 200,000 and 300,000 and even 500,000 accounts compromised. Seems awfully like hype to me. The Anti-Virus industry needs to keep fear up so people listen to the lame marketing they engage in.

  6. Peter Kleissner says:

    Analysis of Sinowal

    I (Peter Kleissner, Software Engineer / Malware Analyst) have analyzed Sinowal. Read the article at http://www.viennacomputerproducts.com/index.php?page=analysis-of-sinowal! I have also published the source code of Sinowal there.

    And to answer the question of Pete Miller, Sinowal is restricted to Microsoft Windows XP due to its bootkit functionality. It won’t work under Vista anymore because of its different boot files and mechanism.

  7. Tamas Feher says:

    Malware is not about Windows

    Basic Concept is a fool to think that anything but Windows is immune to malware and hacks. We have found a Unix rootkit over 10MB in size and so complex it took AVP one week to analyze. Thousands of Linux servers are hacked so their stored webpages can be infected with obscured javascript one-liners to gift trojans to visitors who use Windows. Apple is a dumbed down piece of BSD Unix, so it’s even worse. Bank and industrial applications show a well-cared for Windows Server is equally safe and reliable compared to Un*x, you just have to hire well-paid top-notch people to maintain them day and night. There is no absolute security beyond IBM mainframes and mil-spec systems; the Chinese hackers crack any Un*x like a nut, in fact any von Neumann architecture computer, where data can become program code, is inherently at risk. The only reason malware is such a commodity on Windows comes down to economy of scale. Apple having a fast-growing share in the higher-end laptop business, we can expect Mac malware very soon, because it will be worth targeting that user population. Several AV vendors will return to market with an Apple virus scanner product in 2009, after almost a decade of hiatus.

  8. Anonymous says:

    Published there also the source code of Sinowal. And to answer the question of Pete Miller, Sinowal is restricted to Microsoft Windows XP due to its bootkit functionality. It won’t work under Vista anymore because of its different boot files and mechanism.

  9. RSA FraudAction Research Labs says:

    Affected operating systems

    You can find this information from leading anti-virus companies, and you might want to note that various anti-virus companies use different names for this Trojan, so you may wish to search for “Mebroot” or “Torpig” in addition to “Sinowal”.

    - RSA FraudAction Research Lab

  10. RSA FraudAction Research Labs says:

    Who and What are Affected

    Affected operating systems: You can find this information from leading anti-virus companies, and you might want to note that various anti-virus companies use different names for this Trojan, so you may wish to search for “Mebroot” or “Torpig” in addition to “Sinowal”.

    Affected financial institutions and individuals: We have seen the Sinowal Trojan reach over 27 countries to date. Regarding “numbers affected”, we appreciate your question, but we cannot provide any information of this nature because it is critically important that we protect the privacy and security of the affected financial institutions and their customers.

    Traced calls: Thank you for this question, but unfortunately we cannot answer as we must protect our anti-fraud fighting methodologies.

    - RSA FraudAction Research Lab

  11. RSA FraudAction Research Labs says:

    Protecting your PC

    The best initial line of defense is to maintain an up-to-date anti-virus solution on your PC and use it to run a full system scan. If Sinowal is believed to be installed on a user’s PC, we recommend following the specific steps provided by leading anti-virus providers. However, the Sinowal Trojan can be challenging to detect once it is installed locally since it uses rootkit techniques designed to evade detection.

    The Sinowal variant used HTML injection to add fields to web pages in order to lure end users to provide personal information which resulted in account compromise. Awareness to the sensitivity of sharing personal information can be the first line of defense against any Trojan like this. For example, users can help be better protected by spotting unusual changes to their regularly visited websites, such as those that prompt for personal information, or those that request new actions such as downloading files in order to view a video. Financial institutions should never randomly request personal information online, such as login credentials or social security numbers.

    - RSA FraudAction Research Lab

  12. RSA FraudAction Research Labs says:

    Affected financial institutions and individuals

    Thank you for sharing your questions and concerns, but we cannot provide any information of this nature because it is critically important that we protect the privacy and security of the affected institutions and their customers.

    - RSA FraudAction Research Lab

  13. RSA FraudAction Research Labs says:

    Response to ‘Basic concept’

    Leading anti-virus vendors have indicated that the Sinowal Trojan is specific to Windows operating environments. It’s important to note that we’re a research group within RSA, and the analysis of the data contained in the Sinowal drop zone clearly demonstrated the existence of more than 500,000 unique credentials, including online banking and credit card information. This information appears to have been extracted from more than 300,000 unique infected PCs, representing approximately 2,700 unique domain names. It is apparent this particular Trojan was wide-spread in its targets and infection, based solely on the extracted data. RSA has not made any inferences about other Trojans within the research published last week.

    However, we do hope discoveries such as this can highlight to the everyday user that Trojans do exist and good Internet browsing habits are valuable to all. Awareness to the sensitivity of sharing personal information can be the first line of defense against any Trojan like this. For example, users can help be better protected by spotting unusual changes to their regularly visited websites, such as those that prompt for personal information, or those that request new actions such as downloading files in order to view a video. Users would also benefit by knowing that their financial institutions should never randomly request personal information online, such as login credentials or social security numbers.

    - RSA FraudAction Research Lab

  14. RSA FraudAction Research Labs says:

    Response to “Malware is not about Windows”

    We wish to pass no judgement on the merits of one OS vs. another. We believe it is most important to adopt and consistently follow good security practices and Internet habits as the best method of avoiding infection and compromise. Individuals and organizations who follow these best practices for security will always minimize their risk, regardless of the OS they presently use.

    - RSA FraudAction Research Lab

  15. qazwsx says:

    All y’all are wrong. I am a director of technology at a moderately sized business that has a multi-platform environment including Linux, Mac OS X 10.5 and 10.6, Unix, and PC Windows-based XP and W7. Every platform has been infected by/with the Mebroot/Torpig and I can prove it. Problem is that it does attack primarily Windows based machines and there is no research on the other OSes.

  16. LawonisLC says:

    To lay sole accountability at the feet of the Anti-Virus community seems a little too isolated for an issue that both begins and ends with an end-user deciding to use a piece of technology, irrelevant and absent of the initial purpose of use.

    For example, how many banks would celebrate if a certain percentage of their customers began to insist on face-to-face banking only? Culturally speaking, employers have direct-deposit demands of their employees to reduce costs in one column, while passing on the risk to their employee that once it hits the bank, it is the employee’s responsibility to keep it safe. Would someone be rejected for employment if they refused to risk their financial safety and security in such a manner? With physical pickpocketing statistics being a proposed side benefit from removing money from the physical being of an individual, what of the costs being infused with damages from even this one set of instructions I would otherwise never have known about if my own curiosity had not gotten the better of my discipline.

    And I have often wondered what would happen to this particular set of statistics if consumers were to let go of an online banking opportunity but one time…would oil prices be influenced? Insurance costs contemplated? Extra health benefits from walking? Public transportation ridership altered? Banks crying foul and dragging the concept through the courtrooms as representative of The Enemy as other industries have done with comment and commentary by someone within earshot of another?

    Would the tech industry embrace a reduction in the consumers personal habits or would this be a drastic backstep away from an eventual period of reduction across the board? What would happen in the speculation fields? Billions are being written down and then written off to another netherworld at lightning speed. What of those wins and losses?

    As another example, how many smaller localized governments cannot afford to upgrade their systems to better address this particular no-no, let alone the lists that circulate at any given moment? How can there be fault laid upon a community for failure to achieve stable and steady connection with whatever is deemed “current” let alone the lawsuits for and against the actions and activities automated update systems?

    How many school systems are able to prevent children from acting as carriers when on their school supply shopping list contains the purchase of a flash/jump drive compared to how many children would be stamped guilty for such an achievement? Stuxnet was isolated and then announced as a design that originally was not setting off any alarms, as is suggested with this particular set of programming, and it was stamped and labeled malicious only when a computer outside of the theoretical containment field acquired the content and then ended up transmitting it to wherever.

    Now I may have never been exposed to the advanced metrics and statistics involved in this particular report, but I have at least basic ability to read the data provided by a few different statistic providers and that particular educational curve took large chunks out of my life schedule – but then again I flunked Algebra twice in high school.

    One set of stats that struck me to be a significant challenge to a designer-wanna-be was the browser variations used to visit a website. That is not an immediate Anti-Virus issue, that is an end-user making a consumer choice from a pool of options as to what browser they are going to use during their connection experience. To wonder how many have thought to themselves some variation of “Oh crap. This choice might be exploited by unknown individuals. Oh well. Time to have some fun anyway” would have to be broken down into two separate contemplations – one including the awareness that something unknown is also going to happen in addition to anything the user is doing and one heading in the “have fun” direction. Nothing wrong with having a little fun in one’s life and yet to contemplate for whose benefit or detriment such fun is to be had, this is but one of a tendril of freedom-related thoughts and considerations that are instilled into a variety of take-down methods being used to shut down a broadcast from being accessible from the outside.

    So even though application of W3C suggested standards can parlay a site into a variety of statistical positions, a designer able to pass such standardized tests does not guarantee the layout of a site on a variety of monitor shapes and sizes will present itself in a readable and functional manner – especially when glancing at the hand-held realm. Again, that’s not Anti-Virus. That’s a number of people across the world trying to creatively drum up ideas on how to monetize the click list capabilities otherwise available through larger platforms being able to present a greater number of opportunities for the click action to commence so that a similar volume of click habits can be presented to the various seekers of investments into such complex endeavors.

    So with consumer desires always driving design of content itself, commercialized, governmentalized, privatized or otherwise, it is important for the Anti-Virus community to be able to possess some sort of jolting mechanism, even if the jolt comes from a reveal of an otherwise hidden agenda installed somewhere invisible to the naked eye without aid of technology. I ended up coming across this particular report in 2012 because the headline format attracted my attention, which is the default position of one writing a headline. Write it so it can attract attention to the content below. Ask any publisher worth even one grain of salt – or click as this circumstance presents (couldn’t resist the cliche!)

    Even without rhetoric abound, the fact that the news networks will broadcast weather reports outside but not one regularly scheduled virus report regarding what might be inside our technology at any given moment chills the growth of awareness as to what phrases such as “If the file looks suspicious…” might actually mean en masse – via the individual end-user making individual determinations as to whether or not they are going to click on a link. Without further outreach as to what steps individuals can choose from when confronted with any of these types of circumstances, 2,700 phishing addresses may not initially seem like a mega number unto itself, but when this count is attached to this one particular command center having past association with the Russian Business Network, even old-school Rock Phish Gang materials suggest that when major indexes jump by the thousands, if not the hundreds of thousands and yes, even by the millions and billions, current activities may have nothing to do directly or even indirectly with the current formats or formations being credited to RBN or RPG legacy activities.

    So although this particular report holds a suggestion of being outdated through its 2011 stamp, the virus still seems to be in circulation and a search engine presented the option to click or not to click here in 2012. And what will continue to be demanded of tech-based designers might change and alter on the surface, but having a need to ensure at some point there is opportunity to perhaps blockade entry of this particular program is the kind of stuff anti-virus software programs alone cannot address.

    End-user habits matter because it is these habits that create the start and finish line of an attempt to manifest something using a piece of technology by a human being.

  17. Donmen says:

    Very interesting read, thank you. I have had an infection of Sinowal/Torpig recently and it seems my internet provider blocked my internet. To restore it measures had to be taken on my part. It seems to me we as users of the internet have a very good reason to fear a virus/trojan like this.

    It being controlled solely by some Russian internet mafia is what makes me wonder. I bet information agencies world wide would give a leg and an arm for something like this.

    Anyways, thank you for the fine article.
