The RSA FraudAction Research Lab would like to share its findings from tracking and researching the Sinowal Trojan, also known as Torpig and Mebroot. The data we have collected on this Trojan over almost three years, including information about its design and its infrastructure, indicates that it may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters.
We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen the login credentials of approximately 300,000 online bank accounts and a similar number of credit and debit cards. Email and FTP account credentials for numerous websites have also been stolen.
Sinowal has been the subject of rumor and speculation in the industry, and little is known about its origin; far more is generally known about the origins of other Trojans. Some have alleged that it is owned and operated by a Russian online gang with past ties to the infamous Russian Business Network (RBN). Our data confirms that Sinowal had strong ties to the RBN in the past, but our research indicates that its current hosting facilities may have changed and are no longer connected to the RBN.
So, why is Sinowal one of the most serious threats to anyone with an Internet connection?
Simply put, Sinowal infects victims' computers without leaving a trace the victim would notice. The criminals behind Sinowal have not only created highly advanced crimeware, but have also maintained one of the most hidden and reliable communication infrastructures we have seen, designed to keep Sinowal collecting and transmitting information for almost three years. The stolen data has been methodically organized in a well-structured repository. Almost three years is a very long time for a single online gang to sustain the lifecycle and operations of a single Trojan.
Only rarely do we come across crimeware that has been continually stealing personal information and payment card data, and compromising bank accounts, since as far back as 2006. Beyond its longevity, Sinowal has also been evolving at a dramatic pace: its rate of attacks spiked from March through September of this year.
The creators of the Sinowal Trojan periodically release new variants and register thousands of Internet domains for its communication resources, in order to maintain the Trojan's uninterrupted grip on infected computers. The diagram below shows the rate at which the creators of the Sinowal Trojan have been releasing new variants.
Our findings on how Sinowal operates
Like other Trojans, Sinowal uses an HTML injection feature that inserts new Web pages or input fields into the pages the victim's browser renders, so that the injected content appears to be part of the legitimate site. For example, Sinowal can prompt an unsuspecting victim for personal information such as a social security number and other details that their bank has pledged never to request online. A prompt like this is not a novel approach to stealing credentials; what struck us most was the number of URL "triggers" that cause Sinowal to launch this prompt and its other functions. Sinowal is triggered by more than 2,700 specific URLs, which means the Trojan springs into action when users access the websites of what are now hundreds of financial institutions worldwide.
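The mechanism described above, as an added example that is not RSA's analysis code and not Sinowal's own code: a minimal model of URL-triggered HTML injection, paired with the page-side integrity check a bank could use to notice an injected field. The trigger list, URLs, field names and page markup are all constructed for the example; the real Trojan's configuration format is not described on this page and is not reproduced here. The example goes beyond the text by also showing the defensive side, which the page does not discuss.

```javascript
// Added example (not RSA's or Sinowal's code): a model of URL-triggered HTML
// injection plus a page-side integrity check. All URLs, field names, markup and
// the trigger list are constructed for illustration.

// Hypothetical trigger list, in the spirit of the Trojan's 2,700 URL triggers:
// each entry pairs a URL pattern with markup to splice in after an anchor element.
const TRIGGERS = [
  {
    urlPattern: /^https:\/\/online\.example\.com\/login(\?|$)/,
    anchor: '<input type="password" name="password">',
    inject: '<label>Social Security Number</label>' +
            '<input type="text" name="ssn" maxlength="11">',
  },
  {
    urlPattern: /^https:\/\/cards\.example\.net\/account\//,
    anchor: '<input type="submit" value="Continue">',
    inject: '<label>Card PIN</label><input type="password" name="pin">',
  },
];

// Attacker side: return the first trigger whose pattern matches the visited URL.
function matchTrigger(url) {
  return TRIGGERS.find((t) => t.urlPattern.test(url)) || null;
}

// Attacker side: splice the extra field into the page the browser is about to
// render. Untriggered URLs pass through untouched, which is why the Trojan stays
// quiet on most sites and only acts on the targeted ones.
function injectIntoPage(url, html) {
  const t = matchTrigger(url);
  if (t === null || !html.includes(t.anchor)) return html;
  return html.replace(t.anchor, t.anchor + t.inject);
}

// Defender side: the input fields each page is known to contain (constructed
// allowlist; a real deployment would generate this from the server templates).
const EXPECTED_FIELDS = {
  '/login': new Set(['username', 'password', 'csrf_token']),
};

// Pull the name attribute of every <input> in the rendered markup.
function extractFieldNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Report input fields present in the rendered page that the server never emitted.
// A non-empty result on a login page is a strong man-in-the-browser signal.
function findUnexpectedFields(path, renderedHtml) {
  const expected = EXPECTED_FIELDS[path] || new Set();
  return extractFieldNames(renderedHtml).filter((n) => !expected.has(n));
}

// Constructed login page exactly as the bank's server sends it.
const SERVER_LOGIN_HTML =
  '<form method="post" action="/login">' +
  '<input type="hidden" name="csrf_token" value="abc123">' +
  '<input type="text" name="username">' +
  '<input type="password" name="password">' +
  '<input type="submit" value="Sign in">' +
  '</form>';

// Walk through one victim session: a triggered bank URL gets the SSN field
// injected, the integrity check flags it, and an unrelated URL is left alone.
function demo() {
  const url = 'https://online.example.com/login';
  const rendered = injectIntoPage(url, SERVER_LOGIN_HTML);
  return {
    triggered: matchTrigger(url) !== null,
    unexpected: findUnexpectedFields('/login', rendered),
    untouched: injectIntoPage('https://news.example.org/', SERVER_LOGIN_HTML) === SERVER_LOGIN_HTML,
  };
}

console.log(demo());
```

One caveat a practitioner will want: the integrity check runs inside the same browser the Trojan controls, so a sufficiently capable man-in-the-browser can suppress or rewrite it. Treat it as one signal, and pair it with server-side checks that do not depend on the client, such as rejecting a login POST that carries parameters (here `ssn`) the form never defined.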
The sheer volume of data stolen by Sinowal is extraordinary
A single Trojan, operated by a single group of fraudsters, has infected hundreds of thousands of computers and stolen information from their users' accounts.
The compromised data belongs to customers of hundreds of financial institutions in many regions of the world. We have seen affected financial institutions in North America (both the United States and Canada), Europe (United Kingdom, France, Spain, Germany, the Netherlands, Italy and others), Asia Pacific (Australia, China, Malaysia and others) as well as some countries in Latin America. However, we found that no Russian accounts were compromised by Sinowal.
In the past six months alone, the Sinowal Trojan has compromised and stolen the login credentials and other information of more than 100,000 online bank accounts. The diagram below shows the rate at which Sinowal has been compromising online bank accounts.
The RSA FraudAction Research Lab, in conjunction with the RSA Anti-Fraud Command Center, is currently in the process of sharing its findings with the appropriate parties. We have disseminated large amounts of compromised data to some affected financial institutions. We have also contacted several law enforcement agencies to inform them of our findings.