RSA, EMC's security division, reported last week that its researchers found a treasure trove of financial data stolen by the Sinowal Trojan. Here is more background on the Trojan and RSA's findings.

After eWEEK published the initial story last week about RSA finding a cache of data stolen by the Sinowal Trojan, several readers requested additional information. Here is a little more background on the Trojan, RSA's findings and links to more information.

Also identified as Torpig and Mebroot, Sinowal has rootkit elements that infect the Master Boot Record and allow it to hide. The Trojan has many variants, some of which are detected by traditional anti-virus vendors such as Symantec and McAfee. However, the number of variants and their low distribution volumes make it difficult for security vendors to keep track of the latest variants.
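A Master Boot Record infection of the kind described above is something a defender can baseline and watch for. The following Python script is an added example written for this article, not a tool from RSA or any anti-virus vendor: it parses a 512-byte boot sector, records a SHA-256 of the boot-code region, checks the 0x55AA boot signature and the partition table, and reports when the boot code no longer matches a recorded baseline. The sample sector, its boot-code bytes and the disk signature are constructed inline, and the function names `parse_mbr`, `audit_mbr` and `build_sample_mbr` are choices made here, not anything from the article.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: x86 boot code (440..445 hold the disk signature and padding)
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def audit_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return human-readable findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one active partition, found {len(bootable)}")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR (not a real disk image) with one active NTFS-type partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x11\x22\x33\x44\x00\x00"   # constructed 4-byte disk signature plus 2 pad bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty_entry = b"\x00" * 16
    return code + disk_sig + entry + empty_entry * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    # Record a baseline from a known-good sector, then audit a sector whose boot code changed.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")     # constructed placeholder boot-code bytes
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("clean sector:", audit_mbr(clean, baseline))
    tampered = build_sample_mbr(b"\xeb\xfe")              # different boot code, same partition table
    print("tampered sector:", audit_mbr(tampered, baseline))
```

On a real machine the sector is the first 512 bytes of the boot device, and the baseline must be recorded while the system is known to be clean. Because the article notes that Sinowal uses rootkit techniques to hide itself, the sector should be read from an offline image or from boot media rather than through the possibly infected running operating system, whose disk reads may not be trustworthy.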
For the past six months, RSA has observed at least 60 variants of the Trojan each month. A recent variant, submitted Oct. 21 to VirusTotal, was detected by fewer than 30 percent of the 35 security vendors given the file.

RSA investigators found nearly 300,000 online banking account credentials, as well as a roughly equal number of credit and debit account numbers and associated personal information. The cache of data represents bounty collected from Sinowal's victims as far back as February 2006.
An analysis of the Sinowal Trojan itself identified a road map leading to the location commonly known as the drop zone, a point where Trojans send their stolen information, said Sean Brady, manager of identity protection at RSA, EMC's security division. The drop zone itself was publicly exposed to the Internet, where the RSA FraudAction Research Lab was able to address the database and recover the credentials.
Once downloaded, Sinowal uses an HTML injection feature to inject new Web pages or information fields into the victim's Web browser. When a user tries to visit one of 2,700 financial service domains, the fake site pops up instead and prompts the user for log-in or financial information. Detected variants target Windows 2000, XP, Vista and Windows Server 2003, according to various security vendors.
The best initial line of defense is to maintain an up-to-date anti-virus solution on your PC and use it to run a full system scan, Brady advised. However, the Sinowal Trojan can be challenging to detect once it is installed locally, since it uses rootkit techniques designed to evade detection.

Brady recommended that users keep an eye out for changes to Web sites they normally visit. For example, a prompt for personal information or for the user to download files in order to view a video could be a tip-off.

Knowing that their financial institutions should never randomly request personal information online, such as log-in credentials or Social Security numbers, [can be a defense], he said.
For those looking for a list of the financial institutions, RSA has chosen not to publicize them, citing privacy and security. However, RSA officials said they have reached out to affected institutions as well as law enforcement.
Reader Comments: Keeping an Eye Out for the Sinowal Trojan

Secure banking
One way to improve your on-line banking security is to choose a bank that will provide two-factor authentication. E*Trade, for example, will supply a...
Posted At: 11-08-08 By: A Hewitt

How many years ago was that?
I have used openSuSE for years, and it never 'required' me to use a command line. And there are places you need to use command line in Windows...
Posted At: 11-07-08 By: John Bowling

RE: Multifactor Authentication
While it is a start to better FI web security, it is also flawed. I believe that at a Black Hat conference shortly after the FFIEC deadline for...
Posted At: 11-06-08 By: Graph-X

Move
I moved to UBUNTU 4 years ago, no more problems. I'm not very literate with computers so someone set up my system. It was much better than Windows 98...
Posted At: 11-05-08 By: Rod

A user comment on this article
I've never had to rebuild my Windows kernel. I've never had to resort to command-line to install applications or drivers. So your easier-to-use...
Posted At: 11-05-08 By: Rick

One obvious solution
The obvious solution to this (and countless other) threats is to quit using products, or at least operative systems (i.e. Windows), from...
Posted At: 11-05-08 By: Anonymous