Sinowal Distribution on the Rise

Security researchers are tracking a new spike in activity around the distribution of the long-running Sinowal (aka Torpig) Trojan attack, with most of the sightings tied to infected Web sites.

Researchers at SophosLabs reported a noticeable increase in the sheer volume of Sinowal-infecting URLs that it has observed in recent weeks, as Trojans continue to dominate the malware landscape in general.

However, staying ever-committed to its stealth model, the overall number of sites being used to pass along the Trojan is relatively small in comparison to other attacks.

The sparing use of Sinowal appears to be reflective of the growing trend among malware distributors to be more selective in using some of their more effective attacks and botnets, rather than running at full speed and drawing more interest from the security community.

The volume of sites used in Sinowal propagation have always been able to operate in a relatively “sub-radar” fashion, the researchers noted. Unlike the recent spate of more high-profile attacks including Gumblar and Nineball the people behind Sinowal seem content to let it maintain a more fixed presence.

The experts said that current iterations of Sinowal, which typically redirects users’ browsers to malicious content, work with even greater “finesse” than earlier versions. As always, the attack’s endgame is to subsequently infect end users with bank credential thieving malware.

Today’s Sinowal scripts carry an onboard algorithm to modify themselves on a daily basis and are being seen in several variants including an iframe attack, a domain redirection driven by the date it is delivered on, and a variation on the domain redirection that feeds on data in a users’ browser downloaded via the Twitter social networking service.

The inclusion of the Twitter code highlights the manner in which Sinowal’s backers are shifting their attack patterns to tap into now techniques even as they maintain their “slow and low” distribution schemes, with the wrinkle showing up more and more frequently on SophosLabs’ radar.

Specifically, when a Sinowal site is rendered in a browser, the attack script finds and absorbs publicly available search trend data saved from Twitter and uses the information as part of its domain generation algorithm.

Smarter attacks that run slow and low. It’s not a new pattern, but it’s certainly becoming more evident.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.