Keeping an Eye Out for the Sinowal Trojan

RSA, EMC's security division, reported last week that its researchers found a treasure trove of financial data stolen by the Sinowal Trojan. Here is more background on the Trojan and RSA's findings.

After eWEEK published the initial story last week about RSA finding a cache of data stolen by the Sinowal Trojan, several readers requested additional information.

Here is a little more background on the Trojan, RSA's findings and links to more information. Also identified as Torpig and Mebroot, Sinowal has rootkit elements that infect the Master Boot Record and allow it to hide. The Trojan has many variants, some of which are detectable by traditional anti-virus companies such as Symantec and McAfee. However, the number of variants and their low distribution volumes make it difficult for security vendors to keep track of the latest variants.

For the past six months, RSA has observed at least 60 variants of the Trojan each month. A recent variant, submitted Oct. 21 to Virustotal, was detected by less than 30 percent of the 35 security vendors given the file.

RSA investigators found nearly 300,000 online banking account credentials, as well as a roughly equal number of credit and debit account numbers and associated personal information. The cache of data represents bounty collected from Sinowal's victims as far back as February 2006.

"An analysis of the Sinowal Trojan itself identified a road map leading to the location commonly known as the drop zone, a point where Trojans send their stolen information," said Sean Brady, manager of identity protection at RSA, EMC's security division. "The drop zone itself was publicly exposed to the Internet, where the RSA FraudAction Research Lab was able to address the database and recover the credentials."

Vulnerabilities are fading from the threat foreground. Read more here.

Once downloaded, Sinowal uses an HTML injection feature to inject new Web pages or information fields into the victim's Web browser. When a user tries to visit one of 2,700 financial service domains, the fake site pops up instead and prompts the user for log-in or financial information. Detected variants target Windows 2000, XP, Vista and Windows Server 2003, according to various security vendors.

"The best initial line of defense is to maintain an up-to-date anti-virus solution on your PC and use it to run a full system scan," Brady advised. "However, the Sinowal Trojan can be challenging to detect once it is installed locally, since it uses rootkit techniques designed to evade detection."

Brady recommended that users keep an eye out for changes to Web sites they normally visit. For example, a prompt for personal information or for the user to download files in order to view a video could be a tip-off.

"Knowing that their financial institutions should never randomly request personal information online, such as log-in credentials or Social Security numbers, [can be a defense]," he said.

For those looking for a list of financial institutions, RSA has chosen not to publicize them, citing privacy and security. However, RSA officials said they have reached out to affected institutions as well as law enforcement.