Sinowal Trojan Has So Far Stolen 500,000 Account Details

By Eric Blair
23:51, November 2nd 2008

Findings that security group RSA has posted on its blog indicate that the Trojan known as Sinowal (or, less commonly, Torpig and Mebroot), which has been active since early 2006, has been used by its creators to compromise a massive amount of account information.

RSA reports that it has discovered a data cache containing log-in information for 300,000 bank accounts and 250,000 credit and debit card accounts. All this information has been collected using the Sinowal Trojan by a single criminal group.

A Trojan will plant itself on a user’s computer through a surreptitious link in a website (usually porn or gambling) and, in the case of well-designed ones like Sinowal, will overwrite and launch itself from the hard disk’s master boot record, in order to supersede and avoid detection.

Afterward, Sinowal will wait to be triggered by the victim accessing a legitimate financial or banking website (RSA contends that this particular Trojan has a list of over 2,700 target websites). Then, by a technique called HTML injection, it adds fields to the legitimate financial institutions’ online forms, asking for login information, card PIN numbers and other sensitive data: the sort of data that the company itself would never ask for, a fact about which it usually gives a warning.
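A defensive check for the HTML injection described above, given here as an added example that is not from the original article or from RSA: it compares the controls in a rendered login form against the fields the site actually serves and reports the extras. The field names, the allowlist and the sample markup are constructed assumptions.

```javascript
// Added example; field names, allowlist and markup are constructed assumptions.
const EXPECTED_FIELDS = new Set(["csrf_token", "username", "password"]);
const BUTTON_TYPES = new Set(["submit", "button", "reset"]);

// Read one attribute value (double-quoted, single-quoted or bare) from a tag's attribute text.
function readAttr(attrs, key) {
  const re = new RegExp(`(?:^|\\s)${key}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// List every input/select/textarea in an HTML fragment.
// A tolerant scanner for the demo; in a browser, walk form.elements instead.
function listFormFields(html) {
  const fields = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    fields.push({
      tag: m[1].toLowerCase(),
      name: readAttr(m[2], "name") ?? readAttr(m[2], "id") ?? "(unnamed)",
      type: (readAttr(m[2], "type") ?? "text").toLowerCase(),
    });
  }
  return fields;
}

// Controls present in the rendered form that the site never served.
function findInjectedFields(renderedHtml, expected = EXPECTED_FIELDS) {
  return listFormFields(renderedHtml)
    .filter((f) => !BUTTON_TYPES.has(f.type) && !expected.has(f.name));
}

// Constructed sample: the form as served, then as rendered with extra fields added.
const SERVED = `<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>`;
const RENDERED = SERVED.replace("</form>",
  `<input type="password" name="card_pin"><input type='text' name='card_number'></form>`);

console.log(findInjectedFields(SERVED).length);                // 0
console.log(findInjectedFields(RENDERED).map((f) => f.name));  // [ 'card_pin', 'card_number' ]
```

Because the Trojan runs on the victim's own machine, a client-side check like this can itself be tampered with, so its result is a signal to correlate with server-side fraud controls rather than a guarantee.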

Once collected by Sinowal, the personal data is then passed on up the grapevine so to speak, through a network of compromised computers called a botnet. The bots which form the network in this case act as a dynamic web of proxies, protecting the command & control top of the network from detection.

Finding the C&C would theoretically compromise the entire network; however, the people behind Sinowal and other similar malware are constantly redesigning and updating the program, which therefore changes and adapts to counter attempts to dig it out.

This sort of malware is nothing new, but the success of Sinowal is what makes it so noteworthy. Indeed, security researchers seem almost scared of how fast it’s spreading.

"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006. And in addition to its longevity, Sinowal has also been evolving at a dramatic pace – its rate of attacks spiked upwards from March through September of this year."

Data compromised by this Trojan affects hundreds of financial institutions worldwide, in countries including the United States, Canada, France, the United Kingdom and China, among other places.

RSA’s anti-fraud command center has contacted law enforcement organizations as well as the affected institutions about its findings. It has, unfortunately, not made public a list of those institutions/individuals whose names appeared in the compromised list.



© 2007 - 2009 - eFluxMedia