Feeds

Undetectable data-stealing trojan nabs 500,000 virtual wallets

Sinowal's evil genius

Secure remote control for conventional and virtual desktops

A well-organized crime gang has stolen credentials for more than a half-million financial accounts in less than three years using a sophisticated trojan that remains undetectable to the vast majority of its victims, a report published Friday warns.

The haul of bank, credit, and debit card account numbers stolen by the Sinowal trojan is among the largest ever discovered. It was unearthed by researchers at RSA's FraudAction Research Lab. They say the program, which is also known as Torpig and Mebroot, has been operating non-stop for almost three years, an unusually long time in the fly-by-night world of cybercrime.

"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006," RSA researchers wrote.

What's more, Sinowal has only managed to become more productive over time. In the past six months, it has compromised more than 100,000 accounts. Since February, the number of variants has spiked, from fewer than 25 per month to more than 70, according to RSA. The increase helps the malware evade detection by anti-virus programs.

In all, the trojan has infected at least 300,000 Windows machines and stolen 270,000 online banking account numbers and 240,000 credit and debit credentials.

Sinowal is impressive for other reasons as well. Unlike many trojans, it doesn't rely on tricking the end user into clicking on a link or file to get installed. Rather, it spreads silently via websites that prey on unpatched vulnerabilities in the Windows operating system or in third-party applications, such as Adobe Flash and Apple's QuickTime media player.

"This particular trojan can get installed without even awareness of the end-user that they have agreed to anything or that anything has been installed," Sean Brady, manager of identity protection at RSA, said in an interview.

It then hides itself on a computer's master boot record, making the infection extremely difficult to find. About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system.

Brady said RSA has shared the data it discovered with affected banks in the hopes they will notify customers who are infected.

Sinowal sits dormant on a machine until a user points a browser at the website of a bank or other financial institution. Then an HTML injection engine adds fields to the website's login page that prompt victims to enter social security numbers, passwords, and other credentials. Once entered, the information is transmitted to a server under the control of the malware authors. The injection mechanism is triggered by more than 2,700 different web addresses.

Little is known about the group responsible for Sinowal, but at least one clue suggests the group has ties to Russia: While the trojan targets institutions in dozens of countries in North America, Europe and Asia, none were located in Russia. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.