Security researchers lift the lid on Torpig banking Trojan
300K bank accounts compromised by backdoor code
Security researchers at RSA have uncovered how a banking Trojan may have stolen the login credentials of as many as 300,000 online bank accounts.
The Sinowell (AKA Torpig) trojan has also lifted email and FTP account login details. Previous attempts to track the source of the Trojan have run into blind alleys.
One popular theory is that the malware authors behind the trojan are in the same gang as the group who ran the infamous Russian Business Network (RBN). RSA's analysis suggests that the authors of Sinowell may have been at least affiliated with the Storm worm gang in the past but are now running the malware through hosting facilities unaffiliated to the RBN.
RSA is in liaison with computer emergency response teams and other appropriate parties in an effort to take down the network controlled by the Sinowell trojan.
The malware, variants of which first appeared in 2006, takes considerable pains to conceal its presence on compromised machines
In addition, the communication infrastructure behind the trojan is sophisticated and well maintained.
"The creators of the Sinowal Trojan periodically release new variants and register thousands of Internet domains for its communication resources. The purpose of this is to maintain the Trojan’s uninterrupted grip on infected computers," a posting on the RSA security blog explains.
More details on the malware can be found in a post made by RSA on its security blog here. ®