Sinowal data-stealing trojan has infected half million PCs

Share this article:

The Sinowal trojan, also known and Torpig and Mebroot, has infected more than 500,000 PCs worldwide, according to new information from the RSA Fraud Action Research Lab.

In a blog post on Friday, the lab detailed research findings about the 3-year-old trojan.

They are significant because of the length of the trojan's lifespan and the sheer enormity of the find, Sean Brady, product marketing manager, RSA, told

“RSA has never found a repository like this to date,” Brady said.

Dating back as far as 2006, the trojan has captured more than half- million credentials and targeted more than 2,700 different financial service domains worldwide, Brady said.

The more than half-million credentials stolen are nearly split between login and credit card information. About 270,000 banking login credentials, equivalent to usernames and passwords, were stolen worldwide. And some 240,000 credit and debit card numbers and expiration dates were stolen as well, Brady said.

RSA said that originally the trojan had strong ties to the notorious Russian Business Network (RBN) but that appears to be no longer the case.

Brady would not reveal which financial institutions were targeted but said that most were large financial services firms in various locales. Accounts were compromised in North America, Europe, Poland, Spain, the Czech Republic, Germany, the Netherlands, Poland, Italy, the Asia-Pacific region and Latin America, he said.

The trojan is sophisticated and infects victims using drive-by download exploits. Simply visiting one of the vulnerable websites will execute the trojan. The trojan installs code into the PCs' Master Boot Record, making it difficult to detect and extract, Brady said.
When a user visits a domain coded as a trigger for the trojan, it executes, injecting HTML on the victim's PC. A new web page or information fields appear, asking the user to input personal information. The information request, such as for Social Security numbers, can be a giveaway, because most banks never just randomly request such data.

The RSA Anti-Fraud Command Center said it is notifying law enforcement and the affected financial institutions about the trojan.

Share this article:

Sign up to our newsletters

More in News

Latest Citadel trick allows RDP access after malware's removal

Latest Citadel trick allows RDP access after malware's ...

Trusteer, an IBM company, said the new Citadel configuration was detected this month.

Cryptoblocker variant emerges, encryption differs from CryptoLocker

Trend Micro has detected a variant of CryptoLocker in the wild that relies on the advanced encryption standard.

Jimmy John's sandwich chain investigating possible breach

Some financial institutions have indicated that credit cards recently used at Jimmy John's locations have been used to make fraudulent purchases.