October 31, 2008

Sinowal data-stealing trojan has infected half million PCs

The Sinowal trojan, also known and Torpig and Mebroot, has infected more than 500,000 PCs worldwide, according to new information from the RSA Fraud Action Research Lab.

In a blog post on Friday, the lab detailed research findings about the 3-year-old trojan.

They are significant because of the length of the trojan's lifespan and the sheer enormity of the find, Sean Brady, product marketing manager, RSA, told SCMagazineUS.com.

“RSA has never found a repository like this to date,” Brady said.

Dating back as far as 2006, the trojan has captured more than half- million credentials and targeted more than 2,700 different financial service domains worldwide, Brady said.

The more than half-million credentials stolen are nearly split between login and credit card information. About 270,000 banking login credentials, equivalent to usernames and passwords, were stolen worldwide. And some 240,000 credit and debit card numbers and expiration dates were stolen as well, Brady said.

RSA said that originally the trojan had strong ties to the notorious Russian Business Network (RBN) but that appears to be no longer the case.

Brady would not reveal which financial institutions were targeted but said that most were large financial services firms in various locales. Accounts were compromised in North America, Europe, Poland, Spain, the Czech Republic, Germany, the Netherlands, Poland, Italy, the Asia-Pacific region and Latin America, he said.

The trojan is sophisticated and infects victims using drive-by download exploits. Simply visiting one of the vulnerable websites will execute the trojan. The trojan installs code into the PCs' Master Boot Record, making it difficult to detect and extract, Brady said.
 
When a user visits a domain coded as a trigger for the trojan, it executes, injecting HTML on the victim's PC. A new web page or information fields appear, asking the user to input personal information. The information request, such as for Social Security numbers, can be a giveaway, because most banks never just randomly request such data.

The RSA Anti-Fraud Command Center said it is notifying law enforcement and the affected financial institutions about the trojan.

Related Articles
Related Topics

Sign up to our newsletters

More in News

Bitcoin mining botnet has become one of the most prevalent cyber threats

Fortinet researchers have tracked 100,000 new ZeroAccess trojan infections per week, making the botnet very lucrative to its owners.

House Intelligence Committee OKs amended version of controversial CISPA

House Intelligence Committee OKs amended version of controversial ...

Despite the 18-to-2 vote in favor of the bill proposal, privacy advocates likely will not be satisfied, considering two key amendments reportedly were shot down.

Judge rules hospital can ask ISP for help in ID'ing alleged hackers

Judge rules hospital can ask ISP for help ...

The case stems from two incidents where at least one individual is accused of accessing the hospital's network to spread "defamatory" messages to employees.