Sinowal data-stealing trojan has infected half million PCs

Share this article:

The Sinowal trojan, also known and Torpig and Mebroot, has infected more than 500,000 PCs worldwide, according to new information from the RSA Fraud Action Research Lab.

In a blog post on Friday, the lab detailed research findings about the 3-year-old trojan.

They are significant because of the length of the trojan's lifespan and the sheer enormity of the find, Sean Brady, product marketing manager, RSA, told SCMagazineUS.com.

“RSA has never found a repository like this to date,” Brady said.

Dating back as far as 2006, the trojan has captured more than half- million credentials and targeted more than 2,700 different financial service domains worldwide, Brady said.

The more than half-million credentials stolen are nearly split between login and credit card information. About 270,000 banking login credentials, equivalent to usernames and passwords, were stolen worldwide. And some 240,000 credit and debit card numbers and expiration dates were stolen as well, Brady said.

RSA said that originally the trojan had strong ties to the notorious Russian Business Network (RBN) but that appears to be no longer the case.

Brady would not reveal which financial institutions were targeted but said that most were large financial services firms in various locales. Accounts were compromised in North America, Europe, Poland, Spain, the Czech Republic, Germany, the Netherlands, Poland, Italy, the Asia-Pacific region and Latin America, he said.

The trojan is sophisticated and infects victims using drive-by download exploits. Simply visiting one of the vulnerable websites will execute the trojan. The trojan installs code into the PCs' Master Boot Record, making it difficult to detect and extract, Brady said.
 
When a user visits a domain coded as a trigger for the trojan, it executes, injecting HTML on the victim's PC. A new web page or information fields appear, asking the user to input personal information. The information request, such as for Social Security numbers, can be a giveaway, because most banks never just randomly request such data.

The RSA Anti-Fraud Command Center said it is notifying law enforcement and the affected financial institutions about the trojan.

Share this article:

Sign up to our newsletters

More in News

Incapsula mitigates multi-vector DDoS attack lasting longer than a month

Incapsula mitigates multi-vector DDoS attack lasting longer than ...

Incapsula's scrubbing servers were able to filter out more than 50 petabits of malicious DDoS traffic aimed at a video game company for longer than a month.

UPS announces breach impacting 51 U.S. locations

The shipping and printing provider said malware has been present on some stores' computer systems since mid-January.

'Machete' espionage campaign targets orgs in Venezuela, Ecuador

The campaign targets Spanish speaking victims, which also appears to be the native language of attackers.