Sinowal data-stealing trojan has infected half million PCs

Share this article:

The Sinowal trojan, also known and Torpig and Mebroot, has infected more than 500,000 PCs worldwide, according to new information from the RSA Fraud Action Research Lab.

In a blog post on Friday, the lab detailed research findings about the 3-year-old trojan.

They are significant because of the length of the trojan's lifespan and the sheer enormity of the find, Sean Brady, product marketing manager, RSA, told SCMagazineUS.com.

“RSA has never found a repository like this to date,” Brady said.

Dating back as far as 2006, the trojan has captured more than half- million credentials and targeted more than 2,700 different financial service domains worldwide, Brady said.

The more than half-million credentials stolen are nearly split between login and credit card information. About 270,000 banking login credentials, equivalent to usernames and passwords, were stolen worldwide. And some 240,000 credit and debit card numbers and expiration dates were stolen as well, Brady said.

RSA said that originally the trojan had strong ties to the notorious Russian Business Network (RBN) but that appears to be no longer the case.

Brady would not reveal which financial institutions were targeted but said that most were large financial services firms in various locales. Accounts were compromised in North America, Europe, Poland, Spain, the Czech Republic, Germany, the Netherlands, Poland, Italy, the Asia-Pacific region and Latin America, he said.

The trojan is sophisticated and infects victims using drive-by download exploits. Simply visiting one of the vulnerable websites will execute the trojan. The trojan installs code into the PCs' Master Boot Record, making it difficult to detect and extract, Brady said.
 
When a user visits a domain coded as a trigger for the trojan, it executes, injecting HTML on the victim's PC. A new web page or information fields appear, asking the user to input personal information. The information request, such as for Social Security numbers, can be a giveaway, because most banks never just randomly request such data.

The RSA Anti-Fraud Command Center said it is notifying law enforcement and the affected financial institutions about the trojan.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.