One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts

Is this type of attack only windows-specific or did you also observe successful attacks on users with OSX and Linux operating systems?

You can find this information from leading anti-virus companies, and you might want to note that various anti-virus companies use different names for this Trojan, so you may wish to search for "Mebroot" or "Torpig" in addition to "Sinowal".

Does this only work on Windows (the usual suspect), or can Mac OS X (earlier versions?), or any Linux distros also be affected. How do you know the full extent of infection and numbers affected? Have you traced the calls home from infected PC's?

Affected operating systems: You can find this information from leading anti-virus companies, and you might want to note that various anti-virus companies use different names for this Trojan, so you may wish to search for "Mebroot" or "Torpig" in addition to "Sinowal".

Affected financial institutions and individuals: We have seen the Sinowal Trojan reach over 27 countries to date. Regarding "numbers affected", we appreciate your question, but we cannot provide any information of this nature because it is critically important that we protect the privacy and security of the affected financial institutions and their customers.

Traced calls: Thank you for this question, but unfortunately we cannot answer as we must protect our anti-fraud fighting methodologies.

It's great that you're contacting the institutions targeted by this, but in reality they're not targeted so much as their clients are.

So, how can end-users determine whether their machines are infected? It would be nice to know whether I need to get started reformatting my MBR as opposed to (maybe) continuing to divulge sensitive information.

The best initial line of defense is to maintain an up-to-date anti-virus solution on your PC and use it to run a full system scan. If Sinowal is believed to be installed on a user's PC, we recommend following the specific steps provided by leading anti-virus providers. However, the Sinowal Trojan can be challenging to detect once it is installed locally since it uses rootkit techniques designed to evade detection.

The Sinowal variant used HTML injection to add fields to web pages in order to lure end users to provide personal information which resulted in account compromise. Awareness to the sensitivity of sharing personal information can be the first line of defense against any Trojan like this. For example, users can help be better protected by spotting unusual changes to their regularly visited websites, such as those that prompt for personal information, or those that request new actions such as downloading files in order to view a video. Financial institutions should never randomly request personal information online, such as login credentials or social security numbers.

It would be a great service to everyone to know which banks and institutions have accounts that have been affected by this Trojan. I have seen several reports regarding Sinowal and have yet to see mentioned even one institution named. Similarly, I have not seen any follow-on reporting of actual cases of fraud and theft associated with this - if it is possible to quantize an estimate of stolen account incidents, it must certainly be possible to be more forthcoming regarding the specifics associated with these estimates. It would certainly be in the public's best interest to share this information, don't you think?

Thank you for sharing your questions and concerns, but we cannot provide any information of this nature because it is critically important that we protect the privacy and security of the affected institutions and their customers.

This trojan uses 2 parts according to the article; web injection and a rootkit. mwbrootkit is a Master Boot Record infection of Windows that gets in to Windows via the normal Windows-stupid architecture flaws. I'm a linux and Mac user so I don't care about this c**p. It also seems like the sinowal/torpig portion is Windows specific too.

It's hard to determine because the Anti-virus folks in the world want everyone to think that Trojans and virii effect the internet as a whole; which is a lie because it's a Window's problem.

I've seen reports of 200,000 and 300,000 and even 500,000 accounts compromised. Seems awfully like hype to me. The Anti-Virus industry needs to keep fear up so people listen to the lame marketing they engage in.

Leading anti-virus vendors have indicated that the Sinowal Trojan is specific to Windows operating environments. It's important to note that we're a research group within RSA, and the analysis of the data contained in the Sinowal drop zone clearly demonstrated the existance of more than 500,000 unique credentials, including online banking and credit card information. This information appears to have been extracted from more than 300,000 unique infected PCs, representing approximately 2,700 unique domain names. It is apparent this particular Trojan was wide-spread in its targets and infection, based solely on the extracted data. RSA has not made any inferences about other Trojans within the research published last week.

However, we do hope discoveries such as this can highlight to the everyday user that Trojans do exist and good Internet browsing habits are valuable to all. Awareness to the sensitivity of sharing personal information can be the first line of defense against any Trojan like this. For example, users can help be better protected by spotting unusual changes to their regularly visited websites, such as those that prompt for personal information, or those that request new actions such as downloading files in order to view a video. Users would also benefit by knowing that their financial institutions should never randomly request personal information online, such as login credentials or social security numbers.

I (Peter Kleissner, Software Engineer / Malware Analyst) have analyzed Sinowal. Read the article under http://www.viennacomputerproducts.com/index.php?page=analysis-of-sinowal! I've published there also the source code of Sinowal.

And to answer the question of Pete Miller, Sinowal is restricted to Microsoft Windows XP due to it's Bootkit functionality. It won't work under Vista anymore because of its different boot files and mechanism.

greetings from Vienna (Austria), Peter Kleissner

Basic Concept is a fool to think that anything but Windows is immune to malware and hacks. We have found Unix rootkit over 10MB is size and so complex it took AVP one week to analyze. Thousands of Linux servers are hacked so their stored webapges can be infected with obsucred javascript one-liners to gift trojans to visitors who use Windows. Apple is a dumbed down piece of BSD Unix, so its even worse. Bank and industrial applications show a well-cared for Windows Server is equally safe and reliable compared to Un*x, you just have to hire well-paid top-notch people to maintain them day and night. There is no absolute security bey IBM mainframes and mil-spec systems, the chinese hackers crack any Un*x like a nut, in fact any von Neumann architecture computer, where data can become program code, is inherently at risk. The only reason malware is such commodity on Windows comes down to scale of economy. Apple having a fast-growing share in higher-end laptop business, we can expect Mac malware very soon, because it will be worth targetting that user population. Several AV vendors will return to market with an Apple virus scanner product in 2009, after almost a decade of hiatus.

We wish to pass no judgement on the merits of one OS vs. another. We believe it is most important to adopt and consistently follow good security practices and Internet habits as the best method of avoiding infection and compromise. Individuals and organizations who follow these best practices for security will always minimize their risk, regardless of the OS they presently use.

Published there also the source code of Sinowal. And to answer the question of Pete Miller, Sinowal is restricted to Microsoft Windows XP due to it's Bootkit functionality. It won't work under Vista anymore because of its different boot files and mechanism.