back to article Undetectable data-stealing trojan nabs 500,000 virtual wallets

A well-organized crime gang has stolen credentials for more than a half-million financial accounts in less than three years using a sophisticated trojan that remains undetectable to the vast majority of its victims, a report published Friday warns. The haul of bank, credit, and debit card account numbers stolen by the Sinowal …

COMMENTS

This topic is closed for new posts.
  1. Pierre
    Thumb Down

    Ties to Russia?

    Because it has no target there?

    Does it have any target in the Vatican? If not, methink the Pope did it.

  2. Anonymous Coward
    Anonymous Coward

    Ties to Russia?

    I just think there are no many financial institutions in Russia which can be targeted with this trojan. Russia is really inert country in this way.

  3. Matt Aldred
    Thumb Down

    Ties to Russia?

    Absolutely, having lived in Russia I found that the few banks that do offer online banking, only allow extremely limited transactions to be carried out online. The account I had allowed me to check my balance and move money between my own accounts in the same bank (which still took 2 business days). Not much use to criminals.

  4. J
    Linux

    Say what you will...

    I can rest assured I'm still unaffected.

  5. Rick Dickinson
    IT Angle

    So, let me get this straight

    So, let me get this straight: the only way to clear up a Master Boot Record (MBR) infection is to reformat the disk & reinstall the OS?

    Whatever happened to fdisk /mbr ?

    Where's the IT expertise?

  6. Anonymous Coward
    Paris Hilton

    Really?

    If this is the worst thing since sliced bread and has been going on since 2006, what do the AV companies say;

    Symantec - No hits, only 1 on a name variant

    Sophos - Rated low to medium

    Panda - Rated 1 (out of 5) for low risk.

    OneCare - Medium.

    However, RSA and F-Secure who were running a conference which included a report about it say talk about the "advanced and stealthiest malware seen so far" for one of the variant. That is the same variant that Symantec list as "Risk Low". I'm not saying there is no risk, but a little investigation would be a nice idea for el reg.

    Paris, cos errr, I like the picture.

  7. Steven Knox
    Stop

    Bollocks!

    "It then hides itself on a computer's master boot record, making the infection extremely difficult to find. About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system."

    Any PC manufactured within the past 10 years has MBR protection built into the BIOS, and good antivirus software has had MBR protection for at least 15.

    Also, a quick check of the major AV vendors' sites indicates they are all aware of this trojan and can detect and remove it.

    Finally, you can easily find (and fix) an MBR infection by simply booting off any disk other than the standard one and running the tool of your choice. Reformatting a partition does NOTHING to the MBR. The jackass who told you to reformat is simply giving IT pros a VERY bad name.

  8. Les Matthew

    Re: Bollocks!

    Won't "fdisk /mbr" fix it?

  9. Maf Norton
    Stop

    Ill informed

    Has the author cut and pasted this from a random spam e-mail?

    Terrible cut and paste reporting, old story with nothing to back it up.

  10. Joseph Helenihi
    Joke

    Re: Bollocks!

    "It then hides itself on a computer's master boot record, making the infection extremely difficult to find. About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system."

    "extremely difficult to find."

    Yes, if you simply stare at the monitor and murmur hmmmm, and don't dare touch the keyboard or mouse.

  11. ender

    MBR?

    I'm really interested in how exactly the trojan hides itself in the MBR - after all, there's only 446 usable bytes there, and the MBR is executed in real mode (and has to start the bootloader), while the OS runs in protected mode.

  12. Anonymous from Mars

    Undetectable? Of course!

    The article says that the malware is undetectable to its victims, which makes sense, considering that the victims of said malware are going to be people with unpatched machines running with no AV software.

    I could imagine a story like this being run on the nightly news programs, but I certainly hope El Reg's readership at least takes basic security steps.

  13. Destroy All Monsters Silver badge
    Dead Vulture

    D'oh!

    I agree with the MBR remarks. That would be the oldest trick in the book (fond memories of "Something wonderful has happened. Your AMIGA is alive" appearing on the screen...).

    Additionally, the "Big Brother Piercing Eyes" image should _not_ go with articles about mob-spawned surveillance evil, but exclusively with those about gummint-spawned surveillance evil, which is generally greater, although elected representatives and Reinhard Heydrich would of course disagree.

  14. Andrew Moore

    Sheesh...

    An undetectable master boot virus- pull the other one.

    I smell bullshit.

  15. Tony Smith

    @Rick Dickinson

    Whatever happened to fdisk /mbr ?

    It's an undocumented command, like most of Microsofts APIs.

  16. Jonathan McColl

    Fdisk /mbr

    My memory of learning MCDST stuff suggested the Recovery Console, cos fdisk /mbr was useful for older Windowses, but not XP--oh look, googling it got that sort of answer too. I love this modern stuff from the early 21st century.

    And I agree with the Monster Destroyer remark about Big Brother: you brought him in to illustrate government things like ID and national databases, not for Mysterious Russian Ties

  17. Anonymous Coward
    Black Helicopters

    Rooting for beginners

    IT Support: What's your problem?

    Mr Twitter: I have found something belonging to the Federalnaya Sluzhba Bezopasnosti Rossiyskoy Federaciyi in my MBR.

    IT Support: You're wrong pal. The MBR is owned by the NSA.

  18. Anonymous Coward
    Anonymous Coward

    (in)security by obscurity

    > Any PC manufactured within the past 10 years has MBR protection built into the BIOS, and

    > good antivirus software has had MBR protection for at least 15.

    And another good check will tell you that most PCs do not have MBR protection built in since the last 5 years (I've never seen this option in motherboards I bought since 2003, particularly high-end ones), and a handful of antiviruses nowadays do not scan the MBR anymore.

    That's nice, virus-scanner companies. Forget MBR. And then it comes back to bite you.

  19. David Wilkinson
    Thumb Down

    Bad headline I assumed it means undetectable by AV

    I though it was going to be some super stealth virus able to hide from most AV software.

    Instead its undetectable only if you run your machine without AV or updates you will get infected without user interaction and without visible symptoms.

  20. blackworx
    Dead Vulture

    Quick!

    Get the bullshit repellent before we're all smothered!

    Need to find a pair of golf shoes... Impossible to get a footing in this muck.

  21. Sceptical Bastard

    MBR-only trojan?

    I remember the /MBR switch to FDISK from WinNT4 days but is it still there in the '5' variants? Even if it is, as far as I remember it only rewrote the actual master boot record which is under 500b - must be a pretty tightly-coded trojan.

    Er, what am I missing here?

  22. TimM

    MBR again

    For what it's worth, Avast! and I believe AVG do MBR scanning. I'd be surprised if any of the top names don't.

    As for the MBR method. From what I can tell, the code in the MBR is essentially a bootstrap for the more sophisticated code stored elsewhere. Whilst the MBR code may not be easily detectable, the code it launches should be.

    However, Sinowal has been know about for a long time and the fuss over the MBR/rootkit variant dates back to at least January this year and long since had antivirus definitions covering it. That said, Avast! have released a new one today for another Sinowal variant.

    Also has to be said that a very simple protection from this is to run with non-admin rights (or use Vista with UAC enabled), as to modify the MBR it needs admin rights.

    Sadly, running without admin rights in Windows is still an annoyance.

  23. James O'Shea
    Jobs Halo

    hmmm

    MBR? Wot's a MBR? Some of us don't use machines which have any such thing... <http://en.wikipedia.org/wiki/GUID_Partition_Table>.

  24. Anonymous Coward
    Paris Hilton

    @james o'shea

    Seems like you're not only smug, wrong and smell faintly of wee, you also don't follow your own links:

    "Current PC BIOS schemes use a Master Boot Record (MBR) to begin the process of initializing the disk. The MBR begins with an entry called the Master Boot Code, which contains an executable binary for the purpose of identifying and booting the active partition. EFI instead contains this capability itself, but to maintain backwards compatibility, GPT retains the MBR entry as the first sector on the disk followed by a Primary Partition Table Header, the actual beginning of GPT."

    Paris, 'cos.

  25. Sceptical Bastard

    @TimM

    Quote: "Sadly, running without admin rights in Windows is still an annoyance"

    Is it? If so, the annoyance is far outweighed by the additional protection IMO.

    I cannot speak for Vista UAC (not enough experience yet) but with NT4/5 systems (NT, W2K, XP et al), I've always logged on as a restricted user and only used Administrator for specific tasks (and then usually via 'Run As...' ). If I'm logged on as an admin for any reason, internet-exposed apps run under DropMyRights.

    Same with Linux machines: I only log on as root if I have a specific task that cannot be achieved as a user.

    IMO, one of the great weaknesses of Windows is that by default it installs as a one-user system with full admin privileges - that's why most home users run as admins.

    I'm a Linux fanboy but I happily concede that Win NT derivatives are reasonably secure if set up specifically as hardened systems - that includes keeping the OS fully patched, operating it with reduced user privileges, shutting down any unnecessary services and their associated ports, using only carefully-selected internet-facing applications, and only connecting to the network through a properly-configured and effective firewall.

    Bunging XP out-of-the-box on a machine then running it unpatched as an Administrator to make payments on the web via a 'DSL modem' and IE is just asking for trouble.

  26. Bruce Ordway

    Symantec doesn't seem too worried about this one.

    Threat Assessment - Wild

    * Wild Level: Low

    * Number of Infections: 0 - 49

    * Number of Sites: 0 - 2

    * Geographical Distribution: Low

    * Threat Containment: Easy

    * Removal: Easy

  27. James O'Shea
    Jobs Halo

    Poor old AC

    M'man, while it's true that GUID use MBR stuff, Macs don't care. MBR-based attacks simply don't work there, if only because the executable payloads won't run on Macs... unless they boot into Windows. And, due to the way Boot Camp executes, MBR-based attacks won't work even then. If Apple used an MBR-based system then they would. Apple used GUID for several reasons.

    And, yes, I'm smug. With reason. I haven't had a malware attack, of any kind other than phishing, which would actually work on any Mac in my care since 1998... and that one didn't get far. The last one before that was around 1992... and that one didn't get far, either. (I have had Windows malware try to install itself on Macs... and very funny it was to watch it try, too.)

    I haven't even bothered installing antivirus on any Mac since OS X arrived, with the sole exceptions of machines which have to be connected to networks where management has decreed that all computers have antivirus; those machines have AV installed and running because management says so and only because management says so.

    If someone comes up with a real threat then I'll be concerned. 'Til then, well, AV stuff simply is of no concern to me. Even phishing attempts, the only malware which can get on my machine, are mostly of amusement value only 'cause the phishermen have no idea what usernames I use for my various phishable accounts. (Hint: I use one specific email account for all my phishable accounts, so mail sent to any other account is instantly identified as phishbait...)

  28. The Reg-ular
    Gates Horns

    Older than that

    "Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006."

    Actually, the first Torpig attacks were launched in late 2005. That was before the MBR infection functionality was added (the versions known as Mebroot) at the turn of 2008, based on the BootRoot research project at eEye way back in 2005.

    Given what's been learned from other long-lived crimeware operations, like Coreflood, and about the capabilities of the Torpig attackers, I would be surprised that only half a million accounts have been compromised thus far.

    The encoded format of the stolen data sent to the attacker's (yes, mostly Russian) web sites remains essentially unchanged. This tool will decode logs of Torpig/Anserin/Sinowal/Mebroot network activity, so incident responders can tell what exactly the bad guys were able to get a hold of (assuming the activity is logged and retained):

    http://www.secureworks.com/research/tools/untorpig/

    Quoting Elia Florio at Symantec:

    "The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska. The attack is called the 'Pagefile Attack'."

    ... so Evil Bill it is.

  29. The Reg-ular

    @MBR-only trojan?

    Good eye! The entire trojan does not fit in the MBR, What the old school VXers call the dropper -- the .EXE (or more likely then, .COM file; remeber those?) that placed the data on the disk -- placed a small snippet of code in the MBR to load the rootkit/bootkit code stored on sectors at the END of the disk. The r/bootkit code can also hide OS-hosted components that can still update and reinstall the code in the MBR and unallocated sectors, so no, FDISK /MBR may not disable the Trojan completely, but it makes it more likely that detection might work on subsequent reboots, at least until the pre-OS code is reinstalled.

  30. john

    It's the Geography stupid

    "While the trojan targets institutions in dozens of countries in North America, Europe and Asia, none were located in Russia"

    All you smart techy guys and not one of you notices there are only 3 countries in North America. So "targets institutions in dozens of countries in North America,..." should cue you. This was all a BIG JOKE. Lam3r5

  31. Henry Cobb
    Dead Vulture

    @Sceptical Bastard

    So it is harder to use windows safely than linux safely?

    Can we trick Balmer (no icon yet?) into funding a TCO study on this?

    But the real problem remains that el Reg lacks a "Press Releases" tab to file this kind of stuff into Write Only Memory.

  32. Zmodem

    sub7

    you can target anywhere with any trojan. even sub7. all you have to do is compress parts of the exe file. with a compressor thats not upx

  33. Anonymous Coward
    Thumb Up

    AV companies...

    @Bob Mallett

    ... did write about it, try: http://www.viruslist.com/en/find?search_mode=full&words=Sinowal

  34. Mathew Coomber
    Stop

    It's true

    I know, it's hard to believe but everything they say about this virus is true, undetectable, stealthy and according to Microsoft and Symantec as well as other reliable sources, not only will this steal all your bank details, it will also automatically buy a life times supply of Viagra, send a small deposit to a Nigerian lottery so you can collect your jackpot, it sends the required sum to the State Bank of Iraq so Mr Hussein's vast wealth (which he left without a will) can be deposited into your bank account, allowing you to keep 50% of this sum for your troubles and it is responsible for the current financial crisis facing so many countries....

  35. N

    FUD?

    Seems high on the FUD here as all the major AVs dont rate it that much of a threat...

    this lot think otherwise

    http://www.threatexpert.com/report.aspx?uid=3ea445f3-2f4f-48f1-8e60-9693dcb8d764

    But I did get an email saying my computer was infected with a new and dangerous virus spreading rapidly and not detected by Sophos, McAfee or Symantec, it was sent from Bill Gates & I had to re-format my hard disc then pass it on to everyone I knew? difficult but I tried my best & now life is beautiful...

    On my Mac.

  36. g00p
    IT Angle

    Teehee!

    I hid in the MBR for 3 whole minutes before the other kids counted to 100 and found me.

  37. J
    Coat

    @john "It's the Geography stupid"

    "institutions in dozens of countries in North America, Europe and Asia"

    Erm... did you forget the joke icon or are you just a dumb ass?

    Damn, I just fed a troll; there goes a kitty...

  38. TimM

    @Sceptical Bastard

    Problem is (with XP at least), whilst I can (and have done in the past) run with separate administrator and user accounts, switching between the two, even with "fast user switching", is a slow and painful process. "Run as" is great, until you find that an application you're installing wants to add things to the start menu and/or desktop, and it goes and adds them to the administrator's profile, not yours, so you have to log in fully as administrator to copy the shortcuts to your profile or the all-users profile. Similarly Samba shares in particular become a pain as they authenticate across the network as administrator, which is not a good thing at all, rather than the local user. All just because one part of an app requires administrator access.

    And then I found there were just so many applications that needed administrator rights, that "run as" was getting a pain. A few wouldn't work at all without logging in fully as administrator. More so if you're doing any development work.

    Oh, and worse, if you're on a domain, "fast user switching" is not available.

    Not impossible, but it makes life hard. Much harder than it is in unix land.

    However the other approach of making Internet enabled apps run as underprivileged users is workable. For most people that's only going to be a handful of apps. Backed up with a firewall that blocks all outbound traffic until authorised, on top of robust inbound firewalls, plus a hardware NAT router firewall on top, and it's very hard for anything to sneak in. Essentially the restriction of rights needs to be applied to Internet apps mainly.

This topic is closed for new posts.

Other stories you might like