RealTime IT News

New Tools to Battle the Sinowal Trojan

For years, the Sinowal Trojan has stymied efforts by antivirus vendors and security experts to hunt it down. In the meantime, it has gone about its business of stealing credentials from about 500,000 bank accounts, according to security experts.

Antivirus vendor Authentium thinks it might have built a better mousetrap that will protect users against the Trojan, also known as Torpig and Mebroot.

The technique uses reverse sandboxing, chief technology officer Ray Dickenson told InternetNews.com.

Think of reverse sandboxing as doing much the same thing a white corpuscle does when the human body is invaded by a virus. It surrounds the virus and does not let it get out to attack the rest of the system. Unlike the white corpuscle, however, the reverse sandbox does not launch its own attack on the virus.

Essentially, Authentium's product, SafeCentral, uses reverse sandboxing to render the Sinowal Trojan blind and helpless, not letting it see or log keystrokes, track Web sites visited or access a user's files. It also provides a secure hidden domain name system (DNS) that is invisible to Sinowal.

"We don't trust anything about the local platform -- the TCP/IP settings, the DNS server configured there, or the DNS server of the ISP you're connected to," Dickenson said. "Those are the weak spots the bad guys can connect to."

SafeCentral installs a small security kernel into the user's operating system, which exerts policy controls over what the applications on the user's hard drive can see and do. "The Trojan doesn't have the opportunity to watch DNS lookups or browser navigate events when you look up banking sites," Dickenson said. Trojans that steal online banking data capture that data when users log on to their bank sites and send it to hackers' Web sites.

Security experts say SafeCentral's approach is viable. "It seems plausible that you could potentially isolate a process from doing things," Chris Wysopal, chief technology officer of application security analysis firm Veracode, told InternetNews.com.

Sean Brady, manager of identity protection at RSA, whose FraudAction Research Laboratory is cracking down on Sinowal, applauded SafeCentral's defense against Sinowal. "Any solution that can prevent the infection of users' PCs with Sinowal is a great thing," he told InternetNews.com.