RSA Cracks Down on Legendary Sinowal Trojan

The RSA FraudAction Research Laboratory is putting the pressure on the notorious Sinowal Trojan .

According to the laboratory, this Trojan, which it says is also known as Torpig and Mebroot, has stolen and compromised login credentials from about 500,000 online bank accounts and credit and debit cards over the course of nearly three years. It has also stolen and compromised other information such as e-mail and FTP accounts from many Websites, RSA claimed.

Now, the laboratory is upping its efforts now that it knows more about Sinowal’s source. The company shared its analysis today that suggests Sinowal had strong ties to the infamous Russian Business Network cybercriminal gang, but is no longer connected. The Russian Business Network, a major perpetrator of phishing attacks, is believed to have resurfaced in China after going underground for awhile.

Meanwhile, Sinowal’s longevity has researchers paying attention. “The average Trojan drop site has a lifecycle of a few days or weeks, but this has been collecting credentials all the way back to 2006, which makes it ancient,” Sean Brady, RSA’s manager of identity protection, told

The Trojan’s developers are highly professional, Brady said. They are building a redundant infrastructure and mirroring data across many sites to ensure high availability. “Its developers bring a perspective to it that correlates with how any business manages its IT infrastructure,” Brady said.

Security vendors and practitioners have known about Sinowal for a long time, but have not been able to do much to stop it, Brady said.

About Sinowal’s longevity

The Trojan is technologically very advanced, Brady said. It installs itself on a computer’s master boot record so it is very hard to find on the hard drive and to get rid of, Brady said.

Sinowal is also difficult to detect in action. It is polymorphic, meaning that it does not have a strict signature that antivirus companies can readily latch on to.

Growing like Topsy

One of the most startling features of Sinowal is that it has 2,700 URL triggers built into it, Brady said. That gives it a wide scope of attack, and the Trojan has stolen or compromised data of customers of hundreds of financial regions everywhere in the world except Russia, the laboratory said.

Also, Sinowal has been evolving at a dramatic pace, and the laboratory said its rate of attacks spiked upwards from March through September. During that period, it compromised and stole login credentials and other information from more than 100,000 online bank accounts, the laboratory said.

The Trojan’s creators periodically release new variants and register thousands of Internet domains so it can maintain its grip on computers it has infected, the laboratory said. When one domain is closed down, it shunts to another.

Like other Trojans, Sinowal uses an HTML injection feature that injects new Web pages or information fields into the affected victim’s browser. These injections seem like legitimate pages to the victim, but capture the victim’s data and send that back to the fraudster’s Web site, Brady said.

RSA has notified U.S. federal law enforcement agencies and notified those affected by Sinowal.

Education is the best defense against Trojans, Brady said. “You can shut down infection points, but that’s like playing Whack-a-Mole,” he said. “The most important thing is to educate consumers as to the dangers of going to sites they are not supposed to, and of clicking on links in spam e-mails they receive.”

News Around the Web