Sinowal Is A Serious Security Threat
By Dan Morrill
Article Date: 2008-11-03
RSA Security Blog has a fascinating digest of the Sinowal Trojan, which it reports has been in operation since 2006, compromising nearly 300,000 online banking accounts.
There is always a fascination to malware. In many ways malware can be considered an element of cyberwar, because it is one way that someone can penetrate a network while leaving few if any traces behind. What makes the Sinowal Trojan so interesting is how hard it is to detect, the huge number of variants it has, and how effective it is at what it does.
So, why is Sinowal one of the most serious threats to anyone with an Internet connection? Simply put, Sinowal infects victims' computers without even an inkling of a trace. The criminals behind Sinowal have not only created highly-advanced and malicious crimeware, but have also maintained one of the most hidden and reliable communication infrastructures. This infrastructure has been designed to keep Sinowal collecting and transmitting information for almost three years. In addition, the stolen data has been methodically organized within a well-organized repository. Almost three years is a very, very long time for just one online gang to maintain the lifecycle and operations in order to effectively utilize just one Trojan. Source: RSA Blog
What is interesting is the HTML injection feature, which only kicks in when a compromised user visits a specific URL. There are some 2700 URLs that the Trojan watches for; when one is visited it injects extra content into the page and captures the user's credentials, allowing someone else to access their bank accounts. Some AV systems will catch it and some will not, as the number of variants has been part of the problem: the size and hash value of some of the components keep changing, so AV vendors spend their time playing catch-up with the Trojan makers.
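Because the injected fields ask for data the real login page never requests, one defensive check is to compare the form fields actually rendered against a trusted baseline of the bank's own page. The following is an added example written for this article, not code from RSA or from the original post; the baseline, the clean page and the injected page are all constructed samples, and the field names (atm_pin, ssn, csrf_token) are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

# Constructed baseline: for each form action the genuine login page posts to,
# the set of input names that legitimately appear in that form. A real
# deployment would derive this from a trusted copy of the page.
BASELINE = {
    "/login": {"username", "password", "csrf_token"},
}

# Constructed sample: the bank's genuine login page.
CLEAN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample: the same page as a web-inject would render it, with extra
# fields asking for data the bank never requests on this page.
INJECTED_PAGE = """
<html><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="atm_pin">
  <input type="text" name="ssn">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""


class FormFieldCollector(HTMLParser):
    """Collect (form action, input name) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.current_action = None  # action of the form currently being parsed
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current_action = attrs.get("action", "")
        elif tag == "input" and self.current_action is not None:
            # Submit buttons carry no user data, so they are ignored.
            if (attrs.get("type") or "text").lower() == "submit":
                return
            self.fields.append((self.current_action, attrs.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None


def collect_fields(html):
    """Parse the page and return every (action, input name) pair it contains."""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def find_unexpected_fields(html, baseline=BASELINE):
    """Return (action, name, reason) findings for every field that the baseline
    does not account for: either the form posts somewhere unknown, or the
    input name was never part of the genuine form."""
    findings = []
    for action, name in collect_fields(html):
        if action not in baseline:
            findings.append((action, name, "form posts to an unknown action"))
        elif name not in baseline[action]:
            findings.append((action, name, "input not present in baseline form"))
    return findings


if __name__ == "__main__":
    print("clean page:", find_unexpected_fields(CLEAN_PAGE))
    print("injected page:", find_unexpected_fields(INJECTED_PAGE))
```

The check is deliberately independent of the Trojan's binary, so it is unaffected by the changing component hashes described above: it alerts on what the browser ends up showing the user, not on which variant put it there. A form whose action points somewhere the baseline does not know about is flagged as well, since redirecting the post is another way the captured data can leave the page.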
Overall, though, this is an interesting case study in malware, and while it has a cyber warfare possibility, it would not be unreasonable to assume that this is simply crimeware. But a Trojan that can sneak in without anyone noticing is always going to be a bad thing. As the RSA blog states later on, it also collects simple login information, and a number of FTP sites had their credentials compromised as well.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.