RSA: Sinowal trojan is one of the most dangerous threats for Internet users
By dk ~ November 2nd, 2008, 10:33 pm. Filed under: News.
The RSA FraudAction Research Lab has published the results of its findings based on its tracking and research of the Sinowal Trojan, also known as Torpig and Mebroot. The data collected during almost three years indicate that this may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters.
Dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information, such as email and FTP accounts from numerous websites, has also been compromised and stolen.
Sinowal infects victims’ computers without even an inkling of a trace. The criminals behind Sinowal have not only created highly advanced and malicious crimeware, but have also maintained one of the most hidden and reliable communication infrastructures. This infrastructure has been designed to keep Sinowal collecting and transmitting information for almost three years. In addition, the stolen data has been methodically organized within a well-organized repository. Sinowal uses an HTML injection feature that effectively injects new Web pages or information fields into the affected victim’s Internet browser – and these injections seem like legitimate pages to the victim. Just as an example, Sinowal can falsely prompt an unsuspecting victim for personal information such as a social security number and other details which their bank previously pledged to never request be provided online. Even though a prompt like this is not a novel approach to stealing credentials and other information – what struck us the most was the number of URL “triggers” that cause Sinowal to actually launch this prompt and other functions: Sinowal is triggered by more than 2,700 specific URLs, which means that this Trojan quickly moves into action when users access the websites of what are now hundreds of financial institutions worldwide.
More details from RSA FraudAction Research Lab: http://www.rsa.com/blog/blog_entry.aspx?id=1378.
Kimmo Kasslin from F-Secure characterized this malware as a “Commercial-grade framework” and as a “Malware Operating System”. According to Mikko Hypponen (F-Secure), the research needed to fully understand this malware was done as a joint operation between F-Secure and Symantec. “Our fellow, Kimmo, worked together with Elia Florio from Symantec Security Response in this great example of cross-industry co-operation,” says Mikko. “The authors of Mebroot remain unknown at this time. However, it’s obvious they are well organized and well funded.”
Some details of Mebroot functionality:
- Mebroot is the most advanced and stealthiest malware seen so far
- It operates at the lowest level of the Windows operating system
- Mebroot writes its startup code to the first physical sector on the hard drive
- When an infected machine is started, Mebroot loads first and survives through the Windows boot
- Mebroot hides all changes made to the infected system
- It heavily uses undocumented features of Windows
- It creates a complex network communication system, involving pseudo random domain names
- Large parts of the code are highly obfuscated
- Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder
- All botnet communication is encrypted with an advanced encryption mechanism
- The malware has apparently gone through extensive quality assurance. It never seems to crash the systems it infects, even though it runs at the kernel level
- The Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs
- The botnet backdoor functionality is very powerful, even allowing the upload and execution of arbitrary kernel-mode modules
- As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines
More details from Mikko: http://www.f-secure.com/weblog/archives/00001510.html.
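Because Mebroot plants its startup code in the first physical sector and then hides its changes from the running system, the defensive check that follows is an offline one: compare the MBR read from a trusted environment (boot media, or a disk image) against a known-good baseline. The script below is an added example, not code from RSA or F-Secure; the 512-byte sample sectors it works on are constructed inline, and a real deployment would read the baseline and current sector from disk images instead.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440   # bootstrap code area that precedes the 4-byte disk signature
PART_TABLE_OFF = 446  # four 16-byte partition entries start here
BOOT_SIG_OFF = 510    # the sector must end with 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
        if ptype:  # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }

def check_mbr(baseline: bytes, current: bytes) -> list:
    """Compare the current MBR against a trusted baseline and return the findings."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature missing")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap code modified")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table modified")
    return findings

def build_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample MBR: the given bootstrap code plus one fixed NTFS partition entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return (bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + b"\x12\x34\x56\x78" + b"\x00\x00"
            + entry + b"\x00" * 48 + b"\x55\xaa")

CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed known-good boot code
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 6)         # constructed replaced boot code

if __name__ == "__main__":
    print("clean vs clean:   ", check_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs tampered:", check_mbr(CLEAN_MBR, TAMPERED_MBR))
```

The tampered sample keeps the partition table intact and changes only the bootstrap code, which is why a check that looks at the partition table alone would report nothing; hashing the code area is the part that catches it.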
