Security: Sinowal has infected hundreds of thousands of PCs worldwide (1/1/2011)

A sophisticated cybercrime group that has maintained an especially devious Trojan horse for nearly three years has stolen login credentials of close to 500,000 online bank accounts and almost as many credit cards during that time, according to reports released today by RSA FraudAction Research Lab. The spyware is called Sinowal Trojan, also known as Torpig and Mebroot.

Sinowal has infected hundreds of thousands of PCs worldwide during its run, and it continues to attack machines. Once on a system, the malware waits for the user to enter the address of an online bank, credit card company site or another financial URL, then substitutes a fake in place of the real thing. It's triggered by more than 2,700 specific Web addresses, a massive number compared with other Trojan horses. The fake sites collect log-on usernames and passwords to banks and other financial institutions and dupe users into disclosing information those organizations never collect online, such as Social Security numbers. The Trojan then transmits the stolen credentials and data to the drop server. "This is one of the more sophisticated pieces of malware out there," said Brady. One reason Sinowal has been so successful is that it is rarely detected by antivirus software.

"They struggle to find this one," Brady said. That's not surprising. The Trojan horse includes rootkit elements that infect the PC's master boot record (MBR), the first sector of a hard drive. Because the hardware reads that sector before loading anything else, Windows included, Sinowal is nearly invisible to security software. Security vendors have complained for months about how tough the malware is to spot. RSA Security suspects that the group responsible for Sinowal is based in Russia. "The distribution was truly global, but the one statistical anomaly that we noticed was [that] Russia was the one region that had no infections." Cybercrooks will often forgo infecting machines in their own country in the hope that local law enforcement authorities will not come calling, or that if they do find out about the attacks, they'll put any action low on their priority list.

How the Sinowal loader works

Trojan-PSW:W32/Sinowal.CP drops and loads a password-stealing component on the infected system and tries to steal account information from it. It also tries to steal the information required to access certain online banks' and online payment systems' websites. Sinowal uses the normal methods to gain access to the computer being attacked. Initially most infections were via e-mail links, but it now appears that drive-by droppers, such as NeoSploit on malicious Web sites, are the attack vector of choice. Interestingly, Sinowal is selective about geographical location and incorporates an IP-versus-location lookup to focus on specific areas, and guess what, Germany is one such area. It's starting to make sense now. The way Sinowal gains a foothold on the computer is nothing short of ingenious and most likely why it's been able to survive for so long. After the initial infection, the loader remains dormant for a certain length of time. I've heard that it's around six minutes, and the sole purpose of this is to fake out malware scanners. The scanners typically run the executable in a sandbox and see what happens. Since Sinowal doesn't do anything during that window, the scanner is fooled. Sinowal is also considered a bootkit, meaning it overwrites the master boot record (MBR), allowing it to bypass Windows system functions.

The following installation steps are the results of researchers reverse engineering one variant of Sinowal:

1. Sinowal reads the MBR and copies the partition table.
2. Sinowal has its own MBR and incorporates the copied partition table into it.
3. Now the sneaky part: Sinowal appends the original MBR into the last sector of the new MBR it created.
4. Sinowal then writes the newly created MBR to disk.
5. Sinowal waits. Like all MBR rootkits, the loader is able to alter only the MBR, and a reboot is required to start Sinowal's payload boot sequence.

The payload boot sequence is an intense process. If you're interested, the details are expertly explained by Peter Kleissner in his white paper "Analysis of Sinowal." The reason for the complexity is that ultimately Sinowal will have full control over the Windows boot sequence on the infected computer.
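The installation pattern above (partition table preserved, boot code replaced, original MBR kept elsewhere on disk) is exactly what an offline integrity check can look for. The example below is added here and is not code from the article or from Kleissner's paper; the MBR bytes and the 63-sector disk image are constructed for the demo, and the boot code is filler rather than Sinowal's.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE        # partition table: 4 entries of 16 bytes, then 0x55AA at 510
PT_FMT = '<B3sB3sII'     # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    code = boot_code.ljust(PT_OFFSET, b'\x00')[:PT_OFFSET]
    table = b''.join(struct.pack(PT_FMT, s, b'\0' * 3, t, b'\0' * 3, lba, n)
                     for s, t, lba, n in partitions).ljust(64, b'\x00')
    return code + table + b'\x55\xAA'

def parse_partition_table(sector):
    """Return the four partition entries as dicts; unused slots have type 0."""
    entries = []
    for i in range(4):
        s, _, t, _, lba, n = struct.unpack_from(PT_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({'bootable': s == 0x80, 'type': t, 'lba_start': lba, 'sectors': n})
    return entries

def check_mbr(current, baseline):
    """Compare sector 0 with a known-good copy. A bootkit that keeps the partition
    table but replaces the boot code shows up as exactly ['boot code changed']."""
    findings = []
    if current[510:512] != b'\x55\xAA':
        findings.append('missing boot signature')
    if current[PT_OFFSET:510] != baseline[PT_OFFSET:510]:
        findings.append('partition table changed')
    if current[:PT_OFFSET] != baseline[:PT_OFFSET]:
        findings.append('boot code changed')
    return findings

def find_relocated_mbr(disk_image, baseline):
    """LBAs beyond 0 holding a byte-exact copy of the original MBR: a bootkit has to
    keep that copy somewhere so it can chain to the real boot code after its own."""
    return [lba for lba in range(1, len(disk_image) // SECTOR)
            if disk_image[lba * SECTOR:(lba + 1) * SECTOR] == baseline]

# Constructed sample data, not real Sinowal bytes: one bootable NTFS-type partition,
# and a 63-sector image whose original MBR was stashed at LBA 62 for this demo.
PARTS = [(0x80, 0x07, 63, 20_964_762)]
CLEAN_MBR = build_mbr(b'\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C' + b'\x90' * 8, PARTS)
INFECTED_MBR = build_mbr(b'\xEB\x20\x90' + b'\xCC' * 16, PARTS)   # same table, new code
DISK_IMAGE = INFECTED_MBR + b'\x00' * SECTOR * 61 + CLEAN_MBR

if __name__ == '__main__':
    print(check_mbr(INFECTED_MBR, CLEAN_MBR), find_relocated_mbr(DISK_IMAGE, CLEAN_MBR))
```

Because an MBR rootkit can filter reads of sector 0 from inside the running OS, run these checks against an image taken offline or from boot media.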

How To Remove The Virus (don't try this at home boys & girls)

The following instructions pertain to all current and recent antivirus products. Disable System Restore (Windows Me/XP). Update the virus definitions. Run a full system scan. Delete any values added to the registry. For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential to restore an infected file on your computer, even after you have cleaned the infected files from all the other locations. Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

How to disable or enable Windows Me System Restore
How to turn off or turn on Windows XP System Restore

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents. For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions

Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions: Obtain the latest virus definitions from your antivirus vendor.

3. To run a full system scan

Start your Symantec antivirus program and make sure that it is configured to scan all the files.

For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.

Run a full system scan. If any files are detected, follow the instructions displayed by your antivirus program.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document: How to start the computer in Safe Mode.

4. Once you have restarted in Safe mode, run the scan again. After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

5. To delete the value from the registry (really dangerous stuff)

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run. Type regedit and click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

Navigate to and delete the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\"UID" = "[COMPUTER NAME]_[UNIQUE ID]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"WinCode" = "[ENCRYPTION KEY]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"Win32" = "[MAIL FLAG VALUE]"

Restore the following registry entry to its previous value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\ntos.exe"

Exit the Registry Editor.
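Before editing anything by hand, the same artifacts can be checked for in a registry export taken from the machine. The script below is an added example, not Symantec's tool or any code from the article: it parses a .reg export and reports the entries from the list above (a "userinit" value under a Run key, extra programs chained after userinit.exe in the Winlogon Userinit value, and the WinCode, Win32 and UID values). The export text is constructed for the example.

```python
import re

# Key paths and value names are the ones in the removal list above; the .reg
# export text at the bottom is constructed for this example, not a real machine.
RUN_KEY = re.compile(r'\\CurrentVersion\\Run$', re.I)
WINLOGON_KEY = re.compile(r'\\Windows NT\\CurrentVersion\\Winlogon$', re.I)
NTCV_KEY = re.compile(r'\\Windows NT\\CurrentVersion(\\Network)?$', re.I)
NTCV_MARKERS = {'wincode', 'win32', 'uid'}   # confirm each hit manually before deleting

def parse_reg_export(text):
    """Parse [key] and "name"="value" lines of a .reg export into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"="' in line:
            name, _, value = line[1:].partition('"="')
            # .reg files double every backslash inside string data
            keys[current][name] = value.rstrip('"').replace('\\\\', '\\')
    return keys

def audit(keys):
    """Return one finding per artifact from the removal list that the export contains."""
    findings = []
    for key, values in keys.items():
        lowered = {n.lower(): v for n, v in values.items()}
        if RUN_KEY.search(key) and 'userinit' in lowered:
            findings.append(f'{key}\\userinit = {lowered["userinit"]} (userinit does not belong under Run)')
        if WINLOGON_KEY.search(key) and 'userinit' in lowered:
            # the legitimate value is userinit.exe alone; anything else after the comma is chained in
            extra = [p.strip() for p in lowered['userinit'].split(',')
                     if p.strip() and not p.strip().lower().endswith('userinit.exe')]
            if extra:
                findings.append(f'{key}\\Userinit chains extra programs: {", ".join(extra)}')
        if NTCV_KEY.search(key):
            findings += [f'{key}\\{n} present' for n in values if n.lower() in NTCV_MARKERS]
    return findings

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"userinit"="%System%\\ntos.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"WinCode"="[ENCRYPTION KEY]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="%System%\\userinit.exe, %System%\\ntos.exe"
'''
```

Run `audit(parse_reg_export(open('export.reg', encoding='utf-16').read()))` against a real export (regedit writes UTF-16) to get the list of entries to review.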