Unpleasant reading

Rik · Nov 01, 2008, 11:43:17

El Reg has a story on the Sinowal trojan.

QuoteA well-organized crime gang has stolen credentials for more than a half-million financial accounts in less than three years using a sophisticated trojan that remains undetectable to the vast majority of its victims, a report published Friday warns.

The haul of bank, credit, and debit card account numbers stolen by the Sinowal trojan is among the largest ever discovered. It was unearthed by researchers at RSA's FraudAction Research Lab. They say the program, which is also known as Torpig and Mebroot, has been operating non-stop for almost three years, an unusually long time in the fly-by-night world of cybercrime.

"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006," RSA researchers wrote.

What's more, Sinowal has only managed to become more productive over time. In the past six months, it has compromised more than 100,000 accounts. Since February, the number of variants has spiked, from fewer than 25 per month to more than 70, according to RSA. The increase helps the malware evade detection by anti-virus programs.

In all, the trojan has infected at least 300,000 Windows machines and stolen 270,000 online banking account numbers and 240,000 credit and debit credentials.

Sinowal is impressive for other reasons as well. Unlike many trojans, it doesn't rely on tricking the end user into clicking on a link or file to get installed. Rather, it spreads silently via websites that prey on unpatched vulnerabilities in the Windows operating system or in third-party applications, such as Adobe Flash and Apple's QuickTime media player.

"This particular trojan can get installed without even awareness of the end-user that they have agreed to anything or that anything has been installed," Sean Brady, manager of identity protection at RSA, said in an interview.

Simon · Nov 01, 2008, 11:54:40

It's worrying, isn't it? I'll be keeping a close eye on my bank account / credit card activity.

Tacitus · Nov 01, 2008, 12:05:51

Quote from: Simon on Nov 01, 2008, 11:54:40
It's worrying, isn't it? I'll be keeping a close eye on my bank account / credit card activity.

Will it only install via an admin level account? Since most people, probably unknowingly, run as admin it could be it requires no password for it to install.

Whether those who run as user would be relatively safe - or at least get a heads up by an admin password request - would be interesting to know. I do know there was a privilege escalation exploit for QTime a while ago.

One reason I never use file sharing sites......

Rik · Nov 01, 2008, 12:07:14

Me neither, Tac, I'm just not comfortable opening a machine of mine up to the world.

Simon · Nov 01, 2008, 12:31:15

It's a shame they can't tell us exactly which financial institutions may have been attacked, then at least we might have some idea as to which accounts to be more vigilant over.

Rik · Nov 01, 2008, 12:33:34

I just watch them all like a hawk these days, Simon.

Inactive · Nov 01, 2008, 12:34:37

Ditto, almost obsessively ...

Rik · Nov 01, 2008, 12:35:28

It's a pain doing the rounds each day, isn't it.

Inactive · Nov 01, 2008, 12:36:28

It is Rik, but peace of mind and all that.

Rik · Nov 01, 2008, 12:40:12

Indeed.

Sebby · Nov 01, 2008, 12:43:43

Another one to watch out for. Thanks, Rik.

Glenn · Nov 01, 2008, 13:09:24

It's a nasty blighter to get rid of too

Rik · Nov 01, 2008, 13:10:44

The voice of experience, Glenn? What lengths did you have to go to?

Glenn · Nov 01, 2008, 13:18:29

As far as I know, I have never had it. I was just reading through a few forums about it after you posted, here is one.

Rik · Nov 01, 2008, 15:27:29

Thanks for that.

Tacitus · Nov 01, 2008, 16:09:47

I think it's getting to the point where even a fairly ordinary domestic setup is going to require a UTM firewall with automatic AV updates done in real time. That's apart from any machine specific installation.

These things don't come cheap either. A Zywall 5UTM comes in at near £600 and that's by no means the most expensive.

Rik · Nov 01, 2008, 16:10:54

I agree, Tac, which is why I'm thinking that the time will come when we'll use dumb terminals and all the security will be handled at the ISP end.

Tacitus · Nov 01, 2008, 16:13:33

Quote from: Rik on Nov 01, 2008, 16:10:54
I agree, Tac, which is why I'm thinking that the time will come when we'll use dumb terminals and all the security will be handled at the ISP end.

Just like the good old days of mainframes and green screens.

Rik · Nov 01, 2008, 16:33:55

Indeed. They had a benefit.

esh · Nov 04, 2008, 12:33:00

Had a strange £5 transaction come up on one of our cards recently. It was obviously a phone top up thing, but from the other side of the country... suspicious, yes? Ironically, they wouldn't block the card until there had been three "suspicious transactions". Had to really push about it. Don't you think that's rather odd? Who knows where the details got leaked. Seems the UK is bit like a sieve for customer data protection.

Sebby · Nov 04, 2008, 13:00:57

Worrying, isn't it?

Inactive · Nov 04, 2008, 13:08:56

It certainly appears to be getting worse.