October 31, 2008
Advanced Trojan Virus Compromises Bank Info
A virus described as "one of the most advanced pieces of crimeware ever created" was responsible for the theft of around 500,000 online bank accounts and credit and debit cards, the RSA said.
The RSA, which helps to secure networks in Fortune 500 companies, said the Sinowal Trojan virus has infected computers all over the planet.
The RSA's Fraud Action Research Lab first detected the Windows Sinowal trojan in February 2006.
Brady said more than 270,000 banking accounts and 240,000 credit and debit cards have been compromised from financial institutions in countries including the US, UK, Australia and Poland.
Sinowal is now considered "one of the most serious threats to anyone with an Internet connection" because it works behind the scenes, using a common infection method known as "drive-by downloads".
Websites that have been booby-trapped with the Sinowal malicious code can infect users without them even knowing it.
The worrying aspect about Sinowal, which is also known as Torpig and Mebroot, is that it has been operating for so long, Brady said.
"One of the key points of interest about this particular trojan is that it has existed for two and a half years quietly collecting information," he said. "Any IT professional will tell you it costs a lot to maintain and to store the information it is gathering.
"The group behind it has made sure to invest in the infrastructure no doubt because the return and the potential return is so great."
The virus's creators periodically release new variants to ensure it stays ahead of detection and maintains its uninterrupted grip on infected computers, RSA researchers said.
The RSA's lab has been tracking the trojan since 2006. Brady admitted that they know a lot about its design and infrastructure but little about who is behind Sinowal.
"There is a lot of talk about where it comes from and anecdotal evidence points to Russia and Eastern Europe. Historically there have been connections with an online gang connected to the Russian Business Network but in reality no one knows for sure."
The RSA said the group is able to use the web to cloak its identity.
Google discovered hundreds of thousands of web pages that initiated drive-by downloads in April 2007. It estimated that one in ten of the 4.5 million pages it analyzed were suspect.
This year, Sophos researchers reported it was finding more than 6,000 newly infected web pages every day, or about one every 14 seconds. RSA's fraud action team said it noticed a spike in attacks from March through to September this year.
Another online security company, Fortinet, backed the report. It said that from July 2008 to September 2008 the number of reported attacks rose from 10m to 30m, including trojans, viruses, malware, phishing and mass mailings.
Derek Manky of Fortinet said the explosion in the number of attacks is alarming. "But trojans are just one of the players in the game wreaking havoc in cyberspace."
He said there are some simple steps that users can take to protect their information besides using security software.
"We have a saying here which is 'think before you link,'" said Manky.
"That just means observe where you are going on the web. Be wary of clicking on anything in a high traffic site like social networks.
"A lot of traffic in the eyes of cyber criminals means these sites are a target because to these people more traffic means more money," he said.
Users are also urged to take notice if their bank starts asking for different forms of authentication, such as a social security number or other details.
"People think not clicking on a pop up or an attachment means they are safe. What people don't realize now is that just visiting a website is good enough to infect them."
The RSA is currently co-operating with banks and financial institutions around the world over Sinowal threats. Information about the virus has been passed to law enforcement agencies.