October 31, 2008 6:00 AM PDT

1 Trojan + 3 years = 500,000 online financial accounts

by Elinor Mills

RSA FraudAction Research Lab has discovered log-in information for about 300,000 online bank accounts and 250,000 credit and debit card accounts that have been gathered by a cybercrime gang over the past three years using the Sinowal Trojan.

"This may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," according to a blog entry posted Friday from RSA, EMC's security unit.

The Sinowal Trojan infects computers without the owner knowing it by surreptitiously planting itself onto the computer while the owner is Web surfing, in an attack dubbed a "drive-by download."

The malicious code is typically hidden on an unfamiliar Web site, often related to porn or gambling, but can also be found lurking on legitimate Web sites, says Sean Brady, manager of identity protection at RSA.

The Trojan is programmed to execute when the victim visits a particular banking or financial Web site; it is triggered by more than 2,700 specific URLs, according to RSA. The malware then inserts additional fields into the victim's browser prompting the victim to type in information such as PIN and Social Security number, which the Web site itself does not ask for.
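The mechanism described above, malware injecting extra input fields into a bank's real page, leaves a detectable trace: the form the victim saw contains names the bank never defined. The following is an added example, not RSA's code or anything from the Sinowal analysis; it parses a captured copy of a page and diffs its form fields against a constructed baseline of the fields the genuine login form is known to have. The field names, form id and sample pages are all constructed for the example.

```python
"""Flag form fields that a captured bank page should not contain.

Added example (not from the original article).  The baseline of expected
fields and the two sample pages below are constructed for illustration.
"""
from html.parser import HTMLParser

# Constructed baseline: field names the bank's genuine login form contains,
# keyed by the form's id.
EXPECTED_FIELDS = {"login": {"username", "password", "csrf_token"}}


class FormFieldCollector(HTMLParser):
    """Collect the input/select/textarea names inside each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # form id -> set of field names
        self._current = None   # id of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id") or a.get("name") or f"form{len(self.forms)}"
            self.forms.setdefault(self._current, set())
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            # Submit buttons carry no user data, so they are not part of the baseline.
            if name and (a.get("type") or "").lower() != "submit":
                self.forms[self._current].add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def unexpected_fields(html, expected=EXPECTED_FIELDS):
    """Return {form_id: [extra field names]} for every form that deviates.

    A form whose id is not in the baseline at all is reported with every
    field it has, since an unknown form on a login page is itself suspicious.
    """
    parser = FormFieldCollector()
    parser.feed(html)
    extras = {}
    for form_id, fields in parser.forms.items():
        baseline = expected.get(form_id)
        if baseline is None:
            extras[form_id] = sorted(fields)
            continue
        diff = fields - baseline
        if diff:
            extras[form_id] = sorted(diff)
    return extras


# Constructed sample: the page as the bank serves it.
CLEAN_PAGE = """
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" name="go" value="Log in">
</form>
"""

# Constructed sample: the same page after a man-in-the-browser injection,
# with two fields the bank never asks for.
INJECTED_PAGE = """
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="pin">
  <input type="text" name="ssn">
  <input type="submit" name="go" value="Log in">
</form>
"""

if __name__ == "__main__":
    print("clean page:", unexpected_fields(CLEAN_PAGE))
    print("injected page:", unexpected_fields(INJECTED_PAGE))
```

The check is only as good as the copy of the page it is given: malware that rewrites the DOM in the browser can also remove a script that runs there, so the comparison belongs on a captured page (a support case, a crawl made from a suspect machine) or in server-side checks on what a submitted form actually contained, not solely in page JavaScript.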

This chart shows the rate at which the Sinowal Trojan has been compromising online bank accounts since early 2006. (Credit: RSA)

The account information has been stolen since at least February 2006, uninterrupted, and includes e-mail and FTP accounts, according to RSA.

The company has alerted law enforcement and has provided the compromised account information to the financial institutions involved, Brady said in an interview on Thursday.

"This could be a wake-up call for institutions and end users who have ignored the fact that Trojans are out there," he said.

The Sinowal Trojan has had ties to the identity theft organization known as Russian Business Network, but the hosting facilities of the malware appear to no longer be connected to that group, according to RSA.

"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006," the blog post says. "And in addition to its longevity, Sinowal has also been evolving at a dramatic pace - its rate of attacks spiked upwards from March through September of this year."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by JimDibb October 31, 2008 6:29 AM PDT
So, how do you know if you have it?
by skswave October 31, 2008 6:38 AM PDT
To eliminate the risk to Trojans all that needs to be done is to have the banks enable support for the Trusted Platform Module. TPMs have been shipped on over 275 million PCs and the volume is still increasing. This technology would allow for a secure bonding between that PC and the bank that is based on highly reliable technology. The PC industry has provided the capability but it is now time for the Financial services industry to join the parade. Once a PC is bonded to the service provider, the consumer will have a secure channel to conduct business. The secure authentication is based on secret keys held in hardware that are specifically created for that individual account. The user gets a better experience and the bank has a high level of assurance that the user is who they say they are. It is impossible for a trojan to steal the secret keys held in the TPM as the hardware would have to be compromised which is not possible with software. Ask your financial institution when they will begin supporting the TPM and ask your employer as well. There is no reason to continue to rely on Username and Password. With over 140 companies supporting the TPM as an industry standard hardware component, it is a great vendor neutral Standards based solution to security.

Steven Sprague
Wave Systems Corp.
by Vegaman_Dan October 31, 2008 7:53 AM PDT
TPMs are an interesting idea, but hardly the solution. They already have forked in versions which are not backwards compatible. If you have your account locked to one TPM, then you cannot access it with another computer. If you ever have your system board changed, you lose access as well as the TPM is part of that system board. Even doing things like updating the BIOS can wreak havoc.

It's a nice idea, but the real world practicality just isn't there yet.
by Hunnter2k3 October 31, 2008 7:57 AM PDT
This is simply delusional.
There is no such thing as a 100% secure system.

If a trojan gets onto a computer, it is capable of getting any information from any device wired to it.

The only way to prevent something like this would be an embedded OS that takes control over the OS below whenever something tries to access the TPM hardware, and whether to allow or disallow.
No chance in that happening any time soon.
by Imalittleteapot October 31, 2008 8:13 AM PDT
Wait, like so how does that work exactly? Like, if my computer breaks and then I get a new one it's a different TPM, but I can't log into the website with my old TPM to switch over to the new TPM because my old TPM is broken and I can't authenticate. How do I log in at work and my mom's house if the bank only trusts my TPM? What about my laptop? How do I get my gigantic desktop PC in that little slot in the ATM machine? What if I don't even have a computer but just want to check my balance at a friend's house?

Anyway, the way this trojan works, I don't think it'll help. With a slight mod it could just serve up another page that looks almost like your bank's website and just do a standard phishing attack. Even though your bank may not normally ask for account information or pin number the fake site may anyway. Many people will still fall for it. Just like when your ISP says we will never ask for your password, but as soon as people get a fake email asking for it they reply back with their password. It's just stupid human nature.

Now it's another form a security. Yes it would stop some attacks, but people will never use it because people will lose the ability to log in from any machine. Is it dumb for them to be logging into their bank account from just any old machine? You betcha! Will stupid people complain anyway if they can't do that? You betcha! If people lose convenience they will not use it. The best we could probably ever do is use smartcards that plug into the computers USB port to auth websites and a USB port on ATM machines and cash registers. It's different, but it's similar enough to what people already do. They could be authenticating with public/private key technology where the private key never has to leave their handheld device.

Now, maybe I just don't get TPM, but that's the problem. Apparently TPM isn't very intuitive either let alone it's other flaws. Like when it started out as another failed DRM technology to restrict what I can and can't do with my own machine. Not so I could trust it, but so big companies could trust my machine to take orders from them instead of me in case I'm pirating their stuff. I really don't want anything to do with that even if it's simply because of how it got started in the first place.
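Both the TPM proposal earlier in this thread (per-account secret keys held in hardware) and the smartcard variant above (a private key that never leaves the handheld device) come down to the same protocol: the bank sends a fresh challenge, the device answers with a value only the enrolled key can produce, and the secret itself is never typed or transmitted, so a keylogger or injected form field has nothing to capture. The following is an added example written for this page, not code from either commenter or from any TPM or smartcard vendor. It models the device as an object whose secret is private and only exposes a respond() method, and uses an HMAC-SHA256 challenge-response (the symmetric form; a public-key token works identically with sign/verify). Account names, key sizes and the 60-second challenge lifetime are assumptions.

```python
"""Hardware-bound challenge-response login, as an added illustration.

Not from the original thread.  HardwareToken stands in for a TPM or smart
card; the bank never sees the secret after enrollment, only responses to
one-time challenges.  Names, key sizes and the TTL are assumptions.
"""
import hashlib
import hmac
import secrets
import time


class HardwareToken:
    """Simulated device: the key is private and only respond() is exposed."""

    def __init__(self, secret: bytes):
        self._secret = secret  # in real hardware this never leaves the chip

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class BankServer:
    """Issues one-time challenges and verifies responses per enrolled account."""

    def __init__(self, ttl_seconds: int = 60):
        self._keys = {}       # account -> enrolled per-account secret
        self._pending = {}    # account -> (challenge, expiry time)
        self._ttl = ttl_seconds

    def enroll(self, account: str) -> HardwareToken:
        """Create a key for this account only; provision it into the device."""
        secret = secrets.token_bytes(32)
        self._keys[account] = secret
        return HardwareToken(secret)

    def issue_challenge(self, account: str, now=None) -> bytes:
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(16)      # unpredictable, single use
        self._pending[account] = (challenge, now + self._ttl)
        return challenge

    def verify(self, account: str, challenge: bytes, response: bytes, now=None) -> bool:
        """True only for a fresh, unexpired challenge answered with the enrolled key."""
        now = time.time() if now is None else now
        # pop() makes the challenge single-use: a replayed response fails.
        pending = self._pending.pop(account, None)
        if pending is None or account not in self._keys:
            return False
        expected_challenge, expiry = pending
        if now > expiry or not hmac.compare_digest(expected_challenge, challenge):
            return False
        expected = hmac.new(self._keys[account], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    """Exercise the protocol: genuine login, replay, wrong device, stale challenge."""
    bank = BankServer()
    token = bank.enroll("acct-1")          # constructed account name

    c1 = bank.issue_challenge("acct-1")
    r1 = token.respond(c1)
    genuine = bank.verify("acct-1", c1, r1)
    replay = bank.verify("acct-1", c1, r1)  # same response a second time

    c2 = bank.issue_challenge("acct-1")
    impostor = HardwareToken(secrets.token_bytes(32))  # key not enrolled
    wrong_device = bank.verify("acct-1", c2, impostor.respond(c2))

    c3 = bank.issue_challenge("acct-1", now=0)
    stale = bank.verify("acct-1", c3, token.respond(c3), now=1000)

    return {"genuine": genuine, "replay": replay,
            "wrong_device": wrong_device, "stale": stale}


if __name__ == "__main__":
    print(run_demo())
```

This answers the key-theft concern but not the one raised in the follow-up comment: a Trojan on the same machine cannot extract the key, yet it can still ask the device to sign a transaction the user never intended, which is why tokens with their own display and confirm button exist.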
by Imalittleteapot October 31, 2008 8:17 AM PDT
Oh and one more thing, even if we all had and used smart card devices instead of credit cards and username/password, even though I might trust that technology, I still wouldn't use it on a machine I knew had a trojan because once it's compromised it's compromised. You can no longer trust anything that machine tells you.
by 42istheanswer October 31, 2008 6:47 AM PDT
Wow, this is just stunning. I don't know whether to laugh till I choke or weep rivers of tears.
by Lazlo666 October 31, 2008 7:14 AM PDT
and when do we get to know who has been compromised? not a fun thing to contemplate.
by Mike Acker October 31, 2008 12:29 PM PDT
Wolfgang Stiller offered the answer to your question, years ago, on the DOS platform. His product was called Integrity Master.

a simple concept actually, it just made an inventory of the programs on your computer together with a 32-bit CRC (digital signature) for each program. That way you could check to find if you had anything new, anything missing, anything changed.

hunting through your computer's terabyte hard drive for something you have no description of doesn't work. the days of anything goes cowboy programming have got to come to an end.

authorized programming only must become the order of the day.
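The inventory-plus-checksum idea described in the comment above is file integrity monitoring, and it is easy to implement. The following is an added example written for this page, not Integrity Master's code or the commenter's. It snapshots a directory tree as a map of path to digest, then compares two snapshots to report exactly the three categories the comment names: new, missing and changed files. SHA-256 is substituted for the 32-bit CRC, since a CRC is a transmission check that an attacker can trivially make match; the sample tree and file names are constructed inside a temporary directory.

```python
"""Baseline-and-compare file integrity check, as an added illustration.

Not from the original thread or from Integrity Master.  SHA-256 replaces the
32-bit CRC the comment describes.  The sample files in run_demo() are
constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Inventory every file under root as {relative path: digest}."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inventory[rel] = file_digest(full)
    return inventory


def compare(baseline: dict, current: dict) -> dict:
    """Report what is new, what disappeared and what changed content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"original program")
        _write(root, "bin/helper.dll", b"helper library")
        _write(root, "etc/config.ini", b"setting=1\n")
        baseline = snapshot(root)

        # Simulated tampering: a new library dropped, the program patched,
        # and a config file removed.  All names are constructed.
        _write(root, "bin/dropped.dll", b"not in the inventory")
        _write(root, "bin/app.exe", b"original program + patch")
        os.remove(os.path.join(root, "etc", "config.ini"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(run_demo())
```

The baseline only means something if it is stored where the monitored system cannot rewrite it, and if it was taken before the compromise; a snapshot taken after infection simply enshrines the malware as "known good".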
by Imalittleteapot November 1, 2008 1:51 AM PDT
Mike Acker:

Are you suggesting only certain people should be allowed to program? What is authorized programming? What is it? I've never heard of such a thing.

If only certain people could program you can say goodbye to Linux (which is more secure than Windows, yet programmed by anyone that wants to contribute), Opera, Firefox, Open Office, MySpace, Facebook, the GIMP, Chrome, YouTube, InkScape, Pidgin, Trillian, and maybe even Photoshop, Adobe, or Google and the list never ends. I mean who's to say what won't be authorized? Sure, they're all big names now, but when they were starting out would they have been given permission? Will their next upgrade be authorized?

To do what you suggest you'd have to shut down every blog, message board, MySpace+Facebook profile and social app, and any site that has user generated content because people communicate more with HTML and JavaScript than they do English now. Even changing your MySpace profile requires you to enter codes. Also, look at the game consoles that have been hacked to run Linux. Not only is what you suggest not going to work, it's not even possible.
by gabeheim November 2, 2008 8:39 PM PST
If writing programs were outlawed, then only outlaws would write programs.

Yeah, let's also outlaw unauthorized speech while we are at it, that might eliminate con artists that use old fashioned real life social engineering.
by Smurfman October 31, 2008 7:30 AM PDT
Is Apple's Mac OS X operating system susceptible to this trojan?
by mouserider October 31, 2008 8:26 AM PDT
Any operating system can be susceptible to a "trojan" type attack. If you remember the tail of the Trojan Horse, it was not the gates or the fortified defenses that caused the failure, it was instead the humans within that willingly brought the Horse in.

The only thing right now that is working on the Mac's favor is that these criminal rings are trying to cast the widest net with the least work, so expect to see trojans on the Mac as Apple's market share increases.

In a sense, the question should be "Am I susceptible to a trojan" and with the criminal rings getting more apt at social engineering, we may all need an "malware profile" update!
by mouserider October 31, 2008 8:27 AM PDT
Sorry for mis-spelling "tale".
by Smurfman October 31, 2008 8:37 AM PDT
mouserider:

So, in short, OS X is NOT and HAS NOT been susceptible to this trojan, but very well COULD be susceptible if the programmers modify this trojan to affect OS X. As far as we know, the criminals have not done so, correct? As far as we know, this trojan does not exist in any form that affects OS X.
by Seaspray0 October 31, 2008 8:57 AM PDT
@Smurfman. Are you willing to bet your bank account information based on one person's (mouserider's) response on whether it has or has not already been modified to attack osx? Unless he was one of the criminals, he'd have no direct knowledge on that answer. I would recommend you use antivirus software which is much better than nothing protecting your computer.
by protagonistic October 31, 2008 8:58 AM PDT
This appears to be a Windows only Trojan. But that is not to say you should not learn how to protect your system running OS X. There are any number of good books out there that will tell you how to lock down a UNIX based system.

I ran Windows for many years before switching to a Mac five years ago so I carried my paranoia over to OS X. I run a very good firewall, use a router and also run ClamAV for OS X. That latter is more to make sure that I do not pass anything along to my Windows using friends, but it may become a necessary component for OS X as well in the future.

Just remember, there is no such thing as a completely secure OS. Any idiot will find a way around even the best defenses. :-)
by mouserider October 31, 2008 8:59 AM PDT
As far as I am aware, none of the currently known and cataloged variants of THIS particular trojan work on a Mac.

Sinowal Trojan works by inserting itself as a service in Windows and comes in the form of a DLL. So it is OS and binary specific and won't run on a Mac.

It will, however, infect a Windows virtual machine, such as Parallels or VMWare Fusion, running on an Intel Mac and Mac users can be inadvertently spreading the email-vectored version of this trojan if they forward an infected message or page to someone.
by mouserider October 31, 2008 9:04 AM PDT
Seaspray0 is absolutely right. To draw another parallel, saying that there isn't one that works on the Mac or that there won't be one, is like the people who said that the Titanic won't sink.

We should always be diligent but however, on the flip side, there is a fine line between diligence and paranoia.

Anyone can find the biggest security risk, just look in the mirror.
by The_Decider October 31, 2008 12:51 PM PDT
"I would recommend you use antivirus software which is much better than nothing protecting your computer."

LOL

The architecture of OSX protects you far more than AV software. That is why OSX doesn't require AV at this time. At some point, someone might get around the architecture, which will require AV software at that point. But 8 years of not needing it and counting...

AV software is always behind the curve so it will not come close to 100% accuracy. All AV software is rife with false-positives and false-negatives (the virus known as Symantec AV is "good" at this).

***If you need to question why I called Symantec a virus you don't know enough about the topic to comment. You can disagree with it, but you need to know why it is categorized as such.
by Penguinisto October 31, 2008 1:54 PM PDT
@Smurfman: No. There are no known variants of this trojan that affect OSX.

@Seaspray0: A/V solutions are reactive - not proactive, which means it won't help you if you were compromised before your A/V signature or heuristics had been updated. By then it'd be too late.

The inherent security of OSX makes it highly unlikely (not bulletproof, just extremely unlikely) that you would have to bother with this article if you use a Mac and OSX to do your banking.

Now, if you use Windows, you really should check, and may well have cause to panic (esp. if you have more than one user on your machine/s ).

/P
by mouserider October 31, 2008 8:41 AM PDT
I have to comment on the RSA spokesperson's choice of falling into using the typical unqualified quote of "often related to porn or gambling," although I do applaud him for continuing to say "but can also be found lurking on legitimate Web sites" though it does seem to imply that "porn or gambling" sites aren't legitimate for some reason.

There are plenty of porn and gambling Web sites that are operated by legitimate, publicly listed corporations and plenty of "legitimate" Web sites that aren't.

Statements like this do not help the real world users out there that might think that just because they don't visit porn or gambling sites that they are safe from trojans or other forms of malware.

They also often fail to inform users that these criminal groups can and have inserted malicious code into "legitimate" Web sites without their owners knowing it. Just like how a computer can be compromised by malware or virus, Web sites, in a manner of speaking, can be infected and used as a vector.

Any site could be used to transmit malware.
by mpitogo October 31, 2008 9:30 AM PDT
My question for the author. Is there a way to know what platform this trojan affects? Or does it unilaterally affect all platforms running a browser?
by greasyfitting October 31, 2008 10:08 AM PDT
This type of attack could never happen on Mac OS. Installing any program, trojan or otherwise would require permission by the user via password. Mac OS will download these things, but won't install without permission. You also receive a warning when any downloaded and installed program runs for the first time. The warning indicates that the program was downloaded and may be hazardous.
by The_Decider October 31, 2008 12:53 PM PDT
Yep, I have downloaded plenty of viruses and trojans (on purpose) and never got exploited?

Why?

Because I work on a reasonably secure machine (Linux).
by DJoe10 October 31, 2008 10:55 AM PDT
The OS platform may be a moot point in the not so distant future with rootkits targeting hardware/firmware. Completely independent of any OS. These attacks have been around for awhile, but this could well be the next generation.
by The_Decider October 31, 2008 12:54 PM PDT
It doesn't make the OS moot.

It is still software, even if it "targets" hardware (AKA firmware and drivers), it is still OS specific.
by DJoe10 October 31, 2008 10:57 AM PDT
And yes, Mac OS is vulnerable to this.
by The_Decider October 31, 2008 12:54 PM PDT
Really? Prove that it can run on OSX, much less be installed without the users knowledge and consent.
by dgrant6230 October 31, 2008 1:34 PM PDT
The conventional wisdom is that Mac OS X is not attacked because it is such a small fraction of the installed base that the bad guys can't be bothered writing attack software for it. I wonder if this makes sense. Why wouldn't they write for a sub-population that is _completely_ unprotected by antimalware? Essentially no Mac users install AV or any other form of protection. Sure the target audience is small but essentially every member of the sub-population is immediately infectable and the user would never know. Seems to me to be the perfect setup if I wanted to have my Trojan stay active and undetected for as long as possible.

Or it could be that the Mac OS is inherently very difficult to write malware for that will infect and spread invisibly. So difficult in fact that so far no one has managed to do it.

Given my argument and the history of malware, I think the 2nd choice is more likely.
by DJoe10 October 31, 2008 3:39 PM PDT
No one? According to Apple, Mac OS X Panther "offers breakthroughs in innovation, ease of use and reliability". Apparently, these breakthroughs are also providing fertile ground for malware. Since its release in October 2003, Panther has been found vulnerable to several possible exploits. The first involves executing code via the ID3 tag rendered when an MP3 file is opened in Finder. The proof of concept Trojan demonstrating this vulnerability has been dubbed MP3Concept by antivirus vendors. A second Trojan was discovered spreading on the P2P filesharing networks LimeWire and Gnutella and involved a fake Word 2004 demo that erases the user's Home folder. Three vulnerabilities involving the URI Handler have been rated Extremely Critical by security consultants Secunia, all of which allow for arbitrary code to be executed on the system remotely.

I make a lot of money removing virii and recovering data from Macs. Help my job security by not protecting yourself!

As for the rootkits...the answers are out there...go beyond the blue.
by gabeheim November 2, 2008 9:03 PM PST
Remote execution? Actually local execution. At least, that's what it's called when a user action triggers the sequence of fork and exec calls that executes a new process from a code image. Remote execution typically applies to the ability to remotely execute code from a context in which it should not be possible, such as from a web browser, or a service, such as the many infamous windows services that have been exploited time and again. Most trojans don't fall under this, even drive by downloads, and they use social engineering to get someone to execute something. I don't have a mac, so I can't speak for their current model, but Panther is rather old, and the ability to get a user to execute code masquerading as a file format has been greatly diminished.

Anyways, so far, no one has made a virus, worm, or trojan for Linux or Mac that is more effective than sending people an email saying "To improve the performance of your computer, type rm -rf / at the command line". You'll probably snag more idiots that way.
by dgrant6230 November 3, 2008 9:30 AM PST
@DJoe10

Interesting. Would you be willing to share the names of the virii you have removed from Macs? I wasn't aware of any in circulation.

Thanks,
DG
by Penguinisto October 31, 2008 2:59 PM PDT
@DJoe10: Proof, please. No known online malware DB has OSX listed as a variant.
by solitare_pax October 31, 2008 6:31 PM PDT
Here's the best solution for those worried sick about getting computer viruses, whether you are using Windows, Mac OS X, UNIX, Linux or MS-DOS:

Get off the internet, and start using a typewriter :)
by phrelin November 1, 2008 11:22 PM PDT
Great idea. Now what keys on my typewriter can I use to transfer funds to my checking account?:>}
by comment1 November 3, 2008 7:23 AM PST
phrelin,
I would suggest you go to the bank, as I do. Security, then, becomes the bank's business.

If you have watched the news in times past, there was a show which explained how the US gov't was intercepting messages between banks and changing data to prevent criminals from using interbank transfers. Having your paper receipt reduces your hassles. Yes, it's more time consuming, but it reduces risk...Remember the US tapped the trans-Atlantic cable going into Russia? For ten years we laughed. :)