BBC News reports that a trojan, labeled Sinowal, has been crawling across the Internet. The Trojan is notorious for stealing bank account details. Sean Brady of RSA‘s security division reports that “more than 270,000 banking accounts and 240,000 credit and debit cards have been compromised from financial institutions in countries including the US, UK, Australia and Poland.[1]” According to Sophos researchers, 14 computers per seconds were infected by Sinowal in 2008[2].
The Trojan is also known as Torpig and Mebroot and has now been discovered 2 years ago, in 2006, which means it has been collecting information for now 2 years. It uses the drive-by download method to download itself, which means it download and install itself without the user’s knowledge. In the case of this particular Trojan, this is done mainly thought malicious links and HTML injection attacks.
The Trojan installs itself on the master boot record and his polymorphic, making it hard to detect and to remove[3]. RSA suspects that the Sinowal had strong ties to a cybercriminal gang known as the Russian Business Network.
[1] “Trojan virus steals banking info”, Maggie Shiels, BBC News, October 31, 2008, http://news.bbc.co.uk/2/hi/technology/7701227.stm (accessed on November 2, 2008)
[2] Idem
[3] “RSA Cracks Down on Legendary Sinowal Trojan“, Richard Adhikari, Internet News, October 31, 2008, http://www.internetnews.com/security/article.php/3782221/RSA+Cracks+Down+on+Legendary+Sinowal+Trojan.htm (accessed on November 2, 2008)