Sinowal Trojan - How to detect it

Mountainman1863 · 11-01-2008, 02:01 PM

This is a bad one, very recently reported, and for which there are no easy removal techniqies yet, unless you believe reformatting your drive isn't too bad. It rests in the MBR (master boot record) of your boot drive until it is called upon by your 'securely' connecting with one of the programmed financial sites. Then it installs false text blocks requesting sensitive info, and once you've entered that (it's your bank, your account, and the yellow lock shows, right?), guess who its sends that data to? Not to your account. Further, it morphs into new signatures, I believe, possibly automatically or on interrogation by the perpetrators. Reportedly only a few antivirus programs can detect it and none can remove it. I got all this info from several sites reporting it last night.

I'd suppose many organizations are working on detection and removal techniques. Anyone here have some insight into what can be done now?

Mountainman1863 · 11-02-2008, 06:43 PM

Also called Torpig. Too dangerous NOt to know if you have it or are free of it. Hence, my post.

Mountainman1863 · 11-05-2008, 12:07 PM

A little more about how it works from this link ..... http://www.youtube.com/watch?v=YTAtvUnXNrU

tetonbob · 11-05-2008, 01:17 PM

This is not that new. What's new is the widespread reporting, based on a recent find of logged information.

http://www.theregister.co.uk/2008/10..._trojan_heist/

http://www.rsa.com/blog/blog_entry.aspx?id=1378

Many AntiVirus can identify this threat (droppers of the rootkit component), even if they can't all fix it.

Sinowal is also known as MBR rootkit

http://www.google.com/search?q=MBR%20rootkit

or mebroot

http://www.google.com/search?q=mebroot

It takes a dedicated rootkit scan to see this, and often takes dedicated tools to fix.

If you think your computer is infected....

Mountainman1863 · 11-05-2008, 02:54 PM

Thanks. I know it has been around since 2006, but I know I need to see if it is here.

Chr1$ · 11-11-2008, 06:00 AM

Quote:

Originally Posted by Mountainman1863

This is a bad one, very recently reported, and for which there are no easy removal techniqies yet, unless you believe reformatting your drive isn't too bad. It rests in the MBR (master boot record) of your boot drive until it is called upon by your 'securely' connecting with one of the programmed financial sites. Then it installs false text blocks requesting sensitive info, and once you've entered that (it's your bank, your account, and the yellow lock shows, right?), guess who its sends that data to? Not to your account. Further, it morphs into new signatures, I believe, possibly automatically or on interrogation by the perpetrators. Reportedly only a few antivirus programs can detect it and none can remove it. I got all this info from several sites reporting it last night.

I'd suppose many organizations are working on detection and removal techniques. Anyone here have some insight into what can be done now?

Theres hundreds of types of trojans like that out there. And newer ones being released.

And btw it's not the trojan itself, that remains undetectable, but techniques attackers use to bypass personal security. Like Packers/crypters/ or polymorphic engines.

Packers, and crypters can encrypt servers, from being detected. POLY'a can make trojans stealthy, and keep them undetected longer, by constantly encrypting code, functions.

Recommendation a good firewall ? but... firewalls can be easily bypassed by Process injection techniques(like DLL injection) fooling FW on thinking the application is safe to run.

The truth is no security is safe now a days. Not even virtual VM workstations or emulators. They can be bypassed. A lot of packers have a anti sandboxie functions now a days. And many vulnerabilities to bypass other emulators as well.

Best level of security is Common Sence.

Mountainman1863 · 11-11-2008, 09:37 AM

I recommend a good hardware and an up-to-date software firewall (bi-directional) and antivirus and anti-malware protection, along with windows and most other software, all kept up to date. And being very careful of just what info you are giving to whom. Crooks can buy SSL servers too.

The article stated that not many software pkgs detect and none remove the sinowal/torpig, once you've gotten it, that and its 'success' being the main differences.

Chr1$ · 11-12-2008, 03:17 AM

Hardware wouldn't provide much help. Firewalls are easy to bypass even the latest, and anti virus's as well.

Just use common sence and don't get infected lol.

11-01-2008, 02:01 PM	#1 (permalink)
Mountainman1863 Registered User Join Date: Dec 2007 Location: Syracuse Posts: 57 OS: XP Pro SP2 (both machines)	Sinowal Trojan - How to detect it This is a bad one, very recently reported, and for which there are no easy removal techniqies yet, unless you believe reformatting your drive isn't too bad. It rests in the MBR (master boot record) of your boot drive until it is called upon by your 'securely' connecting with one of the programmed financial sites. Then it installs false text blocks requesting sensitive info, and once you've entered that (it's your bank, your account, and the yellow lock shows, right?), guess who its sends that data to? Not to your account. Further, it morphs into new signatures, I believe, possibly automatically or on interrogation by the perpetrators. Reportedly only a few antivirus programs can detect it and none can remove it. I got all this info from several sites reporting it last night. I'd suppose many organizations are working on detection and removal techniques. Anyone here have some insight into what can be done now?

11-02-2008, 06:43 PM	#2 (permalink)
Mountainman1863 Registered User Join Date: Dec 2007 Location: Syracuse Posts: 57 OS: XP Pro SP2 (both machines)	Re: Sinowal Trojan - How to detect it Also called Torpig. Too dangerous NOt to know if you have it or are free of it. Hence, my post.

11-05-2008, 12:07 PM	#3 (permalink)
Mountainman1863 Registered User Join Date: Dec 2007 Location: Syracuse Posts: 57 OS: XP Pro SP2 (both machines)	Re: Sinowal Trojan - How to detect it A little more about how it works from this link ..... http://www.youtube.com/watch?v=YTAtvUnXNrU

11-05-2008, 01:17 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,151 OS: 2000 Pro; XP Pro; XP Home	Re: Sinowal Trojan - How to detect it This is not that new. What's new is the widespread reporting, based on a recent find of logged information. http://www.theregister.co.uk/2008/10..._trojan_heist/ http://www.rsa.com/blog/blog_entry.aspx?id=1378 Many AntiVirus can identify this threat (droppers of the rootkit component), even if they can't all fix it. Sinowal is also known as MBR rootkit http://www.google.com/search?q=MBR%20rootkit or mebroot http://www.google.com/search?q=mebroot It takes a dedicated rootkit scan to see this, and often takes dedicated tools to fix. If you think your computer is infected.... __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-05-2008, 02:54 PM	#5 (permalink)
Mountainman1863 Registered User Join Date: Dec 2007 Location: Syracuse Posts: 57 OS: XP Pro SP2 (both machines)	Re: Sinowal Trojan - How to detect it Thanks. I know it has been around since 2006, but I know I need to see if it is here.

11-11-2008, 09:37 AM	#7 (permalink)
Mountainman1863 Registered User Join Date: Dec 2007 Location: Syracuse Posts: 57 OS: XP Pro SP2 (both machines)	Re: Sinowal Trojan - How to detect it I recommend a good hardware and an up-to-date software firewall (bi-directional) and antivirus and anti-malware protection, along with windows and most other software, all kept up to date. And being very careful of just what info you are giving to whom. Crooks can buy SSL servers too. The article stated that not many software pkgs detect and none remove the sinowal/torpig, once you've gotten it, that and its 'success' being the main differences.

11-12-2008, 03:17 AM	#8 (permalink)
Chr1$ Registered User Join Date: Nov 2008 Posts: 14 OS: Windows xp sp 3+Red Hat Linux 6.2E	Re: Sinowal Trojan - How to detect it Hardware wouldn't provide much help. Firewalls are easy to bypass even the latest, and anti virus's as well. Just use common sence and don't get infected lol.