Crimeware Trojan Steals Bank Info

By Dennis Faas

Details of more than 500,000 online bank accounts and credit and debit cards have reportedly been stolen by a Trojan described as "one of the most advanced pieces of crimeware ever created." (Source:

The RSA Fraud Action Research Lab, part of EMC's security division, found log-in credentials for more than 270,000 online banking accounts and 240,000 credit and debit card accounts, stolen from customers of hundreds of financial institutions in countries including the U.S., the U.K., Australia and Poland by a cybercrime gang using the Sinowal Trojan, first detected in February 2006.

Trojan-PSW:W32/Sinowal.CP (an anti-virus detection name for the malware, which is also known as Torpig and Mebroot) drops and loads a password-stealing component on the infected system and harvests account information from it. It is a rootkit-based password stealer that also collects the details needed to log in to certain online banks' and online payment systems' websites. Sinowal installs itself in the Master Boot Record (MBR), the first sector of the disk, so it is loaded before the operating system and before any anti-virus software. Removal is complex: reformatting a partition does not rewrite the MBR, so a clean-up has to overwrite the boot sector itself (for example with fixmbr from the Windows Recovery Console, or bootrec /fixmbr on Vista and later) in addition to reinstalling the system. (Source:
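As an added illustration, not part of the original article or of RSA's analysis, the Python script below shows the kind of check a defender can run against an MBR-resident rootkit: record a hash of the boot code (bytes 0 to 445 of sector 0) while the disk is known-clean, then compare later reads against that baseline. Everything here is constructed in memory for the example: the "clean" and "bootkit" boot-code bytes are hypothetical stand-ins, not real bootloaders, and the partition entry is invented. The layout constants (446-byte boot code, four 16-byte partition entries, 0x55AA signature) are the real MBR format.

```python
"""MBR baseline check (added example). Hash the boot code of sector 0 while a
host is known-clean, then flag later changes. An MBR bootkit overwrites the boot
code but keeps the partition table and signature so the machine still boots,
which is exactly the change this detects. All sectors are constructed samples."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
BOOT_SIG_OFFSET = 510        # bytes 510..511 must be 0x55 0xAA
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Hypothetical boot-code bytes for the example; not real bootloader code.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CLEAN-BOOT-CODE-SAMPLE"
ROOTKIT_BOOT_CODE = b"\xeb\x0c" + b"HYPOTHETICAL-BOOTKIT-LOADER"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte MBR: boot code, one active NTFS partition, signature."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    # Constructed entry: active (0x80), type 0x07 (NTFS), starts at LBA 2048.
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)
    return code + table + b"\x55\xaa"


def simulate_bootkit_infection(sector: bytes, new_boot_code: bytes) -> bytes:
    """Model an MBR bootkit: replace the boot code, keep partition table and signature."""
    code = new_boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    return code + sector[PART_TABLE_OFFSET:]


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, the non-empty partition entries and the
    signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFFSET:] == b"\x55\xaa",
    }


def baseline_hash(sector: bytes) -> str:
    """The value to record (and keep off the machine) while the host is clean."""
    return parse_mbr(sector)["boot_code_sha256"]


def check_mbr(sector: bytes, expected_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != expected_boot_hash:
        findings.append("boot code differs from recorded baseline")
    if sum(p["active"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    expected = baseline_hash(clean)  # record this while the host is clean
    infected = simulate_bootkit_infection(clean, ROOTKIT_BOOT_CODE)
    print("clean   :", check_mbr(clean, expected) or "OK")
    print("infected:", check_mbr(infected, expected))
    # On a real Linux host, sector 0 is: open("/dev/sda", "rb").read(512) (needs root).
```

Two practical caveats. First, the partition table and signature of the infected sample are unchanged, which is why a hash of the whole sector is not enough to tell "bootkit" from "OS bootloader update"; hashing only the boot-code region and re-baselining after legitimate boot-manager changes is the workable approach. Second, a kernel-mode rootkit that is already running can intercept reads of sector 0 and return the original bytes, so this check is only trustworthy when run from clean boot media, not from inside the possibly infected operating system.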

RSA says the Trojan has infected computers around the globe and that over 2,000 domains have been compromised, calling this a serious incident on a very noticeable scale. It also reports a rise in the number of Trojans and their variants, particularly in the United States and Canada.

RSA describes Sinowal as one of the most serious threats to anyone with an Internet connection because it spreads by "drive-by download": a user can be infected simply by visiting a website that has been booby-trapped with the Sinowal code, without opening an attachment or knowingly running a program.

Surprisingly, Sinowal has quietly collected information for over two years. RSA researchers also said that the trojan's creators periodically release new variants to ensure that it stays ahead of detection.

RSA has tracked the trojan since 2006 and a lot is known about its design and infrastructure, but little is known about who is behind it. Anecdotal evidence points to Russia and Eastern Europe, but no one knows for sure because the group is able to use the web to cloak its identity. However, Russia was not affected by the trojan.

In April 2007, Google researchers discovered hundreds of thousands of web pages that initiated drive-by downloads, estimating that one in ten of the 4.5 million pages it analysed were suspect. In 2008, Sophos researchers reported finding more than 6,000 newly infected web pages every day, or about one every 14 seconds.

Attacks are on the increase, but beyond running security software there are simple steps users can take to protect their information: think before you click a link, pay attention to which sites you visit, and be suspicious if a bank or payment page suddenly asks for an extra form of authentication, such as your social security number, that it has never requested before. A legitimate bank does not change its log-in requirements in the middle of a session; such prompts are a sign of phishing or of malware rewriting the page. In short, use common sense.

RSA is co-operating with banks and financial institutions all over the world and has passed the information about the trojan to law enforcement agencies.

