MBR Trojan Approaching the 3-Year Mark
bl8n8r writes "Still going strong since February 2006, the 'Sinowal' Master Boot Record infector (also called 'Torpig' and 'Mebroot' by various anti-virus companies) has compromised more than half a million financial accounts. An HTML injection engine adds fields to login pages to compromise credentials. Injection is triggered by the Web addresses — more than 2,700 bank and e-commerce sites are hard-coded into the malware. 'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.' The majority of anti-virus and anti-malware scanners do not detect this threat."
The CC numbers are probably sold through various layers of various criminal organizations. If they made arrests it would probably just be people at the end of the chain. Granted, they could try to get them to turn state's evidence if they had any info that would lead back up the chain.
Actually, it's correct. With rootkits, the rootkit inserts itself into the processes of the operating system as it loads. If the AV attempts to read the boot block, it feeds the AV the boot block that it saved when it installs itself. It excludes itself from the process listing. It prevents access to memory where its functions are stored. It really is bulletproof.
With a bug like this one you usually have to boot to some other media (usually read-only) and run a scan against the disk without using the compromised operating system. In short, they're a pain in the butt.
Help stamp out iliturcy.
That's cute. Their system employs double blind methods for getting your money from your account to their account, and they have infinite scale. Billions of phony accounts would not slow them down and would not impede their activity in the slightest.
There are strategies that could be employed, but neither candidate is clueful enough to find someone who knows what they are. The government is not going to descend from on high and make the Internet a nice Technicolor paradise. It's rough out here. Fend for yourself.
Man, will I be glad when silly season is over and people quit trying to insert politics into every issue.
Help stamp out iliturcy.
The problem isn't our ability to detect and identify the criminals.
Our problem is convincing Russia and China to help us. Why would either be motivated to?
Quite frankly, maybe I'm being an ignoramus, but the international community should create internet blockades around nations that don't play nice.
Modding me -1 troll doesn't make me wrong.
Only AVG did.
http://www.virustotal.com/analisis/e124e55a8ac21d5898e5181c4a82c543
FTA:
While the Sinowal authors no longer use RBN as a home base, Brady said his team could find no trace of a single Russian victim in the entire database of credentials and identities stolen from customers of hundreds of banks across the United States, Europe and Asia, and at least 27 other countries.
These guys aren't shitting where they eat, so why would the Russians have any incentive to cooperate?
Note - Liberal use of <sarcasm> tags may or may not need to be applied.
that supplies cd images online with their own mini boot os, updated monthly, that you download, burn, and then reboot into via cd
90% of users wouldn't bother. It's just a giant hassle. But amongst the ultraparanoid, which you are if you know even just a little about what goes on out there, it would be a nice peace-of-mind guarantor.
Of course, this product probably already exists. In which case PLEASE TELL ME WHERE ;-)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
For this kind of work 512 bytes is huge. You have the resources of the BIOS, and you have to find one block: the block where the rest of your code begins. You have to load it and execute it. You're allowed to write the CHS address of this block in your boot block because the OS is never going to see it.
I doubt it takes even 50 bytes to do that. On the original PC I could do it in 30.
Help stamp out iliturcy.
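The two comments above describe the defender's only reliable move against a boot-block infector (read the raw sector from clean media, not through the compromised OS) and the 512-byte layout the infector has to live in. This is an added example, not code from the thread: it parses a 512-byte MBR offline, decodes the CHS fields of the partition table, and compares the 446 bytes of boot code against a known-good hash. The sample sector and the baseline hash are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code (what an infector overwrites)
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511: mandatory 0x55AA marker

def decode_chs(raw):
    """Unpack a 3-byte CHS field: head, sector (6 bits) + cylinder high bits, cylinder low."""
    head, sect_cyl, cyl_low = raw
    sector = sect_cyl & 0x3F
    cylinder = ((sect_cyl & 0xC0) << 2) | cyl_low
    return cylinder, head, sector

def parse_mbr(sector):
    """Validate the signature and return boot-code hash plus the in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:            # empty slot
            continue
        partitions.append({
            "bootable": status == 0x80, "type": ptype,
            "chs_start": decode_chs(chs_start), "chs_end": decode_chs(chs_end),
            "lba_start": lba_start, "sectors": count,
        })
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def verify_mbr(sector, baseline_sha256):
    """Offline check: does the boot code still match the hash taken from a clean install?"""
    info = parse_mbr(sector)
    info["boot_code_matches_baseline"] = info["boot_code_sha256"] == baseline_sha256
    return info

def make_sample_mbr(boot_code):
    """Constructed 512-byte sector: given boot code, one NTFS-type partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, bytes([1, 1, 0]), 0x07,
                        bytes([254, 255, 255]), 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE
```

On a live CD the sector would come from `open("/dev/sda", "rb").read(512)` as root; the baseline hash must have been recorded from the same machine before any compromise.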
You are a caveman if your bank belongs in the stone age and you don't switch to another.
Any bank with an online solution worth using will have token based authentication per transaction. And those would be impervious to this attack.
I was shocked when I learned a lot of banks actually don't use such a system. It became apparent to me when a lot of people piped up about the World of Warcraft token based login by saying "now WoW has better security than my bank". What the... How are those banks permitted to handle money at all with such lax security routines?
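Why a per-transaction token defeats this kind of attack, as an added illustration (not code from the thread or from any bank): the code the token produces is an HMAC over the transaction details and a counter, so a stolen password is not enough, an injected change to the destination account invalidates the code, and a captured code cannot be replayed. The secret, account strings and amounts are constructed for the demonstration; the truncation step follows the HOTP style.

```python
import hashlib
import hmac
import struct

def transaction_code(secret, counter, dest_account, amount_cents, digits=8):
    """One-time code bound to (counter, destination, amount); the token computes this offline."""
    msg = (struct.pack(">Q", counter) + dest_account.encode() + b"|"
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, as in HOTP
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

class BankServer:
    """Holds the per-customer token secret and the next expected counter value."""

    def __init__(self, secret):
        self.secret = secret
        self.expected_counter = 0

    def authorize(self, counter, dest_account, amount_cents, submitted_code):
        """Recompute the code for the details the server actually received."""
        if counter != self.expected_counter:         # stale counter: replay attempt
            return False
        expected = transaction_code(self.secret, counter, dest_account, amount_cents)
        if not hmac.compare_digest(expected, submitted_code):
            return False                             # details were altered or code is forged
        self.expected_counter += 1                   # burn the counter only on success
        return True

def demo():
    """Constructed scenario: the customer approves one transfer, the malware rewrites it."""
    secret = b"constructed-demo-token-secret"       # provisioned on the token at enrolment
    server = BankServer(secret)
    code = transaction_code(secret, 0, "DE00 1234", 5000)   # token shows this to the user
    altered = server.authorize(0, "DE00 9999", 5000, code)  # injected destination: rejected
    genuine = server.authorize(0, "DE00 1234", 5000, code)  # untouched details: accepted
    replayed = server.authorize(0, "DE00 1234", 5000, code) # same code again: rejected
    return altered, genuine, replayed
```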
See also Knoppix (and most other linux distributions with a live CD .iso).
Actually, if one bank started using token-based, then all the other banks would be in the embarrassing position of having to explain why they didn't. And the token bank would have to explain why they finally did. Banks do not like to talk about security and crime, because they are so weak. They do not want anybody thinking about banks and security and crime because some of those thinking people might start questioning bank security and crime.
A very long time ago I dated a girl who was a bank teller at a drive-up window. So we were in my bed and she was telling me how she thought she deserved a few thousand bucks more, so she would take people's money and not deposit it. Eventually the bank would catch on, and let her go. Not prosecute her or anything, just let her go. So she would get a job at another bank, since that is what she already knew how to do. The bank would not tell ANYONE she was a bank crook, not even another bank. Why? Because they cower in terror of anyone realizing this stuff happens. By the way, I immediately got up and hid my wallet.
The majority of crime in most businesses (like retail, for example) is theft by employees. Why do you think banks are any different? If banks cannot coordinate the simplest system to keep thieves out of the banks, how do you expect them to keep thieves out of banks?
Some of what needs to be done about bank security is being done by Visa / Mastercard. They have a PCI DSS specification. That needs to be enhanced to include token-based, and other security specifications that force banks and all other money handling institutions to comply and clean up their acts.
Like adding a database of bank workers who stole money, or loan officers who made bad loans to friends. Like setting up a special industry wide corporation that goes after banking criminals.
wake up and hold your nose