MBR Trojan Approaching the 3-Year Mark
bl8n8r writes "Still going strong since February 2006, the 'Sinowal' Master Boot Record infector (also called 'Torpig' and 'Mebroot' by various anti-virus companies) has compromised more than half a million financial accounts. An HTML injection engine adds fields to login pages to compromise credentials. Injection is triggered by the Web addresses — more than 2,700 bank and e-commerce sites are hard-coded into the malware. 'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.' The majority of anti-virus and anti-malware scanners do not detect this threat."
Actually, it's correct. With rootkits, the rootkit inserts itself into the processes of the operating system as it loads. If the AV attempts to read the boot block, it feeds the AV the boot block that it saved when it installed itself. It excludes itself from the process listing. It prevents access to memory where its functions are stored. It really is bulletproof.
With a bug like this one you usually have to boot to some other media (usually read-only) and run a scan against the disk without using the compromised operating system. In short, they're a pain in the butt.
Help stamp out iliturcy.
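As an added example (not from this thread or from any anti-virus product), here is one way to do the offline check the comment above describes: parse the 512-byte MBR and compare the boot-code hash and partition table of sector 0 as read from inside the running OS against the same sector read from rescue media or a disk image. The sample MBR bytes are constructed, and the block-device path in `read_sector0` is an assumption.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 are boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"       # last two bytes of a valid MBR


def read_sector0(device_path="/dev/sda"):
    """Read the first 512 bytes of a block device or raw disk image.
    The default path is an assumption; run it from rescue media to get
    the on-disk view rather than whatever a resident rootkit returns."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def build_sample_mbr(boot_code=b"\xfa\x33\xc0"):
    """Constructed sample MBR: boot code, one bootable type-0x07 partition
    at LBA 2048 with 1,000,000 sectors, three empty entries, boot signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return boot + entry + b"\x00" * 48 + BOOT_SIG


def parse_mbr(sector):
    """Return the boot-code hash, boot-signature check and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status byte, 3 CHS bytes skipped, type byte, 3 CHS bytes skipped, LBA, count
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an unused entry
            partitions.append({"bootable": flag == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_views(live_view, offline_view):
    """Compare sector 0 as seen by the running OS with the offline copy.
    An MBR infector that hands the OS a saved clean copy shows up as a
    boot-code mismatch while the partition table still agrees."""
    live, offline = parse_mbr(live_view), parse_mbr(offline_view)
    return {
        "boot_code_match": live["boot_code_sha256"] == offline["boot_code_sha256"],
        "partition_table_match": live["partitions"] == offline["partitions"],
        "offline_signature_ok": offline["signature_ok"],
    }
```

Pair `read_sector0()` output saved from inside the OS with the same call made from a clean boot; a mismatch in `boot_code_match` alone is the pattern the comment describes.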
The problem isn't our ability to detect and identify the criminals.
Our problem is convincing Russia and China to help us. Why would either be motivated to?
Quite frankly, maybe I'm being an ignoramus, but the international community should create internet blockades around nations that don't play nice.
Modding me -1 troll doesn't make me wrong.
You are a caveman if your bank belongs in the stone age and you don't switch to another.
Any bank with an online solution worth using will have token based authentication per transaction. And those would be impervious to this attack.
I was shocked when I learned a lot of banks actually don't use such a system. It became apparent to me when a lot of people piped up about the World of Warcraft token based login by saying "now WoW has better security than my bank". What the... How are those banks permitted to handle money at all with such lax security routines?