MBR Trojan Approaching the 3-Year Mark

← Back to Stories (view on slashdot.org)

MBR Trojan Approaching the 3-Year Mark

Posted by kdawson on Saturday November 1, 2008 @04:02PM from the half-a-million-ain't-chump-change dept.

bl8n8r writes "Still going strong since February 2006, the 'Sinowal' Master Boot Record infector (also called 'Torpig' and 'Mebroot' by various anti-virus companies) has compromised more than half a million financial accounts. An HTML injection engine adds fields to login pages to compromise credentials. Injection is triggered by the Web addresses — more than 2,700 bank and e-commerce sites are hard-coded into the malware. 'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.' The majority of anti-virus and anti-malware scanners do not detect this threat."

28 of 165 comments (clear)

Min score:

Reason:

Sort:

dupe by symbolset · 2008-11-01 16:04 · Score: 2, Informative

No point in commenting on this since the previous story is still on the main page.

--
Help stamp out iliturcy.
1. Re:dupe by zappepcs · 2008-11-01 16:14 · Score: 4, Insightful
  
  There is another reason for not really needing to comment: Slashdot needs a special tag for stories that include this implicitly or by implication. That information is:
  
  The majority of anti-virus and anti-malware scanners do not detect this threat.
  For such stories, we need to call bullshit and throw spam like emails at the majority of anti-virus company's email servers.
  It's one thing to say you are selling really nice tasting lemonade that helps your body fight disease by assisting your body with vitamin C. It's another to say you don't need to take anything else to help your body by our lemonade. That is the trouble with non-F/OSS software; they claim to have the answers. This is no better than selling snake oil IMO when you consider the condition of many if not most home users PC systems.
  There are many times in the USA when the fucking cure is worse than the disease. Antivirus companies are part of that 'issue'
  
  --
  Support NYCountryLawyer RIAA vs People
2. Re:dupe by symbolset · 2008-11-01 16:24 · Score: 5, Interesting
  
  Actually, it's correct. With rootkits, the rootkit inserts itself into the processes of the operating system as it loads. If the AV attempts to read the boot block, it feeds the AV the boot block that it saved when it installs itself. It excludes itself from the process listing. It prevents access to memory where its functions are stored. It really is bulletproof.
  With a bug like this one you usually have to boot to some other media (usually read-only) and run a scan against the disk without using the compromised operating system. In short, they're a pain in the butt.
  
  --
  Help stamp out iliturcy.
3. Re:dupe by zappepcs · 2008-11-01 16:39 · Score: 4, Insightful
  
  You know that part on the label on cold medicines that says not to operate heavy machinery? When you buy an antivirus software package, are there any warning labels? Nope. This is what leads to my complaint. There are large numbers of people that think their original one year license for Symantec et al is good enough for the life of the PC, and nobody is telling them any different. Nor is anyone telling them that what they got for free with the PC will not keep up with malware, and that they are going to have to keep paying and paying if they want to use that program. This is a large portion of why Windows machines are so vulnerable. Even though Windows fanbois like to claim that Linux is for advanced users and not average users, those same users are making Windows a target for virus writers. The other portion is the vast security holes left in Windows production software.
  Antivirus companies and MS will NEVER make Windows safe for two reasons: Nobody really wants to pay a yearly subscription and the people they sell to have NO FUCKING CLUE how to keep their machine(s) safe. You and I might know how to get rid of a MBR virus, but aunt bettie doesn't, and won't without a lot of training. FerChrisSakes, you first have to explain what a boot record is. Does training come with a Windows license? Do you need to pass a state level exam to operate a PC? nope. The problem will persist and will not get any better until antivirus companies start trying to educate. It will not get any better till your average Windows users understands that they have to work hard to administer their system to avoid infections and malware.
  Without education, the problem will continue... ad infinitum!
  That's why I think there should be a tag for it
  
  --
  Support NYCountryLawyer RIAA vs People
The majority of anti-virus/anti-malware? by morgan_greywolf · 2008-11-01 16:12 · Score: 5, Informative

Wow. ClamAV and AVG both detect Sinowal. Both are free as in beer and ClamAV is free as in speech.

--
My blog
1. Re:The majority of anti-virus/anti-malware? by symbolset · 2008-11-01 18:06 · Score: 3, Funny
  
  Not to put too fine a point on it, but it does appear that Sinowal is free as in beer as well.
  
  --
  Help stamp out iliturcy.
What efforts are being made to find the operators? by Animats · 2008-11-01 16:13 · Score: 5, Insightful

Since this thing is understood, it's possible to inject phony credit card numbers into the attack. If law enforcement and a bank worked together on this, they could inject flagged credit card numbers and watch where they were used, then make some arrests. For that matter, a denial of service attack could be made against the attacker by injecting huge numbers of bogus credit card numbers, the use of any of which triggered law enforcement attention.
Maybe when Bush is gone, and the FBI and Justice Department get some decent management, we'll see some action in this area. This is what FBI Baltimore should be doing, instead of sending out child porno and seeing who bites.
Re:What efforts are being made to find the operato by NobleSavage · 2008-11-01 16:23 · Score: 2, Interesting

The CC numbers are probably sold through various layers of various criminal organizations. If they made arrests it would probably just be people at the end of the chain. Granted they could try to them to turn states evidence if they had any info that would lead back up the chain.
Re:What efforts are being made to find the operato by BrokenHalo · 2008-11-01 16:28 · Score: 2

Maybe when Bush is gone, and the FBI and Justice Department get some decent management, we'll see some action in this area.

Sure, Bush will be gone, but that doesn't mean you'll get any decent management (if that isn't an oxymoron).

I won't go as far as to say that shit floats to the top (OK, maybe I will) but where else are you going to put all those unskilled workers other than management? ;-)
Re:What efforts are being made to find the operato by symbolset · 2008-11-01 16:29 · Score: 3, Interesting

That's cute. Their system employs double blind methods for getting your money from your account to their account, and they have infinite scale. Billions of phony accounts would not slow them down and would not impede their activity in the slightest.
There are strategies that could be employed, but neither candidate is clueful enough to find someone who knows what they are. The government is not going to descend from on high and make the Internet a nice technocolor paradise. It's rough out here. Fend for yourself.
Man, will I be glad when silly season is over and people quit trying to insert politics into every issue.

--
Help stamp out iliturcy.
No surprise by kent_eh · 2008-11-01 16:45 · Score: 5, Insightful

'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.'
Yet people still look at me like I'm a cave man when I refuse to do online banking...

--

---
"I can't complain, but sometimes still do..." Joe Walsh
1. Re:No surprise by Mascot · 2008-11-01 21:02 · Score: 5, Interesting
  
  You are a caveman if your bank belongs in the stone age and you don't switch to another.
  Any bank with an online solution worth using will have token based authentication per transaction. And those would be impervious to this attack.
  I was shocked when I learned a lot of banks actually don't use such a system. It became apparent to me when a lot of people piped up about the World of Warcraft token based login by saying "now WoW has better security than my bank". What the... How are those banks permitted to handle money at all with such lax security routines?
2. Re:No surprise by Ihmhi · 2008-11-02 00:12 · Score: 2, Informative
  
  A buddy of mine works for a company that designs software for use in police cruisers and the stations. They can also cross-reference data between other systems.
  To access the master server where all of the cross-referenced data is aggregated, you need one of those tokens. For the uninformed, it's a small device about the size of a flash drive with a constantly rotating number that is in sync with an encryption scheme on the server. It rotates every 30-60 seconds as I recall.
  If it's good enough to secure the loads of personal information that's sure to be contained in said records, than why don't our banks employ such a system? It would certainly go a long way towards reducing fraud IMO.
  
  --
  Random Thoughts From A Diseased Mind (Not For Dummies)
3. Re:No surprise by dkf · 2008-11-02 00:22 · Score: 2, Insightful
  
  If it's good enough to secure the loads of personal information that's sure to be contained in said records, than why don't our banks employ such a system?
  Oh that's an easy one. Banks don't do that because they reckon it is cheaper to reimburse people for the actions of fraudsters after the fact. It a sad day when doing the obviously fair and right thing is rejected on cost grounds; obviously the value of being honest is underrated by banks. I just so wish I was surprised.
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
4. Re:No surprise by rcamans · 2008-11-02 01:58 · Score: 2, Interesting
  
  Actually, if one bank started using token-based, then all the other banks would be in the embarassing position of haveing to explain why they didn't. And the token bank would have to explain why they finally did. Banks do not like to talk about security and crime, because they are so weak. They do not want anybody thinking about banks and security and crime because some of those thinking people might start questioning bank security and crime.
  A very long time ago I dated a girl who was a bank teller at a drive-up window. So we were in my bed and she was telling me how she thought she deserved a few thousand bucks more, so she would take people's money and not deposit it. Eventually the bank would catch on, and let her go. Not prosecute her or anything, just let her go. So she would get a job at another bank, since that is what she already knew how to do. The bank would not tell ANYONE she was a bank crook, not even another bank. Why? because they cower in terror of anyone realizing this stuff happens. By the way, I immediately got up and hd my wallet.
  The majority of crime in most businesses (like retail, for example) is theft by employees. Why do you think banks are any different? If banks cannot coordinate the simplest system to keep thieves out of the bamks, how do you expect them to keep thieves out of banks?
  Some of what needs to be done about bank security is being done by Visa / Mastercard. They have a PCI DSS specification. That needs to be enhanced to include token based, and other security specifications that forces banks and all other money handling institutions to comply and clean up their acts.
  Like adding a database of bank workers who stole money, or loan officers who made bad loans to friends. Like setting up a special industry wide corporation that goes after banking criminals.
  
  --
  wake up and hold your nose
Re:What efforts are being made to find the operato by narcberry · 2008-11-01 16:50 · Score: 4, Interesting

The problem isn't our ability to detect and identify the criminals.
Our problem is convincing Russia and China to help us. Why would either be motivated to?
Quite frankly, maybe I'm being an ignoramus, but the international community should create internet blockades around nations that don't play nice.

--
Modding me -1 troll doesn't make me wrong.
whiskey and slashdot... by tjstork · 2008-11-01 17:09 · Score: 5, Funny

I just saw this line in the article about a three year old Trojan and I thought, man wouldn't that thing get kinda full at some point?

--
This is my sig.
Re:What efforts are being made to find the operato by BungaDunga · 2008-11-01 17:13 · Score: 2, Informative

Who says the people grabbing the card numbers are the ones who eventually use them? The guys controlling the virus probably just sell them en masse to someone else.
Re:What efforts are being made to find the operato by WTF+Chuck · 2008-11-01 17:18 · Score: 2, Interesting

FTA:

While the Sinowal authors no longer use RBN as a home base, Brady said his team could find no trace of a single Russian victim in the entire database of credentials and identities stolen from customers of hundreds of banks across the United States, Europe and Asia, and at least 27 other countries.
These guys aren't shitting where they eat, so why would the Russians have any incentive to cooperate?

--
Note - Liberal use of <sarcasm> tags may or may not need to be applied.
Re:What efforts are being made to find the operato by narcberry · 2008-11-01 17:26 · Score: 2, Insightful

While I agree, I would hope other nations uphold lawful behavior as a virtue, these men are still breaking Russian laws.
But it's the essence of corruption. We cannot expect Russia to help us. We cannot expect China to help us. So, why do we let them peddle their packets in our networks? That might motivate them, but it will definitely reduce the security risks we face.

--
Modding me -1 troll doesn't make me wrong.
Re:What efforts are being made to find the operato by KermodeBear · 2008-11-01 17:33 · Score: 2, Informative

Maybe when Bush is gone, and the FBI and Justice Department get some decent management, we'll see some action in this area.
Yeah, because I'm sure that the priority of every president is credit card fraud.
I know that it's popular to blame Bush for all the ills of the world, but it is short sighted and unrealistic. If you want to bash him over things for which he is truly responsible, feel free. There's lots of material. Blaming him for this, though, is just lame.

--
Love sees no species.
clamav did NOT detect it by circletimessquare · 2008-11-01 17:50 · Score: 3, Informative

read the story again, it links to virustools, which lists the 10 out of 35 vendors that made the detection. antivir did (mine, phew)

--
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Re:What efforts are being made to find the operato by Jah-Wren+Ryel · 2008-11-01 17:58 · Score: 2, Insightful

I know that it's popular to blame Bush for all the ills of the world, but it is short sighted and unrealistic. If you want to bash him over things for which he is truly responsible, feel free. There's lots of material. Blaming him for this, though, is just lame.
One can certainly blame bush for focusing way too many resources on his war on terror and thus away from actual crimes like this one. Besides, nobody was "blaming him for this" they were blaming bush for not doing anything about this.

--
When information is power, privacy is freedom.
we need an antivirus vendor by circletimessquare · 2008-11-01 18:01 · Score: 2, Interesting

that supplies cd images online with their own mini boot os, updated monthly, that you download, burn, and then reboot into via cd
90% of users wouldn't bother. its just a giant hassle. but amongst the ultraparanoid, which you are if you know even just a little about what goes on out there, it would be a nice piece of mind guarantor
of course, this product probably already exists. in which case PLEASE TELL ME WHERE ;-)

--
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
1. Re:we need an antivirus vendor by BlueStrat · 2008-11-01 18:35 · Score: 3, Informative
  
  that supplies cd images online with their own mini boot os, updated monthly, that you download, burn, and then reboot into via cd
  90% of users wouldn't bother. its just a giant hassle. but amongst the ultraparanoid, which you are if you know even just a little about what goes on out there, it would be a nice piece of mind guarantor
  of course, this product probably already exists. in which case PLEASE TELL ME WHERE ;-)
  Why not simply boot into a live CD whenever you want to do online banking or other such sensitive tasks if you're that paranoid? Nearly all allow for writing to the hard drive, so it's not a problem to save any data you want around after the task is completed like online statements, etc. If you're really paranoid, use Anonym.OS put together by Kaos.Theory Security Research and based on OpenBSD with hard encryption and use of TOR as defaults?
  Download here: http://sourceforge.net/projects/anonym-os/
  More information: http://kaos.to/cms/projects/releases/anonym.os-livecd.html
  Cheers!
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Re:What efforts are being made to find the operato by symbolset · 2008-11-01 18:18 · Score: 2, Funny

Yes, you're being an ignoramus. That's ok. It was your turn. Last week was my turn.
The depth of my ignorance can be measured by the length of time I've been aghast at the carelessness and clue deficit of software engineers, system designers, corporate and government IT staff. We're over a quarter century now, so I must be really, really dumb.
Fortunately for me, in that I'm at least not unique.

--
Help stamp out iliturcy.
Re:Someone had to do it by Chris+Tucker · 2008-11-01 18:22 · Score: 2, Funny

You mean to say that this three year old Trojan ONLY affects machine running the Windows Operating System.
I'm shocked, shocked, I say!
"Botnets, spammers botnets!
What kind of boxes make up botnets?
Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even ASUS, too!
Are boxes, found on botnets, all running Windows. FOO!"

--
Guaranteed! This comment 100% Anthrax free!
meh by symbolset · 2008-11-01 20:48 · Score: 2, Interesting

For this kind of work 512 bytes is huge. You have the resources of the BIOS, and you have to find one block: the block where the rest of your code begins. You have to load it and execute it. You're allowed to write the CHS address of this block in your boot block because the OS is never going to see it.
I doubt it takes even 50 bytes to do that. On the original PC I could do it in 30.

--
Help stamp out iliturcy.