MBR Trojan Approaching the 3-Year Mark
bl8n8r writes "Still going strong since February 2006, the 'Sinowal' Master Boot Record infector (also called 'Torpig' and 'Mebroot' by various anti-virus companies) has compromised more than half a million financial accounts. An HTML injection engine adds fields to login pages to compromise credentials. Injection is triggered by the Web addresses — more than 2,700 bank and e-commerce sites are hard-coded into the malware. 'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.' The majority of anti-virus and anti-malware scanners do not detect this threat."
Wow. ClamAV and AVG both detect Sinowal. Both are free as in beer and ClamAV is free as in speech.
My blog
Since this thing is understood, it's possible to inject phony credit card numbers into the attack. If law enforcement and a bank worked together on this, they could inject flagged credit card numbers and watch where they were used, then make some arrests. For that matter, a denial of service attack could be made against the attacker by injecting huge numbers of bogus credit card numbers, the use of any of which triggered law enforcement attention.
Maybe when Bush is gone, and the FBI and Justice Department get some decent management, we'll see some action in this area. This is what FBI Baltimore should be doing, instead of sending out child porno and seeing who bites.
Actually, it's correct. With rootkits, the rootkit inserts itself into the processes of the operating system as it loads. If the AV attempts to read the boot block, it feeds the AV the boot block that it saved when it installed itself. It excludes itself from the process listing. It prevents access to memory where its functions are stored. It really is bulletproof.
With a bug like this one you usually have to boot to some other media (usually read-only) and run a scan against the disk without using the compromised operating system. In short, they're a pain in the butt.
Help stamp out iliturcy.
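The two points made in the post above (an in-OS read of sector 0 gets the rootkit's saved copy, so only a read from other media sees what is really on disk) can be shown end to end. The following is an added example, not code from the original thread and not Sinowal/Mebroot code: it builds two constructed 512-byte MBR images, models a compromised disk whose in-OS read path hands back the saved clean sector, and runs the same baseline comparison over both read paths. The MBR layout (bootstrap code, partition table at offset 446, 0x55AA signature) is the standard one; the boot-code bytes, partition geometry and the `CompromisedDisk` model are assumptions made up for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xAA"
BOOTSTRAP_LEN = 440      # code area; bytes 440..445 hold the disk signature and padding
PTABLE_OFF = 446         # four 16-byte partition entries follow the bootstrap area
PENTRY_FMT = "<B3xB3xII" # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def build_mbr(bootstrap: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and up to four
    (bootable, type, lba_start, sector_count) tuples. Used only to construct
    the sample sectors below."""
    if len(bootstrap) > BOOTSTRAP_LEN:
        raise ValueError("bootstrap code does not fit in the MBR code area")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into(PENTRY_FMT, sector, PTABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature, hash the bootstrap code and decode the
    partition table. This is the part an offline scanner would run over a
    sector read straight from the disk."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from(PENTRY_FMT, sector, PTABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        parts.append({"bootable": flag == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": parts}


def check_mbr(baseline: bytes, candidate: bytes) -> list:
    """Compare a candidate sector against a known-good baseline; an empty list
    means no difference was found."""
    base, cand = parse_mbr(baseline), parse_mbr(candidate)
    findings = []
    if base["bootstrap_sha256"] != cand["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if base["partitions"] != cand["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


class CompromisedDisk:
    """Constructed model of the situation described in the thread: sector 0
    physically holds the infected MBR, but any read that goes through the
    compromised OS is answered with the clean copy saved at infection time."""

    def __init__(self, clean_mbr: bytes, infected_mbr: bytes):
        self._physical = {0: infected_mbr}   # what is actually on the platter
        self._saved_clean = clean_mbr        # what the rootkit kept for show

    def read_offline(self, lba: int) -> bytes:
        """What a scanner booted from other media sees."""
        return self._physical[lba]

    def read_through_os(self, lba: int) -> bytes:
        """What an AV running on the infected OS is handed."""
        return self._saved_clean if lba == 0 else self._physical[lba]


# Constructed sample sectors (assumed boot-code bytes and partition geometry).
# The infected MBR keeps the partition table intact so the machine still boots.
PARTITIONS = [(True, 0x07, 2048, 409600)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24, PARTITIONS)
INFECTED_MBR = build_mbr(b"\xfa\xe8\x00\x00MBR LOADER STAGE 2", PARTITIONS)


def scan_both_paths() -> dict:
    """Run the baseline check over the in-OS read and the offline read."""
    disk = CompromisedDisk(CLEAN_MBR, INFECTED_MBR)
    return {"via_os": check_mbr(CLEAN_MBR, disk.read_through_os(0)),
            "offline": check_mbr(CLEAN_MBR, disk.read_offline(0))}


if __name__ == "__main__":
    for path, findings in scan_both_paths().items():
        print(f"{path:8s}: {findings or 'clean'}")
```

The in-OS path reports nothing because it never sees the real sector; the offline path reports the changed bootstrap code while the partition table still matches, which is exactly why the post recommends booting from read-only media and scanning the raw disk. On a real machine the baseline would be an MBR image saved while the system was known to be clean, and the candidate would come from reading the first 512 bytes of the raw block device from the rescue media.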
'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.'
Yet people still look at me like I'm a cave man when I refuse to do online banking...
---
"I can't complain, but sometimes still do..." Joe Walsh
I just saw this line in the article about a three-year-old Trojan and I thought, man, wouldn't that thing get kinda full at some point?
This is my sig.