Experts douse Sinowal Trojan hype

Crimeware underworld riddled with dodgy data

Security experts have poured cold water on media reports that claim some 20,000 Australian bank accounts have been compromised by the Sinowal Trojan.

Press releases circulating through the media over the past month claim the malware stole up to 300,000 bank account details without detection since February 2006.

The data was collected as part of a monthly fraud reports distributed by the RSA Fraudaction Research Lab based in Israel. The firm originally linked the Trojan to Russian criminal networks, but now claims the source behind the malware is unknown.

Sophos Asia Pacific head of technology Paul Ducklin said it is impossible to claim to establish how many bank accounts were compromised, and claimed Sinowal is a group of malware that has circulated for more than a decade.

“Sinowal (aka Torpig, Mebroot) is not a single piece of malware, any more than, say, Africa is a single country or Sydney a single suburb,” Ducklin said.

“Even back in 1990, when many people still didn't believe that viruses existed, and when those who did updated their software once every three months or so, no single active virus would have escaped detection for that long. So in 2008, that simply isn't going to happen.

Security researchers inject false [bank account] data just to screw up malware operations
“The data is not reliable because it is taken from raft of sources and not all [stolen] bank accounts are legitimate.”

Ducklin suggested a drop-site server, used by malware applications to deposit stolen information and recently discovered by RSA, was the source of the problem. Global spam recently fell by 75 percent following the removal of a drop site operating in a Californian hosting company.

In an online security blog RSA said a single gang was behind the Sinowal Trojan that had stolen the banking data, and labelled it “one of the most pervasive and advanced pieces of crimeware ever created”.

“Sinowal [has been] collecting and transmitting information for almost three years. [This] is a very, very long time for just one online gang to maintain the lifecycle and operations in order to effectively utilise just one Trojan,” according to the Web site.

An expert in one of Australia's top security research firms, who requested anonymity, said the statistics will vary wildly between sources.

“The [criminals] don't trade bank account details like it is suggested — they have huge gigabyte log dumps of data containing dead credit cards, and faulty data,” he said.

“[Security] researchers inject false data into these logs when they are found just to screw up [malware] operations so there is no way to tell what accounts are legitimate.

“Issuing these releases are actually damaging to the [anti-malware] cause because the criminals move on and are harder to find.”

A spokesperson for RSA said a media release, part of its forthcoming threat reports, was sent out early because of the severity of the malware detected.

“The numbers come from our Israel labs and it is a bigger deal so it came out earlier,” the spokesperson said.

“It is about protecting our customers and notifying the industry.”

Securus Global CEO Drazen Drazic said the threat alerts are hyped to promoted security products.

"Every man and his dog has been telling us how their products will provide for ultimate protection for years. If they want to really blow us away, give us a guarantee, but we know we won’t get that," Drazic said.

Cybercrime is worth more $US100 billion a year according to the Australian High Tech Crime Centre, with Australia losing between $30 and $60 million a year to Advanced Fee Fraud, such as Nigerian phising scams.

Researchers claim some Sinowal/Torpig/Mebroot Trojan variants contain rootkits and are distributed via drive-by-downloads which exploit holes in operating systems and browsers.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Darren Pauli

Computerworld
Topics: rsa security, cybercrime, malware
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
Use WhistleOut's technology to compare:
Mobile phone plans & deals
Mobile phone models
Mobile phone carriers
Broadband plans & deals
Broadband providers
Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?