Experts douse Sinowal Trojan hype

Crimeware underworld riddled with dodgy data

Security experts have poured cold water on media reports that claim some 20,000 Australian bank accounts have been compromised by the Sinowal Trojan.

Press releases circulating through the media over the past month claim the malware stole up to 300,000 bank account details without detection since February 2006.

The data was collected as part of a monthly fraud reports distributed by the RSA Fraudaction Research Lab based in Israel. The firm originally linked the Trojan to Russian criminal networks, but now claims the source behind the malware is unknown.

Sophos Asia Pacific head of technology Paul Ducklin said it is impossible to claim to establish how many bank accounts were compromised, and claimed Sinowal is a group of malware that has circulated for more than a decade.

“Sinowal (aka Torpig, Mebroot) is not a single piece of malware, any more than, say, Africa is a single country or Sydney a single suburb,” Ducklin said.

“Even back in 1990, when many people still didn't believe that viruses existed, and when those who did updated their software once every three months or so, no single active virus would have escaped detection for that long. So in 2008, that simply isn't going to happen.

Security researchers inject false [bank account] data just to screw up malware operations

“The data is not reliable because it is taken from raft of sources and not all [stolen] bank accounts are legitimate.”

Ducklin suggested a drop-site server, used by malware applications to deposit stolen information and recently discovered by RSA, was the source of the problem. Global spam recently fell by 75 percent following the removal of a drop site operating in a Californian hosting company.

In an online security blog RSA said a single gang was behind the Sinowal Trojan that had stolen the banking data, and labelled it “one of the most pervasive and advanced pieces of crimeware ever created”.

“Sinowal [has been] collecting and transmitting information for almost three years. [This] is a very, very long time for just one online gang to maintain the lifecycle and operations in order to effectively utilise just one Trojan,” according to the Web site.

An expert in one of Australia's top security research firms, who requested anonymity, said the statistics will vary wildly between sources.

“The [criminals] don't trade bank account details like it is suggested — they have huge gigabyte log dumps of data containing dead credit cards, and faulty data,” he said.

“[Security] researchers inject false data into these logs when they are found just to screw up [malware] operations so there is no way to tell what accounts are legitimate.

“Issuing these releases are actually damaging to the [anti-malware] cause because the criminals move on and are harder to find.”

A spokesperson for RSA said a media release, part of its forthcoming threat reports, was sent out early because of the severity of the malware detected.

“The numbers come from our Israel labs and it is a bigger deal so it came out earlier,” the spokesperson said.

“It is about protecting our customers and notifying the industry.”

Securus Global CEO Drazen Drazic said the threat alerts are hyped to promoted security products.

"Every man and his dog has been telling us how their products will provide for ultimate protection for years. If they want to really blow us away, give us a guarantee, but we know we won’t get that," Drazic said.

Cybercrime is worth more $US100 billion a year according to the Australian High Tech Crime Centre, with Australia losing between $30 and $60 million a year to Advanced Fee Fraud, such as Nigerian phising scams.

Researchers claim some Sinowal/Torpig/Mebroot Trojan variants contain rootkits and are distributed via drive-by-downloads which exploit holes in operating systems and browsers.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags rsa securitymalwarecybercrime

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Darren Pauli

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?