Win32/Sinowal - MBR Rootkit with...
HarryWaldron, 1,015 posts since Sep 11, 2002
Users should ensure their AV protection is up-to-date, as a new variant of this highly stealthy rootkit
was launched during late October. Approximately 510,000 bank and credit card accounts have been impacted
based on analysis so far. Removal of MBR-based malware is always difficult and may ultimately require a complete
reformatting of the hard drive and reinstallation of all software. It appears to spread through web-based exploits, and
users should be cautious with web links in email or sites that they visit.
Win32/Sinowal - MBR Rootkit with Password stealer impacts 500,000 accounts
QUOTE: A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the
past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to
research to be published today. The discovery is among the largest stolen data caches ever recovered.
HOW IT SPREADS: When an unsuspecting Windows user visits one of these sites, the code left on the site tries to
install the Trojan using one of several known Web browser security holes, such as vulnerabilities found in popular
video and music player plug-ins like Macromedia Flash and Apple's QuickTime player.
IMPACT: RSA investigators found more than 270,000 online banking account credentials, as well as
roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal
authors were using to set up their attacks.
REMOVAL IS COMPLEX: Sinowal also is unique in that it hides in the deepest recesses of a host computer,
an area known as the "Master Boot Record." The MBR is akin to a computer's table of contents, a file system
that loads even before the operating system boots up. According to security experts, many anti-virus programs will
remain oblivious to such a fundamental compromise. What's more, completely removing the Trojan from an infected
machine often requires reformatting the system and wiping any data stored on it.
Additional information below:
Win32/Sinowal - Rootkit based Password stealer http://blogs.technet.com/antimalware/archive/2008/01/10/mbr-
QUOTE: Win32/Sinowal is a family of password-stealing and backdoor trojans. These trojans may try to find a
cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in
Secure Sockets Layer (SSL) Web transactions. Some Win32/Sinowal components may also use advanced stealth
functionality, or try to perform certain operations from the context of a trusted process such as explorer.exe in
order to bypass local software-based firewalls.
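As an added example (not part of the original post or of any vendor tool), the following Python script shows the kind of baseline check a defender can run to spot the MBR tampering described above: it parses a raw 512-byte sector, hashes the bootstrap code region and compares it with a hash captured while the machine was known clean. The sample sectors, the baseline value and the bootstrap bytes are all constructed here for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440          # bootstrap code ends where the 4-byte disk signature begins
PART_TABLE_OFF = 446         # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte sector into a bootstrap hash, partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:   # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the clean baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected 1 bootable partition, found {len(bootable)}")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample sector (not a real disk image) with one bootable NTFS-type partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return (bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + b"\x12\x34\x56\x78" + b"\x00\x00"
            + entry + b"\x00" * 48 + BOOT_SIGNATURE)


# Baseline taken from the constructed known-good sector; the tampered copy differs only in bootstrap bytes.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = parse_mbr(GOOD_MBR)["bootstrap_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 20)

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE))          # prints []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # prints the bootstrap finding
```

On a live machine the 512 bytes come from the physical disk (for example `\\.\PhysicalDrive0` on Windows, read with administrator rights) and the baseline hash should be stored off the host, since a rootkit that controls the MBR can also alter what the running system reads back.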
Generated by Jive SBS on 2010-05-01-06:00