February 11, 2009
Don’t be a victim of Sinowal, the super-Trojan
By Woody Leonhard
The sneaky "drive-by download" known as Sinowal has been, uh, credited with stealing more than 500,000 bank-account passwords, credit-card numbers, and other sensitive financial information.
This exploit has foiled antivirus software manufacturers time and again over the years, and it provides us in real time a look at the future of Windows infections.
Imagine a very clever keylogger sitting on your system, watching unobtrusively as you type, kicking in and recording your keystrokes only when you visit one of 2,700 sensitive sites. The list is controlled by the malware's creators and includes many of the world's most popular banking and investment services.
That's Sinowal, a super-Trojan that uses a technique called HTML injection to put ersatz information on your browser's screen. The bad info prompts you to type an account number and/or a password. Of course, Sinowal gathers all the information and sends it back home — over a fancy, secure, encrypted connection, no less.
Washington Post journalist Brian Krebs wrote the definitive overview of Sinowal's criminal tendencies in his Oct. 31, 2008, column titled "Virtual Heist Nets 500,000+ Bank, Credit Accounts" — a headline that's hard to ignore. Krebs cites a detailed analysis by RSA's FraudAction Research Lab: "One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts."
Sinowal has been around for many years. (Most virus researchers nowadays refer to Sinowal as "Mebroot," but Sinowal is the name you'll see most often in the press. Parts of the old Sinowal went into making Mebroot. It isn't clear whether the same programmers who originally came up with Sinowal are also now working on Mebroot. Mebroot's the current villain.)
Microsoft's Robert Hensing and Scott Molenkamp blogged cialis generic best price about the current incarnation of Sinowal/Mebroot back in January. RSA has collected data swiped by Sinowal/Mebroot infections dating to 2006. EEye Digital Security demonstrated its "BootRoot" project — which contains several elements similar to Sinowal/Mebroot — at the Black Hat conference in July 2005.
I haven't even told you the scariest part yet.
Sinowal/Mebroot works by infecting Windows XP's Master Boot Record (MBR) — it takes over the tiny program that's used to boot Windows. MBR infections have existed since the dawn of DOS. (You'd think that Microsoft would've figured out a way to protect the MBR by now — but you'd be wrong.)
Vista SP1 blocks the simplest MBR access, but the initial sectors are still programmatically accessible, according to a highly technical post by GMER, the antirootkit software manufacturer.
The key to Sinowal/Mebroot's "success" is that it's so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn't run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn't start until 10 minutes after that.
Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process. Peter Kleissner, Software Engineer at Vienna Computer Products, has posted a detailed analysis of the infection method and the intricate interrupt-hooking steps, including the timing and the machine code for the obfuscated parts.
Once Sinowal/Mebroot is in your system, the Trojan runs stealthily, loading itself in true rootkit fashion before Windows starts. The worm flies under the radar by running inside the kernel, the lowest level of Windows, where it sets up its own network communication system, whose external data transmissions use 128-bit encryption. The people who run Sinowal/Mebroot have registered thousands of .com, .net, and .biz domains for use in the scheme.
Wait, there's more: Sinowal/Mebroot cloaks itself entirely and uses no executable files that you can see. The changes it makes to the Registry are very hard to find. Also, there's no driver module in the module list, and no Sinowal/Mebroot-related svchost.exe or rundll32.exe processes appear in the Task Manager's Processes list.
Once Sinowal/Mebroot has established its own internal communication software, the Trojan can download and run software fed to it by its creators. Likewise, the downloaded programs can run undetected at the kernel level.
So, what can you do to thwart this menace? Your firewall won't help: Sinowal/Mebroot bypasses Windows' normal communication routines, so it works outside your computer's firewall.
Your antivirus program may help, for a while. Time and time again, however, Sinowal/Mebroot's creators have modified the program well enough to escape detection. AV vendors scramble to catch the latest versions, but with one or two new Sinowal/Mebroot iterations being released every month, the vendors are trying to hit a very fleet — and intelligent — target.
Peter Kleissner told me, "I think Sinowal has been so successful because it's always changing … it is adjusting to new conditions instantly. We see Sinowal changing its infection methods and exploits all the time."
Similarly, you can't rely on rootkit scanners for protection. Even the best rootkit scanners miss some versions of Sinowal/Mebroot. (See Scott Spanbauer's review of free rootkit removers in May 22's Best Software column and Mark Edwards' review of rootkit-remover effectiveness in his May 22 PC Tune-Up column; paid subscription required for the latter.)
Truth be told, there is no single way to reliably protect yourself from Sinowal/Mebroot, short of disconnecting your computer from the Internet and not opening any files. But there are some historical patterns to the exploit that you can learn from.
First of all, most of the Sinowal/Mebroot infections I've heard about got into the afflicted PCs via well-known and already-patched security holes in Adobe Reader, Flash Player, or Apple QuickTime. These are not the only Sinowal/Mebroot infection vectors by a long shot, but they seem to be preferred by the Trojan's creators. You can minimize your risk of infection by keeping all of your third-party programs updated to the latest versions.
Windows Secrets associate editor Scott Dunn explained how to use the free Secunia Software Inspector service to test your third-party apps, and how to schedule a monthly check-up for your system, in his Sept. 6, 2007, column.
In addition, according to Peter Kleissner, Sinowal/Mebroot — at least in its current incarnation — doesn't infect Vista systems. Windows XP remains its primary target, because Vista's boot method is different and its User Account Control regime gets in the worm's way.
Don't look to your bank for Sinowal safeguards
So, you'd figure the banks and financial institutions being targeted by Sinowal/Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that's still harvesting accounts should send a shiver up any banker's spine.
I asked Rob Rosenberger about it, and he laughed. Rosenberger's one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.
"I'll be labeled a heretic for saying this, but … from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.
"Banks have dealt with this kind of fraud for many, many decades," Rosenberger continued. "Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud."
If the bankers aren't going to take up the fight against Sinowal/Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.
In this particular case, the major AV packages have failed to detect Sinowal/Mebroot over and over again. It's hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they've left the barn, so to speak.
The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.
The only company that seems to be in a position to fix the Master Boot Record problem is Microsoft. But it's hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP's successors (I use the term lightly) don't appear to have the same flaw.
This is short-sighted, however. It's only a matter of time before Sinowal/Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.
If Microsoft decides to take on Sinowal/Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says "I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup."
As Peter Kleissner puts it, "I personally think most people behind the [Sinowal] code do not know what they have done. I would bet that more than half of the code was written by students around the world."
Kleissner's in a good position to judge. He's a student himself, 18 years old. I'm glad he's on our side.