Monday, October 28, 2013

My session on sinowal!

Long back I prepared a presentation on the Sinowal trojan from PDF files found on the net.
It will be more interesting to share this with you all!



Sinowal

Introduction

• Before 2005 there were no known rootkits for Windows (any 32-bit version of that operating system) which infected the master boot record (MBR).
• Researchers had the idea that it was theoretically possible, but no working implementation had been seen. In 2005, researchers Derek Soeder and Ryan Permeh of eEye Digital Security showed the idea was practical by producing proof-of-concept code called "BootRoot".

Sinowal (also known as Mebroot or Torpig) trojan

• It was first reported in 2006 as a harmless bootkit.
• Bootkit means "a kernel-mode rootkit variant called a bootkit". A bootkit replaces the legitimate boot loader with one controlled by an attacker.
• Its own modifications are what make this trojan dangerous for a common user.
• Sinowal steals bank credentials and credit and debit card details.
• A new wave of news about Sinowal shocked the world (of course there was news about this trojan and its modifications throughout the 2006-2008 period, but now a huge discovery has been made about the stolen data). According to the RSA FraudAction Research Laboratory, this trojan has stolen and compromised login credentials from about 500,000 online bank accounts and credit and debit cards over the course of nearly three years.
Detailed analysis of Sinowal trojan

• Sinowal is the combination of a bootkit and a backdoor.
• The bootkit makes this trojan almost invisible on your system.
• The backdoor attempts to steal as much user data as possible (most of the effort goes into collecting user data for a range of online banking systems).
Bootkit

• The hardest part for the trojan here is to gain access to the MBR. According to Microsoft, Sinowal tries to modify the MBR using the CreateFile API, attempting to open "\Device\Harddisk0\DR0" for write access.
• Using the CreateFile API in this way (for direct/raw disk access) requires administrative privileges.
• When this trojan succeeds in infecting the MBR, its instructions pass control to the main part of the rootkit, which is placed on several hard disk sectors and which is not represented as files in the system. This part monitors the already loaded Windows operating system and, when the disk is read, hides the infected MBR and the "dirty" sectors by presenting clean ones instead. It does this by intercepting and substituting system functions.

Figure 2: Infected (with Sinowal) system startup
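
The bootkit section above describes two things a defender can check for: a modified MBR and rootkit code stored in raw sectors that no file refers to. The script below is an added example written for this post (it is not code from the Microsoft, Kaspersky or iDefense reports the slides draw on). It parses a 512-byte MBR image, hashes the bootstrap code against a baseline captured while the disk was known clean, and lists any non-empty sectors in the gap between the MBR and the first partition. The sample MBR bytes and disk images are constructed inline; the "gap sectors are normally zero" heuristic and the `build_sample_mbr` helper are this example's own assumptions. Because the slides say the rootkit substitutes clean sectors when the infected system reads the disk, the raw sectors fed to this check have to come from a trusted environment (the disk mounted under a clean boot), not from the running system under test.

```python
"""Offline MBR integrity check (added example; constructed sample data)."""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
BOOT_SIG_OFF = 510         # bytes 0x55 0xAA close the sector
PART_FMT = "<BBBBBBBBII"   # status, CHS start (3), type, CHS end (3), LBA start, sector count


def parse_mbr(sector: bytes) -> Dict:
    """Split an MBR image into a boot-code hash, a signature check and the partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR image must be exactly 512 bytes")
    signature = struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0]
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        status, ptype, lba_start, count = fields[0], fields[4], fields[8], fields[9]
        if ptype != 0:                       # partition type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": signature == 0xAA55,   # little-endian read of the bytes 55 AA
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_hash: str) -> List[str]:
    """Return a list of findings; an empty list means the MBR matches the clean baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55 AA missing")
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition carries the bootable flag")
    return findings


def nonzero_gap_sectors(disk_image: bytes, first_partition_lba: int) -> List[int]:
    """Heuristic assumed by this example: sectors between the MBR and the first partition
    are normally zero-filled, so any that hold data deserve a closer look."""
    hits = []
    for lba in range(1, first_partition_lba):
        chunk = disk_image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(chunk) < SECTOR:
            break
        if any(chunk):
            hits.append(lba)
    return hits


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR with one bootable type-0x07 partition starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(PART_FMT, 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 2_000_000)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed sample data; these bytes are not real boot code.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded while the disk was known clean

# Constructed tampered variant: the first three boot-code bytes are altered and
# three sectors in the pre-partition gap are filled with data.
TAMPERED_MBR = build_sample_mbr(b"\x00\x00\x00" + CLEAN_BOOT_CODE[3:])
GAP_SECTORS = 62                                            # LBA 1..62 lie before the partition at 63
CLEAN_DISK = CLEAN_MBR + b"\x00" * SECTOR * GAP_SECTORS
_tampered = bytearray(TAMPERED_MBR + b"\x00" * SECTOR * GAP_SECTORS)
for _lba in (10, 11, 12):
    _tampered[_lba * SECTOR:(_lba + 1) * SECTOR] = b"\x90" * SECTOR
TAMPERED_DISK = bytes(_tampered)

if __name__ == "__main__":
    for name, disk in (("clean", CLEAN_DISK), ("tampered", TAMPERED_DISK)):
        mbr = disk[:SECTOR]
        first_lba = parse_mbr(mbr)["partitions"][0]["lba_start"]
        print(name, check_mbr(mbr, BASELINE_HASH), nonzero_gap_sectors(disk, first_lba))
```

On a real disk the 512-byte image would be read from the raw device under a clean boot and the baseline hash taken from the same machine before it was exposed; a hash mismatch on its own only says the boot code changed, so a legitimate boot-loader update has to be ruled out before treating it as an infection.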

Backdoor

• In addition to hiding its presence in the system, the malicious code installs a backdoor in Windows. Upon execution, it drops some files into the system:
  • %programfiles%\common files\microsoft shared\web folders\ibm<5-digit random number>.dll - Trojan-PSW.Win32.Sinowal.co
  • %programfiles%\common files\microsoft shared\web folders\ibm<5-digit random number>.dll - Trojan-PSW.Win32.Sinowal.co
  • %windir%\temp\$_2341233.tmp
  • %windir%\temp\$_2341234.tmp
  • %windir%\temp\$_2341235.tmp
  • %windir%\temp\$b17a2e8.tmp
• It installs itself as a service and adds this Registry key as a launch point:
  Key: HKLM\System\ControlSet001\Services\gb
  File: %programfiles%\common files\microsoft shared\web folders\ibm<5-digit random number>.dll
• This trojan steals system and account information. Stolen information may include:
  • IMAP/POP3/SMTP usernames, passwords and server information from mail clients
  • Bookmarks
  • E-mail addresses from the Windows Address Book
  • Passwords and other data stored by FTP clients
• It also monitors web browsers such as Internet Explorer, Firefox and Opera for online banking information when banking sites are accessed.
• While the user is accessing a banking site, it redirects to a fake page and collects the information.
Figure 3: Sinowal modifications since its first version

Figure 4: Number of stolen bank accounts since first version of Sinowal
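
The Backdoor section lists concrete host artifacts: the dropped DLL and temp files and the `gb` service key. The script below is an added example written for this post (not a vendor tool or code from the cited reports) that matches a file listing and a registry-key listing against those indicators and combines the results into a simple verdict. The listing lines are constructed for the demonstration; `%programfiles%` and `%windir%` are assumed to expand to `C:\Program Files` and `C:\Windows`, and the registry pattern generalises `ControlSet001` to any `ControlSetNNN`, which is this example's choice rather than something the slides state.

```python
"""Host artifact check for the Sinowal indicators listed in the post (added example)."""
import re
from typing import Dict, List, Tuple

# (compiled pattern, description) pairs built from the drop paths in the Backdoor section.
FILE_INDICATORS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\\common files\\microsoft shared\\web folders\\ibm\d{5}\.dll$", re.I),
     "dropped DLL (Trojan-PSW.Win32.Sinowal.co)"),
    (re.compile(r"\\temp\\\$_234123[345]\.tmp$", re.I), "dropped temp file"),
    (re.compile(r"\\temp\\\$b17a2e8\.tmp$", re.I), "dropped temp file"),
]
# Service launch point; ControlSet\d{3} is this example's generalisation of ControlSet001.
REGISTRY_INDICATORS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^HKLM\\System\\ControlSet\d{3}\\Services\\gb(\\|$)", re.I),
     "service launch point 'gb'"),
]


def scan_files(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, description) for every path that matches a file indicator."""
    hits = []
    for path in paths:
        for pattern, description in FILE_INDICATORS:
            if pattern.search(path):
                hits.append((path, description))
                break
    return hits


def scan_registry(keys: List[str]) -> List[Tuple[str, str]]:
    """Return (key, description) for every registry key path that matches an indicator."""
    hits = []
    for key in keys:
        for pattern, description in REGISTRY_INDICATORS:
            if pattern.search(key):
                hits.append((key, description))
                break
    return hits


def scan_host(paths: List[str], keys: List[str]) -> Dict:
    """Combine both scans; the DLL drop together with the service key is the strongest signal,
    since a lone temp file name could belong to something else."""
    files = scan_files(paths)
    registry = scan_registry(keys)
    dll_seen = any("DLL" in description for _, description in files)
    return {"files": files, "registry": registry,
            "likely_infected": dll_seen and bool(registry)}


# Constructed sample listings, as an offline collection script might produce them.
SAMPLE_FILES = [
    r"C:\Program Files\Common Files\Microsoft Shared\web folders\ibm48213.dll",
    r"C:\Program Files\Common Files\Microsoft Shared\web folders\benign.dll",
    r"C:\Windows\Temp\$_2341233.tmp",
    r"C:\Windows\Temp\$b17a2e8.tmp",
    r"C:\Windows\Temp\setup.log",
]
SAMPLE_KEYS = [
    r"HKLM\System\ControlSet001\Services\gb",
    r"HKLM\System\ControlSet001\Services\gb\Parameters",
    r"HKLM\System\ControlSet001\Services\Dnscache",
]

if __name__ == "__main__":
    result = scan_host(SAMPLE_FILES, SAMPLE_KEYS)
    for path, description in result["files"]:
        print("file:", path, "->", description)
    for key, description in result["registry"]:
        print("registry:", key, "->", description)
    print("likely infected:", result["likely_infected"])
```

The listings should be collected with the disk mounted from a clean boot or exported from an offline registry hive, for the same reason given in the Bootkit section: the running rootkit substitutes what the infected system reads.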

Information Stealing Activity

• This Trojan family steals information from browsers, immediately uploading data to a remote server.
• VeriSign iDefense attempted to prompt the Trojan to steal information and play man in the middle to get additional data by infecting a lab computer and visiting several sites.
• This Trojan does target multiple ABN AMRO servers for information theft. In limited lab tests, VeriSign iDefense confirmed that the Trojan does attempt to communicate with a remote command and control (C&C) server, but did not perform any man-in-the-middle phishing attacks when attempting to log on with invalid credentials to the banking site. A list of trigger strings found in the configuration files does not contain ABN AMRO strings. However, multiple domains affiliated with ABN AMRO do exist in the configuration file for the Trojan. It is likely that the Trojan is designed to steal information or interact with a legitimate session following authentication to the site.
• A decryption of the Trojan configuration files shows the following targeted ABN AMRO and subsidiary sites:
  1. abnamro.an
  2. abnamro.be
  3. abnamro.ch
  4. abnamro.com
  5. abnamro.com.sg
  6. abnamro.lu
  7. abnamro.nl
  8. abnamroprivatebanking.com
  9. www.singapore.insight.abnamroprivatebanking.com
  10. abnamro
  11. abnamro.com
  12. lasallebank.com
  13. vip.lasallebank.com
  14. onlinebanking.lasallebank.com
  15. lasallefederal
  16. mybank.bybank.it
  17. wwws.bancoreal.com.br
  18. bancoreal.com.br
  19. cashproweb.com
  20. cashproweb.com
  21. cashproweb
• The Trojan contains several strings related to potential trigger words for information theft:
  • login
  • pswd
  • userid
  • accountnumber
  • passwd
  • username
  • pop3


Bibliography

1. Mebroot proves to be a tough rootkit to crack. [WWW] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9066585
2. RSA Unravels Sinowal Trojan. [WWW] http://www.enterpriseitplanet.com/security/news/article.php/3783641
3. Sinowal Trojan Stealing Banking Information. [WWW] http://news.digitaltrends.com/newsarticle/18302/sinowal-trojan-stealing-banking-information
4. Viruslist.com – Malware evolution: January – March 2008. [WWW] http://www.viruslist.com/en/analysis?pubid=204792002
5. Anti-Malware Engineering Team: MBR rootkit: VirTool:WinNT/Sinowal.A report. [WWW] http://blogs.technet.com/antimalware/archive/2008/01/10/mbr-rootkit-virtool-winnt-sinowal-areport.aspx
6. Russian Business Network Study. / David Bizeul [WWW] http://www.bizeul.org/files/RBN_study.pdf
7. F-Secure Malware Information Pages: Trojan-PSW:W32/Sinowal.CP. [WWW] http://www.f-secure.com/v-descs/trojan-psw_w32_sinowal_cp.shtml

Thanks to the authors of the PDFs referred to here!
(TALLINN UNIVERSITY OF TECHNOLOGY
Faculty of Information Technology
Department of Computer Science
Chair of Network Software
Student: Konstantin Saveljev
Student code: 030548IAPM
Supervisor: Toomas Lepik)
(Ken Dunham, Director of the Rapid Response Team
kdunham@verisign.com)

Post made by newworld
