One Sinowal trojan + one gang = hundreds of thousands of compromised accounts

From Botnets.fr

Botnet: Sinowal, Torpig
Malware:
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2008-10-31
Editor/Conference: RSA
Link: http://www.rsa.com/blog/blog_entry.aspx?id=1378 (archive copy)
Author: RSA FraudAction Research Lab
Type: Blog post

Abstract

The RSA FraudAction Research Lab would like to share its startling findings based on its tracking and research of the Sinowal Trojan, also known as Torpig and Mebroot. Our findings based on the data we have collected on this Trojan over the course of almost three years – including information regarding its design and its infrastructure – indicate that this may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters.

We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information, such as email and FTP accounts from numerous websites, has also been compromised and stolen.

Sinowal has been the subject of rumor and speculation in the industry, and little is known about its source; generally more is known about the sources of other Trojans. Some have alleged that it was owned and operated by a Russian online gang with past ties to the infamous Russian Business Network (RBN). Our data confirms that the Sinowal Trojan has had strong ties to the RBN in the past, but our research indicates that the current hosting facilities of Sinowal may have changed and are no longer connected to the RBN.

Bibtex

 @misc{Lab2008BFR4741,
   editor = {RSA},
   author = {RSA FraudAction Research Lab},
   title = {One Sinowal trojan + one gang = hundreds of thousands of compromised accounts},
   day = {31},
   month = oct,
   year = {2008},
   howpublished = {\url{http://www.rsa.com/blog/blog_entry.aspx?id=1378}},
 }