One Sinowal trojan + one gang = hundreds of thousands of compromised accountS

Jump to navigation Jump to search

(Publication) Google search: [1]

One Sinowal trojan + one gang = hundreds of thousands of compromised accountS
Botnet Sinowal, Torpig
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2008 / 2008-10-31
Editor/Conference RSA
Link entry.aspx?id=1378 (Archive copy)
Author RSA FraudAction Research Lab
Type Blogpost


The RSA FraudAction Research Lab would like to share its startling findings based on its tracking and research of the Sinowal Trojan, also known as Torpig and Mebroot. Our findings based on the data we have collected on this Trojan over the course of almost three years – including information regarding its design and its infrastructure – indicate that this may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters.

We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.

Sinowal has been the subject of rumor and speculation in the industry, and little is known about its source. There is generally more known about the sources of other Trojans. Some have alleged that it was owned and operated by a Russian online gang with past ties to the infamous Russian Business Network (RBN). Our data confirms the Sinowal Trojan has had strong ties to the RBN in the past, but our research indicates that the current hosting facilities of Sinowal may have changed and are no longer connected to the RBN.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2008BFR4741,
   editor = {RSA},
   author = {RSA FraudAction Research Lab},
   title = {One Sinowal trojan + one gang = hundreds of thousands of compromised accountS},
   date = {31},
   month = Oct,
   year = {2008},
   howpublished = {\url{}},