Posted by: Ken Harthun
Cybercrime, Malware, Microsoft Windows, Rootkit, Security, Trojan, Vulnerabilities
Sinowal, also known as “Mebroot” and “Torpig” to various antivirus companies, is a dangerous rootkit that uses the computer’s Master Boot Record (MBR) as its Auto-Start Entry Point (ASEP). The Trojan typically infects Windows XP PCs via malicious websites using code that exploits vulnerabilities in Adobe Reader, Flash Player, or Apple QuickTime; these are vulnerabilities that have already been patched. Once the Trojan gets on your system, it does an interesting little dance to prevent detection. Windows Secrets writer Woody Leonhard describes Sinowal’s stealthy behavior in his November 20, 2008 article, “Don’t be a victim of Sinowal – the super-Trojan:”
“The key to Sinowal/Mebroot’s ‘success’ is that it’s so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn’t run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn’t start until 10 minutes after that.
“Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process.”
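Because the MBR is the rootkit’s auto-start point, the defensive counterpart to the behavior above is a baseline check on sector 0 of the boot disk. The following is an added example (not code from the original post, from Windows Secrets, or from any of the cited authors): it hashes the 446-byte boot-code region of a 512-byte MBR, parses the partition table, and reports any deviation from a hash recorded while the machine was known clean. The sample MBR bytes and the “tampered” copy are constructed inline for demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446    # bytes 0..445 hold the boot loader code an MBR rootkit replaces
PART_TABLE_OFF = 446   # four 16-byte partition entries follow the boot code
BOOT_SIG_OFF = 510     # two-byte 0x55AA boot signature

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:   # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[BOOT_SIG_OFF:] == b"\x55\xaa"}

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Compare an MBR against a known-clean boot-code hash; an empty list means no findings."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one active NTFS-type partition, valid signature."""
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry0 + b"\x00" * 48 + b"\x55\xaa"

CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed filler, not a real loader
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # record this while the machine is known clean
TAMPERED_MBR = b"\xeb" + CLEAN_MBR[1:]                # simulated tampering: first byte of boot code changed

if __name__ == "__main__":
    # On a live Windows host: open(r"\\.\PhysicalDrive0", "rb").read(512) as Administrator, then compare.
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK")
```

Keep the baseline hash somewhere the infected machine cannot rewrite it, since the rootkit runs before Windows and could otherwise alter both the sector and the record of it.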
Also contributing to the Trojan’s effectiveness is that it’s constantly changing. Washington Post journalist Brian Krebs posted a chilling overview of Sinowal’s criminal mischief in his October 31, 2008 column, “Virtual Heist Nets 500,000+ Bank, Credit Accounts:”
“Sinowal…constantly morphs its appearance to slip past security software. Between April and October, researchers spotted an average of 60 to 80 new Sinowal variants per month…
“On Oct. 21, a new Sinowal variant was submitted to Virustotal.com, which scans incoming files against nearly three dozen commercial anti-virus programs and maintains a historical record of those results. Only 10 out of 35 of those security programs – or 28.5 percent – identified it as such or even flagged it as suspicious.”
Very scary, but here are seven things you can do to protect yourself:
- Apply all security patches to Windows XP.
- Apply all patches to third-party software, particularly Adobe Reader, Flash Player, and Apple QuickTime. These are the main avenues of infection.
- Make sure your antivirus detection definitions are up to date.
- Create a limited user account and use it to browse the web.
- Only visit websites you trust.
- Run your browser in a sandbox.
- Switch to Vista; it’s not currently vulnerable.
As always, constant vigilance is necessary on the Wild, Wild, Web.