I want to share my close encounter of the third kind with a trojan called Sinowal, also known as Mebroot or Torpig. The trojan is downright nasty, especially since it’s purposed to steal people’s identities and, more importantly, money. The fact that it’s been around for almost three years and still going strong speaks to its tenacity.

In the beginning

A friend of mine who just returned from Germany called me in total-panic mode. His notebook was crashing randomly, and he was slated to give an important presentation the next day. Could I help? No problem, I said. Leave the notebook with me and use one of my computers. Seeing an obvious opportunity, I made sure to get assurance of dinner at the restaurant of my choice before turning over one of my notebooks.

My friend’s presentation turned out fine, but I wasn’t having any luck in finding out what was wrong with his notebook. It appeared to work just fine. I called and asked him if possibly the German beer hadn’t clouded his judgment. He denied any wrongdoing, telling me to look elsewhere using words I’m not about to repeat.

Enough said, I decided to replicate the exact conditions under which the problem occurred, which meant allowing his notebook to access the Internet through my network. I normally don’t like to do that with suspect computers, even on an isolated guest VLAN.

Strange encrypted outgoing traffic

To my surprise, the computer crashed shortly after being connected to the Internet. That’s interesting; I’ve never experienced a situation quite like this before. I decided to see if I could capture enough Ethernet traffic from the notebook to determine what’s going on before it crashes. In my second attempt, I was able to get several hundred packets before the notebook dumped.

I noticed right away that a significant portion of the capture consisted of encrypted packets aimed at one remote IP address. That seemed odd to me. So I used TrustedSource, an IP address/location Web site, and determined that the IP address belonged to a server in Eastern Europe. Oops, all sorts of bells began to go off. I hadn’t even thought about malware possibly causing the crashes, but I can take a hint.

Malware alert

In a 180-degree turnaround, I did all the normal malware checks, especially making sure that the operating system (Windows XP Pro) and AV signatures were up to date. I ran some scans and didn’t get any hits. Having been down this path numerous times, I was all set to reformat and reload, might as well just get it over with.

Being the ultimate in considerate, I called my friend and told him of my findings and possible bad news. He didn’t appear to be in a rush for his notebook, mumbling something about mine working better than his. Actually, I was glad to hear that, because it took the pressure off and I really wanted to figure this out.

Give GMER a try
I loaded GMER, my favorite scanner. Surprisingly it got right to the problem, as shown in Figure A.

Figure A

It didn’t look good “sector 00:MBR rootkit detected.” That’s an immediate reformat/reload in my world. Still I was excited because this would be my first opportunity with this sort of malware. I started searching the Internet for information about MBR rootkits. What I learned was a bit scary needless to say. It appears putting MBR rootkit together with encrypted traffic gets you the Sinowal trojan.

I also learned that RSA FraudAction Research Lab has been following the Sinowal trojan for over three years, compiling some really interesting data about it:

“We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.”

How the Sinowal loader works

Sinowal uses the normal methods to gain access to the computer being attacked. Initially most infections were via e-mail links, but it now appears that drive-by droppers, such as NeoSploit on malicious Web sites, are the attack vector of choice.

Interestingly, Sinowal is selective about geographical location and incorporates an IP versus location application to focus on specific areas, and guess what, Germany is one such area. It’s starting to make sense now. The way Sinowal gains a foothold on the computer is nothing short of ingenious and most likely why it’s been able to survive for so long.

After the initial infection, the loader remains dormant for a certain length of time. I’ve heard that it’s around six minutes, and the sole purpose of this is to fake out malware scanners. The scanners typically try the executable in a sandbox and see what happens. Since Sinowal doesn’t do anything, the scanner is fooled.

Sinowal is also considered a Bootkit, meaning it overwrites the master boot record (MBR), allowing it to bypass Windows system functions. The following installation steps are the results of researchers reverse engineering one variant of Sinowal:

  1. First Sinowal reads the MBR and copies the partition table.
  2. Sinowal has its own MBR and incorporates the copied partition table into it.
  3. Now the sneaky part, Sinowal appends the original MBR into the last sector of the new MBR it created.
  4. Sinowal then writes the newly created MBR to disk.
  5. Next Sinowal waits. Like all MBR rootkits, the loader was able to alter only the MBR, and a reboot is required to start Sinowal’s payload boot sequence.

The payload boot sequence is an intense process. If you’re interested, the details are expertly explained by Peter Kleissner in his white paper “Analysis of Sinowal.” The reason for the complexity is that ultimately Sinowal will have full control over Window’s boot sequence on the infected computer.

What’s really amazing is the boot sequence takeover is done without any additional malware running on the system. At first I didn’t see the significance of this, but the report “MBR/Mebroot/Sinowal/Torpig Is Back — Better than Ever” by TrustDefender Labs explains why this approach is devious and important to Sinowal’s survival:

“How can Mebroot/Sinowal do their dirty work without a malicious component? Well, because Sinowal controls the boot sequence, it can inject the malicious code into legitimate Windows Components. It will hook key functions that the Internet Explorer will use to do its day-to-day job like sending and receiving encrypted data. Yes, you are right. Mebroot/Sinowal does have full control over the encrypted data stream as it has access to it before it will be encrypted and after it has been decrypted.”

The reason this report interested me was the mention of encrypted traffic. That must be what I was seeing when I was trapping packets from my friend’s computer. Now that Sinowal is loaded and situated on the victim computer, let’s take a look at why it went through all this effort.

The real job of Sinowal

If you remember, I said that Sinowal’s whole reason for being is to steal identities and money. Also remember in the TrustDefender article where it says that Sinowal can completely take over the Internet session, well that’s where the problem starts. Let’s follow the steps of a phishing attack that could’ve happened to me if I had continued to use my friend’s notebook:

  1. I decide to go to my bank’s portal, logging on with my personal credentials.
  2. Depending on which Sinowal variant is used, Sinowal now has my personal information or it could ask me for more information by injecting additional HTML code into the bank’s Web pages that the browser is displaying.
  3. At predetermined intervals, Sinowal encrypts the captured data and sends it to command and control servers that have been preprogrammed into the malware, and we all know what happens next.

Significance of all this

I’ve been writing a lot lately about the various methods that attackers are using to steal personal and financial information. The common threads for all the attack venues I discussed are redirection and deception. Using Kaminsky’s bug or the DNS Changer trojan allows attackers to redirect your Web browser to a malicious Web site. After the redirection, the attacker has two options. One, hope that the user will not notice HTTPS isn’t set. Or two, the attacker sets up a forged SSL certificate exchange with a malicious Web server.

It’s a complicated process that is good for us users, with many pieces needing to fall in place in order for the exploit to work. Sinowal avoids all the complexity, since there’s no need for redirection and Web-site deception. The exploit is sitting on the computer. The banking Web site is the correct one and the SSL certificate isn’t forged, so the user is totally unaware of any wrongdoing.

Sinowal’s longevity

The title of this article mentions that Sinowal has been around for over three years now. One would think that the security analysts and AV companies would have this under control. Well, they originally thought so too. If you check out the following graph (courtesy of RSA), it looked like Sinowal was getting eradicated in the first part of 2008:

So what created the resurgence? RSA in the article “One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts” explains that:

“Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006. And in addition to its longevity, Sinowal has also been evolving at a dramatic pace — its rate of attacks spiked upwards from March through September of this year.

The creators of the Sinowal Trojan periodically release new variants and register thousands of Internet domains for its communication resources. The purpose of this is to maintain the Trojan’s uninterrupted grip on infected computers. This diagram (see below) shows the rate at which the creators of the Sinowal Trojan have been creating new variants.”

Final thoughts

Sinowal is considered by security experts to be the most insidious and sophisticated piece of malware ever created. It hides below the operating systems, controls applications, and morphs all the time. If you ask AV companies, they will tell you that their applications detect and remove Sinowal. That’s all well and good, but which variant are they referring to.

I successfully located Sinowal with GMER, but I know others that haven’t been that lucky. I also have heard good things about TrustDefender Labs and their applications being able to nullify Sinowal. Other than that, there’s little available to defend against MBR rootkits such as Sinowal. Not wanting to take a chance, I ended up reformatting and reloading the operating system on my friend’s computer.

Depending on your point of view, the fact that Sinowal works only on MS operating systems could be a good or a bad thing. Also one point in favor of MS Vista is that it’s immune to MBR rootkit attacks. Maybe it’s time to switch to Vista or get MS to hurry up with Windows 7.

Need help keeping systems connected and running at high efficiency? Delivered Monday and Wednesday, TechRepublic’s Network Administrator newsletter has the tips and tricks you need to better configure, support, and optimize your network. Automatically sign up today!