# Sinowal Trojan - How to detect it



## Mountainman1863 (Dec 23, 2007)

This is a bad one, very recently reported, and for which there are no easy removal techniques yet, unless you believe reformatting your drive isn't too bad. It rests in the MBR (master boot record) of your boot drive until it is called upon by your 'securely' connecting with one of the programmed financial sites. Then it installs false text blocks requesting sensitive info, and once you've entered that (it's your bank, your account, and the yellow lock shows, right?), guess who it sends that data to? Not to your account. Further, it morphs into new signatures, I believe, possibly automatically or on interrogation by the perpetrators. Reportedly only a few antivirus programs can detect it and none can remove it. I got all this info from several sites reporting it last night. 

I'd suppose many organizations are working on detection and removal techniques. Anyone here have some insight into what can be done now?


----------



## Mountainman1863 (Dec 23, 2007)

Also called Torpig. Too dangerous NOT to know if you have it or are free of it. Hence, my post.


----------



## Mountainman1863 (Dec 23, 2007)

A little more about how it works from this link ..... http://www.youtube.com/watch?v=YTAtvUnXNrU


----------



## tetonbob (Jan 10, 2005)

This is not that new. What's new is the widespread reporting, based on a recent find of logged information. 

http://www.theregister.co.uk/2008/10/31/sinowal_trojan_heist/

http://www.rsa.com/blog/blog_entry.aspx?id=1378

Many antivirus programs can identify this threat (droppers of the rootkit component), even if they can't all fix it.

Sinowal is also known as MBR rootkit:

http://www.google.com/search?q=MBR rootkit

or mebroot:

http://www.google.com/search?q=mebroot

It takes a dedicated rootkit scan to see this, and often takes dedicated tools to fix.


http://www.techsupportforum.com/f112/if-you-think-your-computer-is-infected-203704.html
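The first post describes the infection as code sitting in the master boot record, and the post above says it takes a dedicated rootkit scan to see it. The following is an added example, not code from this thread or from any of the linked articles, showing the principle such a scan relies on: record a baseline of the 512-byte MBR while the machine is known clean, then later re-read the sector and compare the bootstrap code (bytes 0..445), the partition table and the 0x55AA boot signature against that baseline. Both MBR images below are constructed inside the script so it runs offline; the bootstrap bytes are stand-ins, not sectors from a real infected disk.

```python
"""Baseline-and-compare check of a 512-byte Master Boot Record.

Constructed example: both MBR images built here are synthetic and
stand in for (a) the loader the OS installed and (b) an overwritten one.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446           # bootstrap code occupies bytes 0..445
TABLE_OFFSET = 446            # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into a bootstrap hash, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": entries,
        "signature": mbr[510:512],
    }


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if info["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from recorded baseline")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    if not any(p["status"] == 0x80 for p in info["partitions"]):
        findings.append("no partition is flagged active/bootable")
    return findings


def build_mbr(bootstrap: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from bootstrap bytes and (status, type, lba, sectors) tuples."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed "known-good" bootstrap: a stand-in for the loader the OS installed.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]   # recorded while clean

# Constructed "tampered" image: same partition table, different bootstrap bytes,
# which is the on-disk pattern an MBR-overwriting bootkit leaves behind.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x00" * 40, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(image, BASELINE)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

To run this against a real disk you would replace the constructed images with the first 512 bytes read from the raw device (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux), which needs administrator or root rights. The caveat that makes dedicated tools necessary: a kernel-level rootkit that hooks the disk driver can hand back the original sector to a read issued from the infected operating system, so a comparison done from inside the running system can pass while the disk is modified. That is why rootkit scanners read at a lower level or why the trustworthy check is to boot from clean media and read the sector from there.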


----------



## Mountainman1863 (Dec 23, 2007)

Thanks. I know it has been around since 2006, but I know I need to see if it is here.


----------



## Chr1$ (Nov 11, 2008)

Mountainman1863 said:


> This is a bad one, very recently reported, and for which there are no easy removal techniques yet, unless you believe reformatting your drive isn't too bad. It rests in the MBR (master boot record) of your boot drive until it is called upon by your 'securely' connecting with one of the programmed financial sites. Then it installs false text blocks requesting sensitive info, and once you've entered that (it's your bank, your account, and the yellow lock shows, right?), guess who it sends that data to? Not to your account. Further, it morphs into new signatures, I believe, possibly automatically or on interrogation by the perpetrators. Reportedly only a few antivirus programs can detect it and none can remove it. I got all this info from several sites reporting it last night.
> 
> I'd suppose many organizations are working on detection and removal techniques. Anyone here have some insight into what can be done now?


There's hundreds of types of trojans like that out there. And newer ones are being released. 

And btw it's not the trojan itself that remains undetectable, but the techniques attackers use to bypass personal security. Like packers/crypters or polymorphic engines. 

Packers and crypters can encrypt servers from being detected. Polys can make trojans stealthy and keep them undetected longer by constantly encrypting code and functions. 

Recommendation: a good firewall? But... firewalls can be easily bypassed by process injection techniques (like DLL injection), fooling the FW into thinking the application is safe to run. 


The truth is no security is safe nowadays. Not even virtual VM workstations or emulators. They can be bypassed. A lot of packers have anti-Sandboxie functions nowadays. And many vulnerabilities to bypass other emulators as well. 

Best level of security is common sense.


----------



## Mountainman1863 (Dec 23, 2007)

I recommend a good hardware and an up-to-date software firewall (bi-directional) and antivirus and anti-malware protection, along with Windows and most other software, all kept up to date. And being very careful of just what info you are giving to whom. Crooks can buy SSL servers too.

The article stated that not many software packages detect and none remove the Sinowal/Torpig once you've gotten it, that and its 'success' being the main differences.


----------



## Chr1$ (Nov 11, 2008)

Hardware wouldn't provide much help. Firewalls are easy to bypass, even the latest, and antiviruses as well. 

Just use common sense and don't get infected lol.


----------

