MBR Trojan Approaching the 3-Year Mark 165
bl8n8r writes "Still going strong since February 2006, the 'Sinowal' Master Boot Record infector (also called 'Torpig' and 'Mebroot' by various anti-virus companies) has compromised more than half a million financial accounts. An HTML injection engine adds fields to login pages to compromise credentials. Injection is triggered by the Web addresses — more than 2,700 bank and e-commerce sites are hard-coded into the malware. 'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.' The majority of anti-virus and anti-malware scanners do not detect this threat."
dupe (Score:2, Informative)
Re:dupe (Score:5, Insightful)
There is another reason for not really needing to comment: Slashdot needs a special tag for stories that include this implicitly or by implication. That information is:
The majority of anti-virus and anti-malware scanners do not detect this threat.
For such stories, we need to call bullshit and throw spam like emails at the majority of anti-virus company's email servers.
It's one thing to say you are selling really nice tasting lemonade that helps your body fight disease by assisting your body with vitamin C. It's another to say you don't need to take anything else to help your body by our lemonade. That is the trouble with non-F/OSS software; they claim to have the answers. This is no better than selling snake oil IMO when you consider the condition of many if not most home users PC systems.
There are many times in the USA when the fucking cure is worse than the disease. Antivirus companies are part of that 'issue'
Re:dupe (Score:5, Interesting)
Actually, it's correct. With rootkits, the rootkit inserts itself into the processes of the operating system as it loads. If the AV attempts to read the boot block, it feeds the AV the boot block that it saved when it installs itself. It excludes itself from the process listing. It prevents access to memory where its functions are stored. It really is bulletproof.
With a bug like this one you usually have to boot to some other media (usually read-only) and run a scan against the disk without using the compromised operating system. In short, they're a pain in the butt.
Re:dupe (Score:5, Insightful)
You know that part on the label on cold medicines that says not to operate heavy machinery? When you buy an antivirus software package, are there any warning labels? Nope. This is what leads to my complaint. There are large numbers of people that think their original one year license for Symantec et al is good enough for the life of the PC, and nobody is telling them any different. Nor is anyone telling them that what they got for free with the PC will not keep up with malware, and that they are going to have to keep paying and paying if they want to use that program. This is a large portion of why Windows machines are so vulnerable. Even though Windows fanbois like to claim that Linux is for advanced users and not average users, those same users are making Windows a target for virus writers. The other portion is the vast security holes left in Windows production software.
Antivirus companies and MS will NEVER make Windows safe for two reasons: Nobody really wants to pay a yearly subscription and the people they sell to have NO FUCKING CLUE how to keep their machine(s) safe. You and I might know how to get rid of a MBR virus, but aunt bettie doesn't, and won't without a lot of training. FerChrisSakes, you first have to explain what a boot record is. Does training come with a Windows license? Do you need to pass a state level exam to operate a PC? nope. The problem will persist and will not get any better until antivirus companies start trying to educate. It will not get any better till your average Windows users understands that they have to work hard to administer their system to avoid infections and malware.
Without education, the problem will continue... ad infinitum!
That's why I think there should be a tag for it
Re: (Score:2)
Buy anything from China? Just curious.
Re: (Score:2)
Taking the warning labels off everything doesn't work in this instance, as them getting infected results in other people's stuff getting screwed up (DoS'd servers, etc.).
Re: (Score:1, Insightful)
Are tags and labels not a form of education?
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
I hear that DR-DOS and Linux are pretty cheap these days.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Cute. You had a root kit. It had total control of your operating system for an indeterminate period of time. During that time it could download any software from the internet it wanted, and use it to patch any operating system or application file it liked - or all of them.
But you can fix it "sure fire" by using FIXMBR. That will restore the boot block and all will be well again!
Please don't give any more computer advice until you've been detarded.
Re: (Score:2)
Now, at the foot of this thread, I'll repost what I said that offended you:
Cute. You had a root kit. It had total control of your operating system for an indeterminate period of time. During that time it could download any software from the internet it wanted, and use it to patch any operating system or application file it liked - or all of them.
But you can fix it "sure fire" by using FIXMBR. That will restore the boot block and all will be well again!
Please don't give any more computer advice until you've been detarded.
I meant it then and I mean it still. Please don't try to give advice about things you don't understand. Please don't try to justify yourself. You're just making it more and more obvious that you're an idiot.
"the majority" (Score:2)
Doesn't mean all, so i don't see a problem with him using that statement.
Its all about how you define majority.. 51%? 60%? 90%?
Get you're birthday hats ready (Score:2)
It's quickly approaching! The very important 3 year mark is only 3... months... away...
The majority of anti-virus/anti-malware? (Score:5, Informative)
Wow. ClamAV and AVG both detect Sinowal. Both are free as in beer and ClamAV is free as in speech.
Re: (Score:1, Interesting)
only avg did.
http://www.virustotal.com/analisis/e124e55a8ac21d5898e5181c4a82c543
clamav did NOT detect it (Score:4, Informative)
read the story again, it links to virustools, which lists the 10 out of 35 vendors that made the detection. antivir did (mine, phew)
Re: (Score:1)
yep. They're using 0.93.1 and the latest stable is 0.94.
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
According to the chart, ClamAV didn't.
Re: (Score:2)
Forgot the link to the chart [virustotal.com]
What efforts are being made to find the operators? (Score:5, Insightful)
Since this thing is understood, it's possible to inject phony credit card numbers into the attack. If law enforcement and a bank worked together on this, they could inject flagged credit card numbers and watch where they were used, then make some arrests. For that matter, a denial of service attack could be made against the attacker by injecting huge numbers of bogus credit card numbers, the use of any of which triggered law enforcement attention.
Maybe when Bush is gone, and the FBI and Justice Department get some decent management, we'll see some action in this area. This is what FBI Baltimore should be doing, instead of sending out child porno and seeing who bites.
Re: (Score:2, Interesting)
Re: (Score:2)
All of you guys who talk about anonymity and encryption... wouldn't the people who made such a virus be smart enough to use it?
I mean, what are they going to say? "I got the info from saltyballs6669@yahoo.com.
Trace the IPs? Libraries (as in books), Internet Cafes, distribution via Zombie Computers. How long would it take for the FBI to break down some poor old lady's front door because her comp was a zombie?
Really, I think it would be pretty impossible in a situation like this. I mean, how often are virus a
Re: (Score:2)
...they could try to them to turn states evidence if they had any info that would lead back up the chain.
You think that the guys who came up with this MBR virus might possibly be clever enough to not sell the CC#'s from their personal email account?
Re: (Score:2)
Sure, Bush will be gone, but that doesn't mean you'll get any decent management (if that isn't an oxymoron).
I won't go as far as to say that shit floats to the top (OK, maybe I will) but where else are you going to put all those unskilled workers other than management?
Re: (Score:3, Interesting)
That's cute. Their system employs double blind methods for getting your money from your account to their account, and they have infinite scale. Billions of phony accounts would not slow them down and would not impede their activity in the slightest.
There are strategies that could be employed, but neither candidate is clueful enough to find someone who knows what they are. The government is not going to descend from on high and make the Internet a nice technocolor paradise. It's rough out here. Fend fo
Re:What efforts are being made to find the operato (Score:5, Interesting)
The problem isn't our ability to detect and identify the criminals.
Our problem is convincing Russia and China to help us. Why would either be motivated to?
Quite frankly, maybe I'm being an ignoramus, but the international community should create internet blockades around nations that don't play nice.
Re: (Score:2, Interesting)
FTA:
While the Sinowal authors no longer use RBN as a home base, Brady said his team could find no trace of a single Russian victim in the entire database of credentials and identities stolen from customers of hundreds of banks across the United States, Europe and Asia, and at least 27 other countries.
These guys aren't shitting where they eat, so why would the Russians have any incentive to cooperate?
Re: (Score:3, Insightful)
While I agree, I would hope other nations uphold lawful behavior as a virtue, these men are still breaking Russian laws.
But it's the essence of corruption. We cannot expect Russia to help us. We cannot expect China to help us. So, why do we let them peddle their packets in our networks? That might motivate them, but it will definitely reduce the security risks we face.
Re: (Score:2)
I'm not talking packet filters. I'm talking fully isolate nations.
Re: (Score:2)
Not a single Russian victim? Bullshit. How does a program know your nationality? It *may* be working on a certain range of IP addresses excluding Russia or target services which are seldom used by Russians, but claiming that there is not a single Russian victim is just ridiculous.
Re: (Score:2)
Of course, the difficultly is in defining exactly what "not playing nice" is.
Re: (Score:2, Funny)
Yes, you're being an ignoramus. That's ok. It was your turn. Last week was my turn.
The depth of my ignorance can be measured by the length of time I've been aghast at the carelessness and clue deficit of software engineers, system designers, corporate and government IT staff. We're over a quarter century now, so I must be really, really dumb.
Fortunately for me, in that I'm at least not unique.
Re: (Score:2)
Censoring is filtering. I'm suggesting full blocks around countries. You're talking a Brita filter, I'm talking a cork. This is an important distinction.
Re: (Score:2)
We already control who can or cannot be on the internet. Usually going as far as even restricting computer use of computer criminals.
If by one person or group, you mean an entire international community, you should get your head checked.
Re: (Score:3, Informative)
Re: (Score:2)
Who says the people grabbing the card numbers are the ones who eventually use them? The guys controlling the virus probably just sell them en masse to someone else.
What's your point? They're still criminals. Arresting either the people who write the trojan, or the people controlling the trojan, or the people using the credit card numbers is still better than doing nothing.
Rich.
Re: (Score:3, Informative)
Maybe when Bush is gone, and the FBI and Justice Department get some decent management, we'll see some action in this area.
Yeah, because I'm sure that the priority of every president is credit card fraud.
I know that it's popular to blame Bush for all the ills of the world, but it is short sighted and unrealistic. If you want to bash him over things for which he is truly responsible, feel free. There's lots of material. Blaming him for this, though, is just lame.
Re: (Score:3, Insightful)
I know that it's popular to blame Bush for all the ills of the world, but it is short sighted and unrealistic. If you want to bash him over things for which he is truly responsible, feel free. There's lots of material. Blaming him for this, though, is just lame.
One can certainly blame bush for focusing way too many resources on his war on terror and thus away from actual crimes like this one. Besides, nobody was "blaming him for this" they were blaming bush for not doing anything about this.
Re: (Score:1)
Re: (Score:2)
Its not the morons that own PCs that are the problem, it is Bill Gates and the US Government
The hours wasted dealing with viruses add up to far more lifetimes than are lost as a result of Al Quaida actions. Yes folks its t
The majority of anti-virus scanners... (Score:1)
...suddenly do!
No surprise (Score:5, Insightful)
'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.'
Yet people still look at me like I'm a cave man when I refuse to do online banking...
Re: (Score:1)
If this doesn't seal your confidence, remember that this is only one of millions of Windows malware systems feeding into a fully evolved malware ecosystem. It's a wonder anybody has money in their account at all. It's a wonder every person's credit isn't compromised. Certainly enough personal data has been lost to compromise everybody but the Amish.
Re: (Score:2)
Re: (Score:2)
The difference is that there is much more incentive for organized crime to develop trojans that can amass credentials to hundreds of thousands of accounts than there is in trying to intercept a check. Card skimming is a bigger problem and even that is difficult due to the likelihood of getting caught once the fraud detection is set off and they track down the source. The scope of what can be accomplished through fraud on the internet is much greater and therefore the risk is higher.
Re:No surprise (Score:5, Interesting)
You are a caveman if your bank belongs in the stone age and you don't switch to another.
Any bank with an online solution worth using will have token based authentication per transaction. And those would be impervious to this attack.
I was shocked when I learned a lot of banks actually don't use such a system. It became apparent to me when a lot of people piped up about the World of Warcraft token based login by saying "now WoW has better security than my bank". What the... How are those banks permitted to handle money at all with such lax security routines?
Re: (Score:3, Informative)
A buddy of mine works for a company that designs software for use in police cruisers and the stations. They can also cross-reference data between other systems.
To access the master server where all of the cross-referenced data is aggregated, you need one of those tokens. For the uninformed, it's a small device about the size of a flash drive with a constantly rotating number that is in sync with an encryption scheme on the server. It rotates every 30-60 seconds as I recall.
If it's good enough to secure the
Re: (Score:3, Insightful)
If it's good enough to secure the loads of personal information that's sure to be contained in said records, than why don't our banks employ such a system?
Oh that's an easy one. Banks don't do that because they reckon it is cheaper to reimburse people for the actions of fraudsters after the fact. It a sad day when doing the obviously fair and right thing is rejected on cost grounds; obviously the value of being honest is underrated by banks. I just so wish I was surprised.
Re: (Score:2, Interesting)
Actually, if one bank started using token-based, then all the other banks would be in the embarassing position of haveing to explain why they didn't. And the token bank would have to explain why they finally did. Banks do not like to talk about security and crime, because they are so weak. They do not want anybody thinking about banks and security and crime because some of those thinking people might start questioning bank security and crime.
A very long time ago I dated a girl who was a bank teller at a dri
Re: (Score:1)
I've seen comments on /. that indicate that *some* banks *are* handing out authentication tokens.
This teller... was she a fun lay?
Re: (Score:2)
....because they reckon it is cheaper to reimburse people for the actions of fraudsters after the fact...
It is probably true that at least so far, the losses are smaller than the costs of better security would be. A customer who lost or misplaced their token would soon find out that his neighbors bank did not have such a hassle and switch to that bank that only had a simple password. People do lose their keys to cars and houses and will resist to having to carry another key they could lose. There always wil
Re: (Score:2)
why don't our banks employ such a system?
The US seems to be lagging way behind when it comes to technology in banking. I'm in my mid 30s and I've never had a checkbook. In the US that's still widely used, apparently. Some years back a friend of mine took a job for a few years in the US and got his pay literally via physical check. That's unheard of.
As far as security is concerned, I couldn't name a single bank that don't use tokens for online access, yet that too seems very common in the US.
It is slowly changing (Score:1)
Well the check part is anyway. The only time I write a check is to family members that can't be bothered with electronic transactions. I sometimes get checks for holiday gifts of money as well. Other then that, the checkbook sits and collects dust. Most of my transactions are cash (for small amounts) and credit/debit.
Whats interesting is that my particular credit card simply doesn't offer RFID or Smartcard functions even though the same issuing bank offers cards with the functions. I literally would have to
Re: (Score:2)
The only time I write a check is to family members that can't be bothered with electronic transactions.
That illustrates it nicely. Reality here is the exact opposite. Electronic transaction is done in less time than digging out a checkbook would, and transfer is virtually instant. Punch in account number, amount, security token and you're done.
I suspect there's a lack of a centralized system in the US. If every bank would need to interface directly with every other bank to perform a transaction, I can see how it would be both costly and time consuming.
Re: (Score:2)
We're lagging behind in many if not most other technological fields as well.
Our cellular networks frankly suck and so do the plans they offer us.
Our telephone infrastructure is still bad enough that there are semi-populated areas in which there is no telephone service at all
Our broadband proliferation is very nearly the worst in the developed world.
Voting machines are still a new thing to us, and rather than use the ones provided by companies outside the US who have been supplying more technologically advan
Re: (Score:2)
Re: (Score:2)
Does the calculation happen on the card itself or in the reader? This is, IMO, particularly important if you want to use your card anywhere but your home and the bank's branch offices.
Re: (Score:2)
Re: (Score:1)
Heh. They've changed the headers:
X-Leela: There's a political debate on. Quick, change the channel!
Someone had to do it (Score:1)
Re: (Score:2, Funny)
You mean to say that this three year old Trojan ONLY affects machine running the Windows Operating System.
I'm shocked, shocked, I say!
"Botnets, spammers botnets!
What kind of boxes make up botnets?
Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even ASUS, too!
Are boxes, found on botnets, all running Windows. FOO!"
Re: (Score:1)
Re: (Score:1)
No offense taken whatsoever!
My little ditty was, in its own way, a similar response as your own.
Not there wasn't more than a metric tonne of grains of truth to either, mind you.
whiskey and slashdot... (Score:5, Funny)
I just saw this line in the article about a three year old Trojan and I thought, man wouldn't that thing get kinda full at some point?
Re: (Score:2)
Nah, it's in a wallet.
Re: (Score:2)
They expire after a couple of years. Really should toss that one and get another.
Re: (Score:2)
Re: (Score:2)
Hope.
Re: (Score:2)
I just saw this line in the article about a three year old Trojan and I thought, man wouldn't that thing get kinda full at some point?
You are not the average /.er. The average /.er hears a woman mention Trojans and instinctively tells her that he can fix it.
we need an antivirus vendor (Score:3, Interesting)
that supplies cd images online with their own mini boot os, updated monthly, that you download, burn, and then reboot into via cd
90% of users wouldn't bother. its just a giant hassle. but amongst the ultraparanoid, which you are if you know even just a little about what goes on out there, it would be a nice piece of mind guarantor
of course, this product probably already exists. in which case PLEASE TELL ME WHERE ;-)
Re:we need an antivirus vendor (Score:4, Informative)
that supplies cd images online with their own mini boot os, updated monthly, that you download, burn, and then reboot into via cd
90% of users wouldn't bother. its just a giant hassle. but amongst the ultraparanoid, which you are if you know even just a little about what goes on out there, it would be a nice piece of mind guarantor
of course, this product probably already exists. in which case PLEASE TELL ME WHERE ;-)
Why not simply boot into a live CD whenever you want to do online banking or other such sensitive tasks if you're that paranoid? Nearly all allow for writing to the hard drive, so it's not a problem to save any data you want around after the task is completed like online statements, etc. If you're really paranoid, use Anonym.OS put together by Kaos.Theory Security Research and based on OpenBSD with hard encryption and use of TOR as defaults?
Download here: http://sourceforge.net/projects/anonym-os/ [sourceforge.net]
More information: http://kaos.to/cms/projects/releases/anonym.os-livecd.html [kaos.to]
Cheers!
Strat
Re: (Score:2)
Wouldn't it suck if your virus noticed these downloads and "added" itself to the boot loader part of every bootable ISO you -burned-? :)
Why, if one is that paranoid, would you even think of downloading and burning it on a machine suspected of being infected? Besides, it's trivial to check .iso-image MD5 hashes to assure that the .iso is uncorrupted on another known-clean machine.
Cheers!
Strat
Re: (Score:2)
If you have another known-clean machine, then why not download and burn on there? Since a MD5 check could be intercepted by the virus too on a contaminated machine, I'm still trying to figure out if you could verify the bootable CD was clean given only infected or possibly infected computers to work with.
Re: (Score:2)
If you have another known-clean machine, then why not download and burn on there? Since a MD5 check could be intercepted by the virus too on a contaminated machine, I'm still trying to figure out if you could verify the bootable CD was clean given only infected or possibly infected computers to work with.
There comes a point where you 'what-if' yourself to a standstill. The MBR virus only has so much capability. If you assign it unlimited intelligence and power the only safe move is not to play, to steal a m
Ok, but only because you asked. (Score:1)
The cure is here. [ubuntu.com]
It might take a little getting used to, but not as much as Vista. In the end I think you'll like it. Updates are twice a year rather than monthly but that seems to be frequent enough because the system has vulnerabilities less often, and you can't infect a CDROM anyway.
The good news is that if you like the LiveCD version you can remove your hard drive and its risks altogether. You can even save your settings, preferences and files to a pen drive, SDHC chip or network share if you like
Re: (Score:2)
You can just boot it off an external USB drive and update it as you would a normal install. But if you're going to do that routinely, you may as well just dual boot.
Re: (Score:1)
Dual boot is for people with commitment issues. It's not worth the hassle, nor the Doubt of knowing if the second install is going to hash the first. If you need both, buy another PC or install one in a VM. It's not like a good Linux box costs more than $220 [zareason.com] and virtualbox is free [virtualbox.org].
But pen boot is cool. The version of Ubuntu that does it is only a couple days old. I haven't tried it yet. Maybe tomorrow. I'm pretty hot about it. I pen boot Clonezilla at work a couple hundred times a day. It's slick.
Re: (Score:2)
Dual boot is for people with commitment issues.
Commitment issues? Excuse me?
Please point me towards the OS that does everything excellently without compromise.
It doesn't exist, which is why a lot of people Dual Boot. If it weren't for the fact that I were such a hardcore gamer I'd probably be using Ubuntu over XP. And please, save yourselves the trouble of bringing up WINE, because someone will inevitably retort that WINE isn't perfect and many games run poorly, at lower FPS, and possibly with a myriad of other problems.
I love the idea behind Linux, but
Re: (Score:1)
I love the idea behind Linux, but it won't be accepted by a large majority of people until it can do some of the most common tasks (Photoshop, more than a few PCs games, run legacy or odd software) without having to run an emulator that won't work perfectly.
And a pony. It has to come with a pony.
Such product exists (Score:2)
http://www.freedrweb.com/livecd [freedrweb.com]
AFAIK it's a linux livecd with drweb antivirus installed. I have not used it myself, though.
ClamAV Live CD (Score:1, Interesting)
See also Knoppix [knoppix.net] (and most other linux distributions with a live CD .iso).
Re: (Score:2)
Bitdefender used to have something like this called linuxdefender, though all indications point to it having been discontinued.
Re: (Score:2)
Re: (Score:2)
Kaspersky Boot CD, daily build:
http://dnl-eu3.kaspersky-labs.com/devbuilds/RescueDisk/ [kaspersky-labs.com]
(although it seems dated from 15th of October)
Nothing but Admiration (Score:2)
As a programmer I have to point out that the programming required to make this trojan that fits in less then 512bytes of MBR space could not be matched by most "programmers".
Props to those guys. Capitalism unregulated. ;)
Re: (Score:2)
meh (Score:2, Interesting)
For this kind of work 512 bytes is huge. You have the resources of the BIOS, and you have to find one block: the block where the rest of your code begins. You have to load it and execute it. You're allowed to write the CHS address of this block in your boot block because the OS is never going to see it.
I doubt it takes even 50 bytes to do that. On the original PC I could do it in 30.
Re: (Score:2)
Virustotal: ZoneAlarm (Score:1)
Malware? (Score:1)
This whole "malware" thing sounds exciting! How can I get it? I'm running Ubuntu 8.10.
Able to watch from the sidelines (Score:2)
From the article: ...designed to steal data from Microsoft Windows PCs.
That's the best thing about using Linux. When these sort of exploits roll through the computer world you can watch with amused interest instead of a knot in your stomach.
I don't laugh too loud because I think about all the places that might be storing my credit card number on a Windows box. It's been rare that I've ever accessed any of my bank or investment accounts from a Windows client and never in the last four years.
Again, I
Where's the link? (Score:1)
Providing an MBR... (Score:1)
How about antivirus companies providing MBRs with their software that worked in a similar fashion to rootkits like this? It would be very difficult if not impossible to write a virus targeting multiple antivirus software that could coexist with the MBR already in place by the said software!
Antivirus software X could install its own MBR that did the same, load it with the operating system, restrict memory access to it's functions, fake the original boot record etc, but it could be programmed to allow X, and