Page last updated at 13:15 GMT, Friday, 31 October 2008

Trojan virus steals banking info

By Maggie Shiels
Technology reporter, BBC News, Silicon Valley

Computer keyboard
Sinowal infects victims' computers without leaving any trace

The details of about 500,000 online bank accounts and credit and debit cards have been stolen by a virus described as "one of the most advanced pieces of crimeware ever created".

The Sinowal trojan has been tracked by RSA, which helps to secure networks in Fortune 500 companies.

RSA said the trojan virus has infected computers all over the planet.

"The effect has been really global with over 2000 domains compromised," said Sean Brady of RSA's security division.

He told the BBC: "This is a serious incident on a very noticeable scale and we have seen an increase in the number of trojans and their variants, particularly in the States and Canada."

The RSA's Fraud Action Research Lab said it first detected the Windows Sinowal trojan in Feb 2006.

Since then, Mr Brady said, more than 270,000 banking accounts and 240,000 credit and debit cards have been compromised from financial institutions in countries including the US, UK, Australia and Poland.

Security companies recommend that PC owners keep anti-virus programs up to date and regularly scan their machine for malicious software.

The lab said no Russian accounts were hit by Sinowal.

"Drive-by downloads"

RSA described Sinowal as "one of the most serious threats to anyone with an internet connection" because it works behind the scenes using a common infection method known as "drive-by downloads"."

sinowal trojan graph from rsa lab
Sinowal has been constantly updated with new variants

Users can get infected without knowing if they visit a website that has been booby-trapped with the Sinowal malicious code.

Mr Brady said the worrying aspect about Sinowal, which is also known as Torpig and Mebroot, is that it has been operating for so long.

"One of the key points of interest about this particular trojan is that it has existed for two and a half years quietly collecting information," he said. "Any IT professional will tell you it costs a lot to maintain and to store the information it is gathering.

"The group behind it have made sure to invest in the infrastructure no doubt because the return and the potential return is so great."

RSA's researchers said the trojan's creators periodically release new variants to ensure it stays ahead of detection and maintain "its uninterrupted grip on infected computers."

While RSA's lab has been tracking the trojan since 2006, Mr Brady admitted that they know a lot about its design and infrastructure but little about who is behind Sinowal.

"There is a lot of talk about where it comes from and anecdotal evidence points to Russia and Eastern Europe. Historically there have been connections with an online gang connected to the Russian Business Network but in reality no one knows for sure."

That he said is because the group is able to use the web to cloak its identity.


In April 2007, researchers at Google discovered hundreds of thousands of web pages that initiated drive-by downloads. It estimated that one in ten of the 4.5 million pages it analysed were suspect.

Sophos researchers reported in 2008 it was finding more than 6,000 newly infected web pages every day, or about one every 14 seconds.

Debit card and cash
Since May, Sinowal has compromised over 100,000 online bank accounts

RSA's fraud action team said it noticed a spike in attacks from March through to September this year.

That is backed up by another online security company called Fortinet. It said from July 2008 to September 2008 the number of reported attacks rose from 10m to 30m. This included trojans, viruses, malware, phishing and mass mailings.

"The explosion in the number of attacks is alarming," said Derek Manky of Fortinet.

"But trojans are just one of the players in the game wreaking havoc in cyberspace."


While attacks are on the increase, there are some simple steps that users can take to protect their information besides using security software.

"We have a saying here which is 'think before you link,'" said Mr Manky.

"That just means observe where you are going on the web. Be wary of clicking on anything in a high traffic site like social networks.

"A lot of traffic in the eyes of cyber criminals means these sites are a target because to these people more traffic means more money," he said.

sinowal trojan raph from rsa lab
The rate at which Sinowal has been compromising online bank accounts

RSA also urged users to be wary if their bank started asking for different forms of authentication such as a social security number or other details.

"People think not clicking on a pop up or an attachment means they are safe. What people don't realise now is that just visiting a website is good enough to infect them."

RSA said it is co-operating with banks and financial institutions the world over to tell them about Sinowal. It has passed information about the virus to law enforcement agencies.

Print Sponsor

Cybercrime wave sweeping Britain
30 Oct 08 |  Technology
Don't have security nightmares
21 Oct 08 |  Technology
Bank turmoil fuels phishing boom
10 Oct 08 |  Technology
How secure is your card info?
06 Aug 08 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific