500,000+ Banking Passwords Stolen By Sinowal Trojan Horse, So Far

Security researchers uncovered over half a million bank account logins stolen via a sophisticated trojan horse known as Sinowal. The data goes back to 2006, an unusual longevity for a trojan horse. Not mentioned in the news reports: who’s to say this is the only cache? [NYT] (Photo: Darcy McCarty)

Comments

  1. humphrmi says:

    Were the bank account logins stolen from the banks, or via a trojan horse installed on the user’s computer?

    ‘Cause if it’s the latter, I’m safe. On the other hand, the former, I’m EECB’ing my bank tomorrow.

    • SuperJdynamite says:

      @humphrmi: “‘Cause if it’s the latter, I’m safe.”

      Maybe. Trojans have started doing man-in-the-middle attacks so being in relative network proximity to an infected host can cause your SSL transactions to be compromised.

      • ratnerstar says:

        @SuperJdynamite: I’m not sure what you mean by that. SSL provides not only encryption, but authentication as well. The only way for a “trojan” to do a man in the middle attack against an SSL transaction would be if they had acquired the private key of a root CA. If that is the case, then we are in a lot more trouble than this article indicates.

        • FLEB says:

          @ratnerstar: I’ve seen more and more phishing spams from “banks” that are trying to “update your security certificates”. If a phisher can get a bogus root cert in there– I don’t know why it couldn’t be packaged into another pack of malware, even– you would become vulnerable.

          • ratnerstar says:

            @FLEB: Good point. SSL, like all security measures, is useless if you don’t practice due diligence. I’m still not sure what he means by “being in relative network proximity to an infected host can cause your SSL transactions to be compromised” though.

        • SuperJdynamite says:

          @ratnerstar: If you’re on the same subnet (e.g. you put your laptop on a WiFi network with other hosts, like you might at Starbucks) then it’s possible for a compromised host to ARP spoof the gateway which means that everything you send off the subnet will go through the compromised host.

          • pjorg says:

            @SuperJdynamite: I guess that’s true, but if a session is public-key encrypted, then the malicious network node wouldn’t be able to do anything with it without the private key from the destination.

            • SuperJdynamite says:

              @pjorg: … unless the malicious network node served up a cert of its own that looked legit.

              Anyway, I’m not speaking hypothetically here. There are lots of MITM attacks that have been observed in the wild where an infected host hijacked traffic from an ostensibly protected host.

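The ARP-spoofing scenario SuperJdynamite describes (a compromised host on the same subnet answering ARP for the gateway so that off-subnet traffic flows through it) leaves a visible trace: the gateway's IP suddenly reports a different MAC, and one MAC starts claiming more than one IP. The following is an added example, not code from the original page or from any product mentioned in the thread, showing how a defender would flag that from a log of ARP replies. The subnet, gateway address, MAC addresses and timestamps are constructed for illustration.

```python
"""Spot gateway ARP spoofing from a log of ARP replies seen on a subnet.

Added example, not code from the original page or from any product named
in the thread. The subnet, gateway address, MACs and timestamps below are
constructed for illustration.
"""
from collections import defaultdict

# Assumed gateway address for the constructed subnet.
GATEWAY_IP = "192.168.1.1"

# Constructed log of ARP replies: (timestamp, sender IP, sender MAC).
ARP_REPLIES = [
    ("12:00:01", "192.168.1.1",  "00:11:22:33:44:55"),
    ("12:00:05", "192.168.1.20", "aa:bb:cc:dd:ee:01"),
    ("12:00:09", "192.168.1.1",  "00:11:22:33:44:55"),
    # From here the host at .20 starts answering ARP for the gateway address.
    ("12:01:30", "192.168.1.1",  "AA:BB:CC:DD:EE:01"),
    ("12:01:31", "192.168.1.1",  "aa:bb:cc:dd:ee:01"),
]


def detect_arp_spoof(replies, gateway_ip):
    """Return a list of (timestamp, kind, detail) alerts.

    Two signals are checked, in this order for each reply:
      * an IP address that was previously bound to one MAC now reports another
        ('gateway-mac-changed' when the IP is the gateway, else 'host-mac-changed');
      * one MAC address that now claims more than one IP address
        ('mac-claims-multiple-ips'), reported once per newly claimed IP.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise case so the same NIC is not counted twice

        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "gateway-mac-changed" if ip == gateway_ip else "host-mac-changed"
            alerts.append((ts, kind, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac

        new_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if new_claim and len(mac_to_ips[mac]) > 1:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append((ts, "mac-claims-multiple-ips", f"{mac} answers for {claimed}"))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect_arp_spoof(ARP_REPLIES, GATEWAY_IP):
        print(f"{ts} {kind}: {detail}")
```

The first three replies establish a baseline and produce no alerts; the fourth fires both signals at once. On a real network the baseline would come from a known-good ARP table or a static entry for the gateway rather than from the first reply seen, since an attacker who is already active when monitoring starts would otherwise be taken as the baseline.
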
  2. Sure I could agree with you, but then we'd BOTH be wrong. says:

    This is why everybody should be running some kind of Virus scan, and keep their subscriptions updated.

    There are so many choices now, and usually new computers come with one of them (usually Norton or McAfee) preinstalled with a 3- or 6-month subscription.

    Keep them updated, and they’ll detect these trojans.

    • oldgraygeek says:

      @Dooley: Not always.
      I fix PCs for a living… about half of my new customers come from some sort of malware infestation… and almost all of those customers have an up-to-date virus scanning product installed and working (or did, before the malware broke it).

      The malware guys keep updating their product for a reason: each time they release a new version into the wild, it often has a two- to ten-day head start before the security software companies update their definition files to detect it. In fact, many of the “fake security” products (the ones that scream “YOU HAVE A VIRUS!!!” and demand money to remove it) are never detected by the major firms’ products.

      Bottom line: You do need a current anti-virus program, plus all the Windows Updates, a healthy dose of skepticism applied to any unfamiliar Web site, and a quick hand on the network jack in case something starts to download itself despite those precautions.

    • Triborough says:

      @Dooley: Or just use a Mac.

      • Krobar says:

        @Triborough: there’s no hope like false hope, eh? :)

      • Trick says:

        @Triborough:

        On our campus we have 100+ Macs, all running Sophos AV, much to our faculty’s displeasure because they believe Macs don’t get viruses.

        Yet on any given day as many will have a virus quarantined because our egghead faculty think the same way you do.

        Making matters worse, removing a virus from a Mac is usually more time consuming than a PC.

        • zigziggityzoo says:

          @Trick: The viruses caught by Sophos are almost ALWAYS PC viruses. Macs can download anything, just like PCs. Fortunately for Mac Users, Macs can’t EXECUTE viruses written for PCs.

          To this day, there is no known spreadable virus written for Macs “In the wild.”

          • zigziggityzoo says:

            @Trick: I’ll also append that with a caveat: If you’re still running Office 2004 unpatched (i.e., without SP1 on it) on your Mac, you can get what’s known as a Macro Virus that infects your Word documents, yet doesn’t really do much of anything. And you have to physically download an infected file (or open one from some other infected user’s Flash drive) to be infected. There’s no automatic transfer happening.

            According to MSFT, this affects less than 1% of their install base.

            In my book, anyone running unpatched software deserves what they get.

        • Joeyjojo says:

          @Trick:

          What are these virii you speak of? Macs don’t have any auto-spreadable virii.

          They’re susceptible to malware due to social engineering or the like, but the base OS is just not the same as Windows. Windows is simply easier to compromise, hence the need for not only virus scanning software, but malware/spyware scanning software, registry monitors, etc.

          • cjnewbs says:

            @Joeyjojo:
            That’s such a load of crap. The reason there are more viruses for Windows is because there are significantly more Windows machines. If you were writing a botnet application, for example, you would not bother to write a Mac version because it would be more hassle than it’s worth trying to infect a tiny number of machines. I have read so many arguments like this on forums and YouTube, with people making completely misinformed statements. The worst one being the person who posted a message stating that “There are no Mac viruses because the processor they use makes it impossible for them to execute viruses.”

    • SacraBos says:

      @Dooley: I use Linux and OpenVMS. I’ve tried to run viruses on Linux, and haven’t found one that works yet. OpenVMS, secure even outside the firewall.

  3. dmuth says:

    This is also why it is a good idea to use a different password for EVERY website you access.

  4. ironchef says:

    I recommend using [agilewebsolutions.com]

    It generates some of the most secure passwords and builds AND permanently manages a unique password for each site.

    1Password will also help flag spoofing sites too.

  5. PlasmaMachine says:

    I keep my Common Sense 2.0 updated often. No worries here :P

  6. oldgraygeek says:

    Ben,
    Most of the data up here is merely useful… this is much more important.
    Thanks for being up late to post it.

  7. Triterion says:

    I like how the author of that NYT article used the wrong “You’re”… editor fail!

  8. ShyamaBenkar says:

    I would suggest changing to a bank with dynamic passwords.
    While your login can be sniffed, it is quite hard to use a trojan to get hold of your one-time password generated by a token generator on your keychain.

    Static passwords are -not- secure enough to give access to any sort of banking information. There are just too many ways they can be found.

    Sniffed traffic, trojans, keyloggers or even social engineering.

    Change to a bank that offers a token generator and you avoid the whole issue of trojans stealing passwords, as the password you use won’t be valid in 60 seconds anyway. This blocks the “replay” attacks and requires the cracker to use the password within a minute of you typing it in. Not very likely that they will be able to do that. Not perfect, but a hell of a lot better than static passwords.

    As a further example. My bank (Postbanken, Norwegian) requires me to use one token password to log on. Then if I am transferring money to an account which I do not own it requires me to enter another token password which has to be -different- to the one used to log in. Works quite well. There are vulnerabilities but most attempts at cracking fail.

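The two properties ShyamaBenkar's comment relies on (a sniffed code stops working once its minute has passed, and the code spent on login cannot be reused to approve a transfer, which therefore needs a later, different code) both come from the server consuming each time step at most once. The block below is an added example, not code from the original page or from Postbanken or any other bank mentioned in the thread. It assumes an HMAC-based time-step construction in the style of RFC 4226/6238 with a 60-second step; the comment does not say what algorithm the real token uses, and the shared secret and timestamps are constructed.

```python
"""Time-based one-time passwords with replay blocking.

Added example, not code from the original page or from Postbanken or any
other bank named in the thread. It uses the HMAC-based OTP construction
(RFC 4226/6238 style) with a 60-second step; the shared secret and the
timestamps below are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # a code stops being valid once its 60-second step has passed
DIGITS = 6


def otp_for_step(secret: bytes, step: int) -> str:
    """Derive the 6-digit code for one time step (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server-side check of codes from a keychain token.

    Each time step may be consumed once, so a sniffed code is useless after
    its step expires and a code spent on login cannot be replayed to approve
    a transfer; the transfer needs a code from a later step.
    """

    def __init__(self, secret: bytes, step_seconds: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret = secret
        self.step_seconds = step_seconds
        self.skew_steps = skew_steps        # tolerate a slightly slow token clock
        self.consumed_steps = set()

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step_seconds)
        for step in range(current, current - self.skew_steps - 1, -1):
            expected = otp_for_step(self.secret, step)
            if hmac.compare_digest(expected, code):
                if step in self.consumed_steps:
                    return False       # replay of a code already accepted
                self.consumed_steps.add(step)
                return True
        return False                   # wrong code, or its step has expired


def login_then_transfer(secret: bytes, t0: float):
    """Walk through the scenario from the comment: login, replay attempts, transfer.

    Returns a dict of outcomes so the sequence can be checked.
    """
    verifier = TokenVerifier(secret)
    login_code = otp_for_step(secret, int(t0 // STEP_SECONDS))
    results = {
        "login": verifier.verify(login_code, t0),
        # the sniffed login code is presented again a few seconds later
        "replay_same_window": verifier.verify(login_code, t0 + 10),
        # and again after the step (and the skew allowance) has passed
        "replay_after_expiry": verifier.verify(login_code, t0 + 2 * STEP_SECONDS),
    }
    # the transfer is approved only with a code from a fresh, later step
    transfer_code = otp_for_step(secret, int((t0 + STEP_SECONDS) // STEP_SECONDS))
    results["transfer_with_fresh_code"] = verifier.verify(transfer_code, t0 + STEP_SECONDS)
    return results


if __name__ == "__main__":
    print(login_then_transfer(b"constructed-shared-secret", 1_700_000_000))
```

The one-step skew allowance means a code is accepted for up to two steps, not exactly 60 seconds; tightening `skew_steps` to 0 trades tolerance for token clock drift against a shorter window. The consumed-step set is what turns the time limit into actual replay protection: without it, the same code could be used for both login and transfer inside the window.
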
  9. BytheSea says:

    What banks?!

  10. Quatre707 says:

    Chase bank customers don’t have to worry as much, since whenever they log in from a different computer, a second layer of authentication is prompted via a code received via email, text message, or phone call.

  11. NYGuy1976 says:

    Most banks require extra verification for adding new payees or when transferring money to external accounts already. I wouldn’t be too crazy worried if someone could get a hold of transaction info to see where I used my ATM. If you use paper checks I would be much more worried about fake checks being presented against your account.

  12. ELC says:

    Ah, the joy of using Macintosh. I’ll wave at you all as you scramble to see if you’ve lost money.

    • arl84 says:

      @ELC:

      Savor the flavor. If Macs keep getting popular, it’s only a matter of time before someone figures out how to put viruses on them, too.