Category Archives: Threat info

Sinowal analysis of RSA Lab

September 11, 2009   mkwingzero   No comments

The RSA FraudAction Research Lab would like to share its startling findings based on its tracking and research of the Sinowal Trojan, also known as Torpig and Mebroot. Our findings based on the data we have collected on this Trojan over the course of almost three years – including information regarding its design and its infrastructure – indicate that this may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters.

We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.

Sinowal has been the subject of rumor and speculation in the industry, and little is known about its source. There is generally more known about the sources of other Trojans. Some have alleged that it was owned and operated by a Russian online gang with past ties to the infamous Russian Business Network (RBN). Our data confirms the Sinowal Trojan has had strong ties to the RBN in the past, but our research indicates that the current hosting facilities of Sinowal may have changed and are no longer connected to the RBN.

So, why is Sinowal one of the most serious threats to anyone with an Internet connection? Simply put, Sinowal infects victims’ computers without even an inkling of a trace. The criminals behind Sinowal have not only created highly-advanced and malicious crimeware, but have also maintained one of the most hidden and reliable communication infrastructures. This infrastructure has been designed to keep Sinowal collecting and transmitting information for almost three years. In addition, the stolen data has been methodically organized within a well-organized repository. Almost three years is a very, very long time for just one online gang to maintain the lifecycle and operations in order to effectively utilize just one Trojan.

Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006. And in addition to its longevity, Sinowal has also been evolving at a dramatic pace – its rate of attacks spiked upwards from March through September of this year.

Read More

Avira Analystic Risk Level

August 06, 2009   mkwingzero   No comments
The Risk Level describes the current phishing- and malware threats that avira’s receive in real time from avira’s sources in Internet. These threats are valid and can be accessed by any user in the Internet. The levels are computed by comparing the amount of threats (malware and phishing separately) received in the last 24 h (called 24h threat value) to the average value from the last 30 days (called average threat value). These levels are computed every 15 minutes.
This is how the graphs with the values per day for the last 30 days looks like: The graph with the values per hour for the last 24h:
Description Graphs Above:
Level 1 – Normal (Green)

Risk: Low – there is much less activity than the average avira’s develop have seen in the last 30 days. This condition corresponds to no discernible malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings.

Level 2 – Average (Yellow-Green)

Risk: Low to Moderate – there is relatively less activity than the average avira’s team have seen in the last 30 days. This condition corresponds to some malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings. This risk level is usually “the calm before the storm”, so we advise avira’s customers to keep an eye on our website for information and updates.

Read More
eXTReMe Tracker
.