Trojan Sinowal

Recently we did some research about the Trojan Sinowal (also known as Torpig). These days it is one of the most famous and common malware variants with the main objective to steel bank account information. A big difference to other Trojans is that the main infection is made into the MBR – thus making it more difficult for AV’s to detect it. More information about the history and the way of infection can be found at the GMER website.

The main purpose is to steal bank account information in a professional manner. The config file which can be found in ‘c:windowstemp’ showed that more than 1000 banks are affected.

Recent versions of the Sinowal Trojan hook functions in advapi32.dll, wininet.dll and crypt32.dll used by the Internet Explorer. Thus external code can be injected into the web content which is then presented to the user. In general the Sinowal Trojan checks for the requested pages in the browser, and depending on a match (e.g. a URL of a bank defined in the config) it loads additional content to inject from its own malware servers. The communication with these servers is made with encrypted POST/GET request to receive the content to inject. The collected and stolen account information is sent using SSL.

In order to find its servers the malware requests domain names based on a special algorithm. Thus an infected machine requests different domain names to find a host which is alive and can provide the requested data.

For a fast check and for disinfection of the Sinowal Trojan also GMER can be used.

Clemens Kurtenbach
S21sec labs