Trojan Sinowal

The main purpose is to steal bank account information in a professional manner. The config file, which can be found in `c:\windows\temp`, showed that more than 1000 banks are affected.
Recent versions of the Sinowal Trojan hook functions in advapi32.dll, wininet.dll and crypt32.dll that are used by Internet Explorer. Thus external code can be injected into the web content which is then presented to the user. In general the Sinowal Trojan checks the pages requested in the browser and, depending on a match (e.g. a URL of a bank defined in the config), loads additional content to inject from its own malware servers. The communication with these servers is made with encrypted POST/GET requests to receive the content to inject. The collected and stolen account information is sent using SSL.
In order to find its servers, the malware requests domain names generated by a special algorithm. Thus an infected machine requests a series of different domain names until it finds a host which is alive and can provide the requested data.
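The lookup pattern just described (a burst of failed queries for generated names, then one that answers) is something a defender can look for in resolver logs. The following is an added example, not S21sec's code, and it assumes a constructed four-field log format of time, client, query name and response code; the entropy threshold and failure count are illustrative tuning values.

```python
"""Flag clients whose DNS queries look like a search for a live server
over algorithmically generated domain names. Log lines are constructed."""
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<time> <client> <qname> <rcode>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example-bank.test NOERROR
10:00:02 10.0.0.7 qzkfjwvbl.test NXDOMAIN
10:00:02 10.0.0.7 tpwxgnmrc.test NXDOMAIN
10:00:03 10.0.0.7 bvlkqzhdj.test NXDOMAIN
10:00:03 10.0.0.7 mrcqwnfxt.test NXDOMAIN
10:00:04 10.0.0.7 hjzxvkqlb.test NOERROR
10:00:05 10.0.0.5 mail.example.test NOERROR
10:00:06 10.0.0.5 cdn.example.test NOERROR
"""

def label_entropy(name: str) -> float:
    """Shannon entropy (bits per character) of the leftmost DNS label.
    Random-looking generated labels score high; 'www', 'mail', 'cdn' score low."""
    label = name.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text: str):
    """Yield (client, qname, rcode) for every well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def suspicious_hosts(text: str, min_failures: int = 3, min_entropy: float = 3.0) -> dict:
    """Return {client: {"failed": [...], "answered": [...]}} for clients with at
    least `min_failures` NXDOMAIN answers on high-entropy names. `answered` lists
    the high-entropy names that did resolve for that client: after a burst of
    failures these are the candidates to review and block."""
    failed, answered = defaultdict(list), defaultdict(list)
    for client, qname, rcode in parse_log(text):
        if label_entropy(qname) < min_entropy:
            continue  # ordinary hostnames are not part of the pattern
        (failed if rcode == "NXDOMAIN" else answered)[client].append(qname)
    return {c: {"failed": failed[c], "answered": answered[c]}
            for c in failed if len(failed[c]) >= min_failures}

if __name__ == "__main__":
    for client, info in suspicious_hosts(SAMPLE_LOG).items():
        print(client, "failed:", len(info["failed"]), "answered:", info["answered"])
```

On the constructed log only 10.0.0.7 is reported, with four failed generated names and the one that finally answered.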
For a fast check and for disinfection of the Sinowal Trojan, GMER can also be used.
Clemens Kurtenbach
S21sec labs