Win32/Sinowal
Original issue date: October 17, 2008
It has been observed that Win32/Sinowal is spreading widely. Win32/Sinowal is a family of password-stealing and backdoor Trojans (it does not self-propagate like a worm). The Trojan is downloaded without the user's knowledge when visiting a malicious Web site (a drive-by download), and it can also be dropped by other malware.
Win32/Sinowal steals user names and passwords for e-mail accounts, and FTP and HTTP client account credentials, in particular for online banking Web sites. The Trojan then uploads the captured credentials to Web sites specified by the attacker. Some Win32/Sinowal components also open a backdoor on a randomly selected TCP port.
The Trojan may search for cryptographic certificates on the infected computer and install its own certificate, in order to mislead users in Secure Sockets Layer (SSL) Web transactions.
Some variants, such as VirTool:WinNT/Sinowal.A, have rootkit functionality. This component overwrites the Master Boot Record (MBR) and other sectors of the infected hard disk, and hooks the disk driver (disk.sys) so that read and write requests from anti-virus or security software for those sectors are answered with the original, clean contents. When the modified MBR executes at boot, it reads additional malicious code into memory; this code patches the NT kernel so that it loads a malicious driver stored in the unpartitioned sectors at the end of the physical disk. The driver is not visible while the infected operating system is running. Once loaded into the kernel, it behaves like a standard kernel-mode rootkit: it hooks low-level APIs to avoid detection and provides a covert network backdoor.
Some variants, such as TrojanDropper:Win32/Sinowal, drop other malicious or potentially unwanted software and install it on the affected system.
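The MBR technique above can be verified offline. The following Python script is an added example for this advisory, not code from CERT-In or Microsoft. It reads a raw image of the physical disk (a dd copy taken with the infected OS offline: while that OS runs, the rootkit's disk-driver hook returns the original clean sector for reads of the MBR, so a live read proves nothing), parses the MBR, compares the bootstrap code with a known-good copy, and scans the unpartitioned sectors at the end of the disk, where the driver body is kept. It assumes 512-byte sectors and classic MBR partitioning (on a GPT disk the last sectors legitimately hold the backup GPT header); REFERENCE_BOOT_CODE is a hypothetical stand-in for the clean MBR of an identical known-good machine, and the disk images are constructed for the example.

```python
"""Offline MBR check for the Sinowal/Mebroot rootkit technique.

Added example (not CERT-In's or Microsoft's code). Run against a raw disk
image taken while the infected OS is NOT running. Assumptions: 512-byte
sectors, MBR partitioning, REFERENCE_BOOT_CODE is a hypothetical clean MBR.
"""
import hashlib
import struct

SECTOR = 512
# status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector0: bytes):
    """Split the first sector into bootstrap code, partition list and signature flag."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    boot_code = sector0[:440]  # bytes 440..445 hold the per-disk signature, excluded
    sig_ok = sector0[510:512] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        status, _, ptype, _, start, count = PART_ENTRY.unpack_from(sector0, 446 + 16 * i)
        if ptype and count:
            partitions.append({"type": ptype, "start": start, "sectors": count,
                               "active": status == 0x80})
    return boot_code, partitions, sig_ok


def tail_slack(image: bytes, partitions):
    """Sectors after the last partition. Returns (first_free_lba, list of non-zero LBAs)."""
    total = len(image) // SECTOR
    end = max((p["start"] + p["sectors"] for p in partitions), default=1)
    nonzero = [lba for lba in range(end, total)
               if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    return end, nonzero


def check_image(image: bytes, reference_boot_code: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    boot_code, partitions, sig_ok = parse_mbr(image[:SECTOR])
    end, nonzero = tail_slack(image, partitions)
    findings = []
    if not sig_ok:
        findings.append("MBR signature 0x55AA missing")
    if hashlib.sha256(boot_code).digest() != hashlib.sha256(reference_boot_code).digest():
        findings.append("MBR bootstrap code differs from the known-good reference")
    if nonzero:
        findings.append(f"{len(nonzero)} non-zero sector(s) beyond the last partition "
                        f"(first at LBA {nonzero[0]}, disk ends at LBA {len(image) // SECTOR - 1})")
    return findings


def build_image(boot_code: bytes, part_start: int, part_sectors: int,
                total_sectors: int, tail_payload: bytes = b"") -> bytes:
    """Constructed test image: one NTFS partition plus optional data at the disk end."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[446:462] = PART_ENTRY.pack(0x80, b"\0\0\0", 0x07, b"\0\0\0", part_start, part_sectors)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(total_sectors * SECTOR)
    image[:SECTOR] = mbr
    if tail_payload:
        image[-len(tail_payload):] = tail_payload
    return bytes(image)


# Hypothetical clean bootstrap: the usual Windows MBR prologue, zero-padded to 440 bytes.
REFERENCE_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\0" * 433
CLEAN_IMAGE = build_image(REFERENCE_BOOT_CODE, 63, 100, 256)
# Constructed "infected" image: first instruction replaced by a jump, and two
# sectors of driver data written past the partition at the very end of the disk.
INFECTED_IMAGE = build_image(b"\xeb\x3f" + REFERENCE_BOOT_CODE[2:], 63, 100, 256,
                             tail_payload=b"MZ" + b"\x90" * 1022)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(label, check_image(img, REFERENCE_BOOT_CODE) or ["no findings"])
```

On a real case, replace the constructed images with the bytes of the dd image and REFERENCE_BOOT_CODE with the first 440 bytes of sector 0 from a known-good machine of the same build; the per-disk signature and partition table are deliberately left out of the comparison because they differ legitimately between disks.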
Aliases:
- Trojan-PSW.Win32.Sinowal.gd (Kaspersky)
- W32/Sinowal.ALH (Norman)
- MBR Rootkit (other)
- Mebroot (other)
- Trojan.Mebroot (Symantec)
- TROJ_SINOWAL.AD (Trend Micro)
Upon execution, a typical variant:
- Drops the following files:
  $_2341234.TMP, _exp.exe, cgrb.exe, exp.exe, ism.dll, trc.di, bm00001.dll, ibm00002.dll
- Modifies the registry:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Data: explorer.exe<100 spaces><executable's path>
    (the run of spaces pushes the appended path out of the column regedit displays, so the value looks like the normal "explorer.exe")
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: shell
    Data: <executable's path>
  HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmlSvc
    Value: ImagePath
    Data: %SystemRoot%\System32\svchost.exe -k netsvcs
    (registers itself as a svchost-hosted service named NtmlSvc)
  HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmlSvc
    Value: Start
    Data: 2 (automatic start at boot)
  HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmlSvc\Parameters
    Value: ServiceDll
    Data: <random folder>\ibm<random number>.dll
- Hides itself by injecting into each running process
- Collects e-mail credentials for POP3, IMAP, SMTP, HTTPMail and other e-mail accounts
- Collects the user's FTP login credentials from various FTP client applications, e.g. FTP Voyager, Trellian FTP, WS_FTP
- Monitors browser history and the browser's Favorites
- Sends the retrieved information either by e-mail or by uploading it to a remote Web site
- Tries to delete all files in %userprofile%\Cookies
- Creates files in <systemfolder>\temp
- Contacts the remote control server and receives a list of banking sites; whenever one of these sites is accessed, a pop-up window is generated whose contents are fetched from the control server and whose caption is changed to "Advanced card verification" to hide the fact that it is a browser window
- Captures the contents of form fields whose name contains at least one of the strings "login", "user", "name", "pass" or "auth" and relays them to the server
- Sleeps for a random period of 15 to 30 minutes and then initiates a system shutdown; the dialog box showing the countdown timer is hidden from the user
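The registry entries listed above can be checked from an export of the relevant hives rather than by eye, which matters because the padded Shell value is designed to look normal in regedit. The following Python script is an added example for this advisory, not code from CERT-In or Microsoft. It parses the text written by `reg export`, flags a Winlogon Shell value that is anything other than "explorer.exe" (reporting what follows the padding), Run entries launched from a Temp directory, and svchost-hosted services whose ServiceDll is not a DLL sitting directly in System32. Assumptions: only REG_SZ and REG_DWORD lines are handled (real exports write REG_EXPAND_SZ as hex(2) lines, which this parser skips), the "directly in System32" rule is a heuristic for XP-era systems, and the sample export, its paths and the shortened run of spaces are constructed for the example.

```python
"""Registry-indicator check for the Winlogon / Run / NtmlSvc entries.

Added example (not CERT-In's or Microsoft's code). Parses `reg export` text.
Assumptions: REG_SZ and REG_DWORD values only; System32 heuristic is XP-era.
"""
import re

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SERVICES = "hkey_local_machine\\system\\controlset001\\services\\"
# Heuristic: a legitimate svchost-hosted ServiceDll is a DLL directly under
# System32, with no further subdirectory (so "...\system32\temp\x.dll" fails).
SYSTEM32_DLL = re.compile(r"^(%systemroot%|c:\\windows)\\system32\\[^\\]+\.dll$", re.I)


def unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path_lowercase: {value_name: data}} for REG_SZ / REG_DWORD lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_LINE.match(line)):
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        if current is None or not (m := VALUE_LINE.match(line)):
            continue
        name, data = unescape(m.group("name")), m.group("data")
        if len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
    return keys


def find_indicators(keys: dict) -> list:
    """Return (location, detail) pairs for the entries the advisory describes."""
    findings = []
    shell = keys.get(WINLOGON, {}).get("Shell", "")
    if shell and shell.strip().lower() != "explorer.exe":
        pad = re.search(r"\s{8,}", shell)  # the padding that hides the appended path
        detail = (f"extra command after padding: {shell[pad.end():]}" if pad
                  else f"non-standard shell: {shell}")
        findings.append(("Winlogon\\Shell", detail))
    for key, values in keys.items():
        if key.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str) and "\\temp\\" in data.lower():
                    findings.append((f"{key}\\{name}", f"Run entry from Temp: {data}"))
        elif key.startswith(SERVICES) and key.endswith(r"\parameters"):
            dll = values.get("ServiceDll", "")
            if dll and not SYSTEM32_DLL.match(dll):
                start = keys.get(key[:-len(r"\parameters")], {}).get("Start")
                findings.append((key[len(SERVICES):],
                                 f"ServiceDll outside System32: {dll} (Start={start})"))
    return findings


# Constructed sample export (not a real capture); the Shell padding is
# shortened from the ~100 spaces the advisory describes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe                                        C:\\WINDOWS\\system32\\temp\\exp.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shell"="C:\\WINDOWS\\system32\\temp\\exp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtmlSvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtmlSvc\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\temp\\ibm00002.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"
'''

if __name__ == "__main__":
    for where, what in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{where}: {what}")
```

On a live system, feed it the output of `reg export HKLM\SYSTEM`, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and the Run keys (the export files are UTF-16, so open them with that encoding); since the rootkit can hide what the running system reports, results are only trustworthy when the hives are read from the offline disk.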
In view of the rapid propagation of the Sinowal Trojan variants, users are advised to implement the following countermeasures. Because the rootkit hides its sectors, files and injected code while the infected system is running, cleanup steps should be carried out from a clean boot environment (the Recovery Console, a boot CD, or the disk attached to a clean system).
- Delete executables with the above-mentioned names.
- Delete the registry entries made by the Trojan as listed above.
- Install and run anti-rootkit detection tools to clean the infected system, e.g. GMER:
  http://www.gmer.net/index.php
- To help prevent similar attacks in the future, enable the Master Boot Record write-protection feature in the BIOS, where available. Note that this protection only intercepts writes made through BIOS disk services; it does not stop a program running under Windows from writing the MBR through the disk driver, so it is not a substitute for the other measures.
- Repair the MBR by running the "fixmbr" command from the Windows Recovery Console, which replaces the malicious MBR code. The driver body stored at the end of the disk is not removed by fixmbr; it is inert once the MBR no longer loads it, but should be wiped or preserved for forensic analysis.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep the operating system up to date with patches and fixes.
- Install and maintain a desktop firewall and block the ports that are not required.
- Exercise caution while visiting both trusted and untrusted sites.
- Disable Active Scripting in the browser while visiting untrusted websites.
References
Microsoft
http://www.microsoft.com/security/portal/SearchResults.aspx?query=sinowal
http://www.microsoft.com/security/portal/Entry.aspx?name=VirTool:WinNT/Sinowal.A
http://www.microsoft.com/security/portal/Entry.aspx?name=VirTool:WinNT/Sinowal.B
http://www.microsoft.com/security/portal/Entry.aspx?name=PWS:Win32/Sinowal.gen!C
http://www.microsoft.com/security/portal/Entry.aspx?name=PWS:Win32/Sinowal.gen!D
http://www.microsoft.com/security/portal/Entry.aspx?Name=PWS%3aWin32%2fSinowal.AGZ
Anti-Malware Engineering Team, Microsoft
http://blogs.technet.com/antimalware/archive/2008/01/10/mbr-rootkit-virtool-winnt-sinowal-a-report.aspx
Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SINOWAL.AD&VSect=T
CERT-In Virus Alert: MBR Rootkit
http://www.cert-in.org.in/virus/MBR_Rootkit.htm
Disclaimer: The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003