Surge in Sinowal distribution

Fairly recently I blogged about the distribution of Sinowal (aka Mebroot or Torpig) via compromised web pages [1]. Well, over the last couple of weeks we have observed a noticeable rise in the volume of such pages here at SophosLabs.

In keeping with the stealthy nature of Sinowal itself, the volume of sites used in the distribution of this family has always been relatively low, “sub-radar”. No mass site injections to ring alarm bells like those seen in recent attacks such as Gumblar [3].

As noted in the previous post, the malicious scripts used for Sinowal distribution (detected as Mal/ObfJS-AG) essentially just load content from another site. But they do it with a little more finesse than your standard redirector. The scripts contain a simple algorithm to change the target domain according to the date. Several versions of the malicious scripts are known, broadly classified as follows:

  • generate target domain based on the date, and write an iframe to a page on that domain
  • generate target domain based on the date, open popup to a page on that domain
  • generate target domain based on date and data dynamically extracted from downloaded Twitter data

The recent surge in Mal/ObfJS-AG detections appears to be attributable to scripts of the last type. When the compromised page is rendered in the browser, the script dynamically retrieves search trend data from Twitter (publicly available as JSON data) and uses the contents of this in its domain generation algorithm.

Sneaky: because the domain depends on data that does not exist until the day it is fetched, researchers cannot generate lists of Sinowal domains in advance and blacklist them proactively.
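The following is an added illustration of the defender-side difference between the script types described above; it is not the actual Mal/ObfJS-AG algorithm (which this post does not reproduce), and the hash, the label generator and the sample trend feed are all constructed for the example. The point it shows is that a domain generator keyed only on the date can be enumerated ahead of time and pushed to a blocklist, while one that also mixes in a live feed value cannot be computed until that day's feed is known:

```javascript
// Added example: a hypothetical date-keyed and feed-keyed domain generator,
// modelled on the behaviour described in the post, NOT the real Sinowal code.

// Small deterministic string hash (FNV-1a, 32-bit) used as the mixing step.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Expand a 32-bit seed into a label of `len` lowercase letters (constructed LCG).
function labelFromSeed(seed, len) {
  const letters = 'abcdefghijklmnopqrstuvwxyz';
  let s = seed >>> 0;
  let out = '';
  for (let i = 0; i < len; i++) {
    s = (Math.imul(s, 1103515245) + 12345) >>> 0;
    out += letters[(s >>> 16) % 26];
  }
  return out;
}

// Script types 1 and 2 in the post: the target depends only on the date (UTC day).
function dateDomain(date, tld = 'com') {
  const key = date.toISOString().slice(0, 10); // e.g. "2009-06-01"
  return labelFromSeed(fnv1a(key), 10) + '.' + tld;
}

// Script type 3: the date is mixed with a value taken from downloaded trend data.
// The feed layout here is a constructed stand-in, not the Twitter JSON of the time.
function trendDomain(date, trendsJson, tld = 'com') {
  const key = date.toISOString().slice(0, 10);
  const top = JSON.parse(trendsJson).trends[0].name.toLowerCase();
  return labelFromSeed(fnv1a(key + '|' + top), 10) + '.' + tld;
}

// Defender view: a date-only generator can be pre-enumerated for the next N days
// so the domains are on a blocklist before the scripts ever switch to them.
function preEnumerate(startDate, days) {
  const out = [];
  for (let i = 0; i < days; i++) {
    const d = new Date(startDate.getTime() + i * 86400000);
    out.push(dateDomain(d));
  }
  return out;
}

// Constructed sample feed; only the first entry is consumed by trendDomain().
const SAMPLE_TRENDS = JSON.stringify({ trends: [{ name: 'Example' }, { name: 'Other' }] });
const OTHER_TRENDS = JSON.stringify({ trends: [{ name: 'Different' }] });

// Usage: same calendar day, but the feed-keyed domain changes with the feed,
// which is exactly what defeats proactive list generation.
const day = new Date(Date.UTC(2009, 5, 1));
console.log('date-only, next 3 days:', preEnumerate(day, 3));
console.log('feed-keyed, feed A:', trendDomain(day, SAMPLE_TRENDS));
console.log('feed-keyed, feed B:', trendDomain(day, OTHER_TRENDS));
```

In practice the useful detection signal for the feed-keyed variant is therefore not the domain list but the script itself (its fetch of the trend JSON from within an injected page) and the resulting redirect, which is why blocking happens at the Mal/ObfJS-AG detection rather than on a precomputed domain blacklist.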

For those unfamiliar with Sinowal, it is nasty. The threat compromises various components, but essentially it is an MBR rootkit used for hiding a banking malware payload. Sophos customers will be protected from the threat when they browse one of the sites injected with the Sinowal scripts – it will be blocked as Mal/ObfJS-AG.

Additionally, the Sinowal malware installed if the redirection is successful is also detected, as Mal/Sinowa-A. Finally, the modified MBR is detected, as Troj/Mbroot-G.

Curiously, a significant percentage of the sites we are seeing at the moment are Italian. In particular, a single service provider appears to be the link between a wide variety of victim sites. Time for a phone call…