Sinowal Trojan not on rampage, says Sophos

Security experts have poured cold water on media reports that claim some 20,000 Australian bank accounts have been compromised by the Sinowal Trojan.

Press releases circulating through the media over the past month claim the malware stole up to 300,000 bank account details without detection since February 2006.

The data was collected as part of a monthly fraud reports distributed by the RSA Fraudaction Research Lab based in Israel. The firm originally linked the Trojan to Russian criminal networks, but now claims the source behind the malware is unknown.

Sophos Asia Pacific head of technology Paul Ducklin said it is impossible to claim to establish how many bank accounts were compromised, and claimed Sinowal is a group of malware that has circulated for more than a decade.

"Sinowal (aka Torpig, Mebroot) is not a single piece of malware, any more than, say, Africa is a single country or Sydney a single suburb," Ducklin said.

"Even back in 1990, when many people still didn't believe that viruses existed, and when those who did updated their software once every three months or so, no single active virus would have escaped detection for that long. So in 2008, that simply isn't going to happen.

"The data is not reliable because it is taken from raft of sources and not all [stolen] bank accounts are legitimate."

Ducklin suggested a drop-site server, used by malware applications to deposit stolen information and recently discovered by RSA, was the source of the problem. Global spam recently fell by 75 percent following the removal of a drop site operating in a Californian hosting company.

In an online security blog RSA said a single gang was behind the Sinowal Trojan that had stolen the banking data, and labelled it "one of the most pervasive and advanced pieces of crimeware ever created".

"Sinowal [has been] collecting and transmitting information for almost three years. [This] is a very, very long time for just one online gang to maintain the lifecycle and operations in order to effectively utilise just one Trojan," according to the website.

An expert in one of Australia's top security research firms, who requested anonymity, said the statistics will vary wildly between sources.

"The [criminals] don't trade bank account details like it is suggested - they have huge gigabyte log dumps of data containing dead credit cards, and faulty data," he said.

"[Security] researchers inject false data into these logs when they are found just to screw up [malware] operations so there is no way to tell what accounts are legitimate.

"Issuing these releases are actually damaging to the [anti-malware] cause because the criminals move on and are harder to find."

A spokesperson for RSA said a media release, part of its forthcoming threat reports, was sent out early because of the severity of the malware detected.

"The numbers come from our Israel labs and it is a bigger deal so it came out earlier," the spokesperson said.

"It is about protecting our customers and notifying the industry."

Security-assessment.com Asia Pacific general manager Drazen Drazic said the threat alerts are hyped to promoted security products.

"Every man and his dog has been telling us how their products will provide for ultimate protection for years. If they want to really blow us away, give us a guarantee, but we know we won't get that," Drazic said.

Cybercrime is worth more 100 billion (£67 billion) a year according to the Australian High Tech Crime Centre, with Australia losing between $30 and $60 million a year to Advanced Fee Fraud, such as Nigerian phishing scams.

Researchers claim some Sinowal/Torpig/Mebroot Trojan variants contain rootkits and are distributed via drive-by-downloads which exploit holes in operating systems and browsers.