Torpig, Sinowal and Mebroot

Trojan Horse
Creative Commons License photo credit: Zesmerelda

…are Very Nasty Trojan Horses.

What are these Trojans?

First, from Wikipedia:
‘Torpig, also known as Sinowal and Mebroot, is a type of Trojan horse which can affect computers using Microsoft Windows as their operating system. Torpig turns off anti-virus applications, allows others to access the computer, modifies data on the computer, steals confidential information (such as user passwords) and installs more malware on the victim’s computer. As of November 2008 it has been responsible for stealing the details of about 500,000 online bank accounts and credit and debit cards and is described as “one of the most advanced pieces of crimeware ever created”.’

That’s all from there. Just scratching the surface really.
The quote, by the way, “one of the most advanced pieces of crimeware ever created”, seems to come from a spokesperson at security company RSA, UK.

How nasty are they? Very. See this article at the BBC.

I mentioned these trojans in a previous post.

Then I began to think about readers here: they will want to know whether their PC is infected, and if so, what to do about it.

Are you infected with Torpig, Sinowal or Mebroot?

Firstly: if you DO have one of these trojans your PC is NOT SECURE. Do not do any banking, shopping or anything that involves using your passwords or private information.

This malware puts you at risk of identity theft. Here is some advice about what to do if you think you might have become a victim of identity theft.

How to Detect Torpig, Sinowal or Mebroot

The following programs seem to be able to reliably detect the presence of these trojans.

1. SpyBotS&D

Judging from various reports, I believe SpyBot, the free spyware tool, will tell you if you are infected.
That’s SpyBot-Search and Destroy aka ‘SpyBotS&D’.

SpyBot is free: you can download it from the link on our page.

2. Free online virus scan from Kaspersky.

Also, Kaspersky Lab’s free online scan should detect these trojans.
This is a thorough scan, performed over your internet connection, and will probably take some time.

3. A free trial of Kaspersky Anti-Virus.

Also, you could download the free trial of Kaspersky Anti-Virus.

In some countries outside the USA links to free trials may not operate as expected: if so, download the free trial of Kaspersky Anti-Virus 2009 from us here.

4. The free version of avast! antivirus.

See the link on our main anti-virus page.

5. Malwarebytes’ Anti-Malware

This is free to download and use. No payment is required unless you want to activate extra features later.
I don’t know to what extent Malwarebytes’ Anti-Malware can always detect Torpig, Sinowal and Mebroot. However, as you can see on this CastleCops thread about Mebroot help, the expert there definitely wanted to see what the Malwarebytes Anti-Malware scans reported about trojans and malware on the user’s system.

Remember, the worst trojans are often ‘combined threat’ malware: there is every chance that, once they have made their nest in your system, they will try to download more virus and spyware programs onto your PC. That alone is enough of a reason to have a quality tool like this that can check for malware on your PC.

You can download Malwarebytes Anti-Malware here. (The blue ‘Download’ button is the free version.)

Some important points to note about these trojans.

  • These trojans like to hide: not every security program will find them.
  • These trojans may attempt to turn off security software you have installed.
  • These trojans have a reputation for coming back even after you have taken steps to remove them. That is what a rootkit can do: Mebroot installs itself in the Master Boot Record, so its code runs before Windows starts and can interfere with what the running system (and the scanners on it) get to see.

There might be variations in the exact names of the trojans, e.g. one is “Backdoor.Win32.Sinowal.ce”.

Now I hope to goodness you are not infected with any of these trojans.

But what if you are infected?

Firstly, remember that a main role of anti-virus and security software is to prevent this kind of thing from ever getting onto your PC. It is a lot easier to keep these things out than it is to repair a compromised system.


But, again, what if the trojans are already present?

It seems to me you have three options.

  1. Manual removal of the trojan and all its files.
  2. Using some software to remove the trojan.
  3. Getting an expert to fix the problem.

Let’s see what each of these will involve.

1. Manual removal of the trojan and all its files.

If you are happy to mess about with your Windows registry, system files (and possibly your Master Boot Record) then read on. If not, skip this option.

Here is a link to a page at the SpyBot forums where help is offered to a victim of the Torpig trojan.

As you can see, it’s no picnic to manually remove these beasties. Try this solution only if you still feel confident after reading that page.

On the other hand, the people at CastleCops might be able to give you step-by-step help.
CastleCops thread about Mebroot help.
Note that this particular thread runs out to about 6 pages. Before the PC can be declared clean there will be a lot of work running scans, checking logs etc.
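To make concrete what “tampering with the Master Boot Record” means, and what the manual repair of it involves, here is an added example. It is not code from the original post, from the CastleCops or SpyBot forums, or from any antivirus product. It parses a 512-byte MBR, compares the boot-code part against a hash taken from a known-clean machine, and builds a repaired sector that keeps the existing partition table while replacing the boot code, which is the same job the Windows Recovery Console’s fixmbr command does. Assumptions, stated here and in the comments: the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, a 0x55AA signature); the sample sectors and the baseline hash are constructed for the demonstration and are not real Windows data; the device paths in the comments are the usual ones, but the read must be done from clean boot media because a rootkit that is running can alter what a disk read returns.

```python
"""MBR check-and-repair helper (added example, not from the post or any vendor).

Assumed layout (classic MBR): bytes 0..445 boot code, bytes 446..509 four
16-byte partition entries, bytes 510..511 the 0x55AA signature.
"""
import hashlib
import struct

BOOT_CODE_LEN = 446      # what an MBR rootkit such as Mebroot replaces
PART_TABLE_OFF = 446     # partition table must be preserved or the data is "lost"
SIGNATURE = b"\x55\xaa"
SECTOR_LEN = 512


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code and the non-empty partition entries."""
    if len(sector) != SECTOR_LEN:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table legitimately differs per machine."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    info = parse_mbr(sector)
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from trusted baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one bootable partition, found %d" % len(bootable))
    return findings


def repair_mbr(current: bytes, clean_boot_code: bytes) -> bytes:
    """Trusted boot code + the CURRENT partition table (what fixmbr does).
    Partitions and the files on them are untouched; only the first 446 bytes change."""
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("clean boot code must be 446 bytes")
    parse_mbr(current)  # refuse to touch something that is not even a valid MBR
    return clean_boot_code + current[PART_TABLE_OFF:510] + SIGNATURE


def read_first_sector(device: str) -> bytes:
    """Read sector 0 of a raw device.
    Windows: r"\\.\PhysicalDrive0" (run as administrator); Linux rescue media: "/dev/sda".
    Boot from clean media first: a live rootkit can filter what the OS returns here."""
    with open(device, "rb") as f:
        return f.read(SECTOR_LEN)


# ---- constructed sample data (NOT a real Windows MBR) ----
def _entry(bootable, ptype, lba_start, sectors):
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00\x02\x00",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


def _build(boot_code, entries):
    table = b"".join(entries) + b"\x00" * (64 - 16 * len(entries))
    return boot_code + table + SIGNATURE


CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)
CLEAN_MBR = _build(CLEAN_BOOT_CODE, [_entry(True, 0x07, 2048, 204800)])
# Baseline: in practice take this from a known-clean machine and keep it offline.
CLEAN_BASELINE = boot_code_hash(CLEAN_MBR)
# "Tampered": same partition table, boot code replaced, as an MBR rootkit does.
TAMPERED_MBR = _build(b"\xeb\x3c" + b"\x00" * (BOOT_CODE_LEN - 2),
                      [_entry(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, CLEAN_BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, CLEAN_BASELINE))
    print("repaired equals clean:", repair_mbr(TAMPERED_MBR, CLEAN_BOOT_CODE) == CLEAN_MBR)
```

Run it from a rescue CD or USB stick, not from the suspect Windows installation. The block deliberately stops at producing the repaired bytes; writing them back to the disk is a step you add only after taking a full image of the drive. A mismatch against the baseline is a finding to investigate, not proof of Mebroot: a legitimately installed boot manager also changes the boot code, which is why the baseline should come from a machine set up the same way as yours.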

If it were me that had the trojan, what would I do?
At this point I would be thinking ‘those guys at CastleCops are extremely helpful, patient and thorough. But I think I’ll send my PC to experts for repair.’

2. Using software to remove the trojan.

The author of the Anti-Malware Test Lab site says he has tested a number of anti-virus brands specifically aiming at the question of whether they can fix the problem when a computer is already infected with such trojans.

Backdoor.Win32.Sinowal.ce was one of the trojans included for testing.

I don’t know anything else about Anti-Malware Test Lab (antimalware.ru): I don’t know whether they are a trusted source of security information. They seem honest and independent. Apart from carrying a few advertisements on their site they are not trying to sell visitors anything. I’m just reporting what I see.

And what I see is this, in their results:

Best performers:
Dr.Web Anti-Virus 4.44: reported to have fixed 100% of the tested problems.
Kaspersky Anti-Virus 2009: reported to have fixed 80%
Avast! Professional Edition 4.8: reported to have fixed 80%

Also capable:
Agnitum Outpost Antivirus Pro 6.5: fixed 53%
Norton AntiVirus 2009: fixed 53%
Panda Antivirus 2009: fixed 40%

As for the Sinowal type malware, they had Backdoor.Win32.Sinowal.ce modifying the master boot record (MBR). Four programs were able to deal with it: Avast, Dr.Web Anti-Virus, Kaspersky Anti-Virus and McAfee.

They report that the malware most difficult to erase was Virus.Win32.Rustock.a, which was only fixed by Dr.Web Anti-Virus and Kaspersky Anti-Virus.

I’m not surprised that a lot of other brands did not fix a problem like this - one that involved a rootkit and malware that had already tampered with a disk’s master boot record. From a technical point of view this is just about the worst kind of malware you can imagine.
And anti-virus software has a lot of different jobs to do: this is only one of them - i.e. curing a disease that should never have been allowed to take hold at all.

But a comment on the Anti-Malware Test Lab site reminded me of something else. The comment was from Alexander Gostev at Kaspersky. He noted that back in the 1990s the idea that an anti-virus tool would FIX an already infected computer was central to the very meaning of ‘anti-virus’.
Mr. Gostev suggests that, with malice such as Rustock and Sinowal about, antivirus vendors had better maintain their focus on both issues, prevention AND cure.

I cast my mind back to somewhere around 1994… He’s right! In those days I wouldn’t even think about installing anti-virus software unless I thought I already had a virus.
The idea that anti-virus tools are mainly for border-patrol is a newer idea.
Well, everybody knows that prevention is better than cure - but you still need cures.

Another commentator referred to how his own company aims to keep its focus on the task of curing infected computers and called this “the path of the classic antivirus”.

Anyway, I have digressed: this was Option 2 for getting rid of Torpig, Sinowal or Mebroot. And the solution was to get security software capable of the task.

If it were me that had the trojan, what would I do?
If I identified that Dr.Web Anti-Virus, Kaspersky Anti-Virus or Avast could fix the problem I would install one or all of them and let them scan and fix.

BUT then I would still be wondering whether the infection had been completely cleared out.
I would get onto the web and look for forum posts like the CastleCops thread about Mebroot. I would be looking for anything they had to say about how to scan my PC and verify that the pests had been eliminated.

If I had any doubts I would be going for option 3…

3. Get an expert to fix the problem.

The first two options involve work and assume that the victims of malware have confidence in their own ability to evaluate the threat and carry out the hands-on steps to deal with it.

But this is contrary to the theme of this site, which is ‘computer security, explained simply - for ordinary PC users, not experts’.

If I had any doubts about whether my PC was still infected by malware such as Torpig, Sinowal or Mebroot then my computer would be in my car: I would be driving it to the premises of my friendly local security experts.

Note, I say EXPERTS. That’s not just any old person who advertises in your local paper or yellow pages saying ‘I will come to your place and fix your computer problems’.

Let’s put this into context. Suppose you have malware like this, that uses rootkit techniques and has overwritten the Master Boot Record of your hard drive. The hardware is fine, but the drive can no longer be trusted to start Windows honestly: the first code the PC runs when it boots is the malware’s, and only then does the real system load.

Put simply, there are two main ways in which your hard drive can let you down:

1. Mechanical or electronic parts have failed.
2. The data on the drive has been corrupted or tampered with.

If you have malware that employs rootkits and has tampered with the Master Boot Record then Number 2 above is true: the boot sector, and possibly system files too, have been altered by the malware even though the drive itself is healthy.

The usual common-sense wisdom about either condition is that the drive goes to experts: hard drive repair and data recovery specialists for the first, security and malware removal specialists for the second. In the second case the repair is to rewrite the boot sector from trusted boot media and scan the rest of the disk from there, and, if there is any remaining doubt, to wipe the drive and reinstall Windows, restoring only your data from backup.

I thought it was bad when I had a mechanical failure of a hard drive in 2007. I lost recent work and had to re-do it. I lost some family photos (lots of them) that were not backed up anywhere else.
I had to be ready to spend $900 for recovery of the data from the drive IF it was possible to recover it at all. (It wasn’t possible - I saved $900 but lost the data.)

For $900 I could have used a premium, off-site, automatic data back-up service for about nine years.
Or I could have bought two or three new hard drives for the same money. In fact, given that the computers I buy start off as a fairly bare box, I could have bought at least one computer for the price - and had some change left over.

That was the first time I had ever had a hard drive fail.

But having a hard drive under the influence of malicious trojans like Torpig, Sinowal and Mebroot is actually WORSE than a mechanical failure. Because those trojans can corrupt the boot sector of your hard drive AND send your bank account details to criminals.

Disclaimer: I’m not an expert at removing malware. I am just taking an interest and reporting what I see. I try to be as accurate as possible and explain things simply.

I don’t want to be an alarmist - somebody who frightens people into getting security software they don’t need.

But I don’t want to underestimate the level of the threats. These trojans have already stolen details of half a million bank accounts. It’s just stating the obvious to say that most of this theft occurred on computers that were not adequately defended by anti-virus and anti-spyware software. But I wouldn’t mind betting that most of the thefts occurred via PCs on which virtually no security measures were in place at all.
