Clever Geek Handbook

Backdoor.Win32.Sinowal

Backdoor.Win32.Sinowal is a bootkit that steals users' confidential information. It is a Windows application (PE-EXE file). Virus type: boot virus. It was discovered at the end of March 2009. The size of the installer varies from 300 to 460 KB.

Content

  • 1 Installation
  • 2 Disguise in the system
  • 3 Destructive activity
  • 4 Distribution Method
  • 5 Detection and treatment
  • 6 See also
  • 7 References

Installation

At startup, the installer writes the encrypted body of the bootkit to the last sectors of the hard disk, outside the disk space used by the operating system. To ensure that it is started, the bootkit infects the computer's MBR by writing its own bootloader into it. Before the operating system starts, this bootloader reads the main body of the rootkit from the disk and deploys it in memory, after which it hands control to the OS and monitors the boot process.

Disguise in the system

To hide its presence in the system and avoid detection by anti-virus programs, this backdoor intercepts disk access at the sector level. To do this, the malware replaces the IRP_MJ_INTERNAL_DEVICE_CONTROL I/O request handler in the last driver of the boot disk's driver stack.

Since cybercriminals had never used such techniques before, none of the anti-virus products that existed when Sinowal appeared could even detect the problem, let alone disinfect computers infected with Backdoor.Win32.Sinowal. Once it has penetrated the system, the bootkit provides covert operation for its main module, which is focused on stealing users' personal data and the credentials of their various accounts.
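The two sections above describe where the bootkit leaves traces on disk: a modified MBR boot code and non-zero data in the sectors beyond the last partition. The following script is an added example (not code from the article or from any anti-virus vendor) of an offline integrity check that looks for exactly those two signs in a raw disk image. Because the backdoor hooks the disk I/O path of the running system, an image read from inside an infected Windows would show a clean MBR; the check only makes sense on an image acquired after booting from clean media. The disk image, the "known-good" boot code and the payload bytes are all constructed for the demonstration, and the partition layout is a hypothetical single-partition disk.

```python
"""
Offline MBR / disk-tail integrity check (added example, not from the article).

Parses a raw disk image, compares the 446-byte MBR boot code against a
known-good SHA-256 baseline, and reports any sectors after the end of the
last partition that contain non-zero data, which is where the article says
the bootkit stores its encrypted body.
"""
import hashlib
import struct

SECTOR = 512


def parse_partitions(mbr: bytes):
    """Return (start_lba, sector_count) for each used entry of the MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((start_lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code area only; the partition table and signature are excluded."""
    return hashlib.sha256(mbr[:446]).hexdigest()


def unpartitioned_tail_sectors(image: bytes):
    """LBAs past the last partition that hold non-zero data (a clean disk has none)."""
    parts = parse_partitions(image[:SECTOR])
    total = len(image) // SECTOR
    end = max((start + count for start, count in parts), default=1)
    return [lba for lba in range(end, total)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]


def check_image(image: bytes, known_good_hash: str) -> dict:
    """Combine both indicators into one report for the image."""
    return {
        "boot_code_modified": boot_code_hash(image[:SECTOR]) != known_good_hash,
        "tail_sectors_with_data": unpartitioned_tail_sectors(image),
    }


def build_image(total_sectors: int, boot_code: bytes, tail_payload: bytes = b"") -> bytes:
    """Constructed sample disk: one type-0x07 partition from LBA 2 that leaves the
    last 8 sectors of the disk outside any partition."""
    mbr = bytearray(SECTOR)
    code = boot_code[:446]
    mbr[:len(code)] = code
    part_start, part_count = 2, total_sectors - 2 - 8
    # status 0x80 (bootable), CHS fields left zero, type 0x07, then LBA start and count
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_start, part_count)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(total_sectors * SECTOR)
    image[:SECTOR] = mbr
    if tail_payload:
        # place the payload in the last sectors, mirroring what the article describes
        image[-len(tail_payload):] = tail_payload
    return bytes(image)


# Constructed placeholder boot code; not a real Windows MBR.
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 40
# Constructed "infected" boot code: same start, a different jump, i.e. a changed loader.
INFECTED_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb\xeb\x10" + b"\x90" * 30
# Baseline taken from a known-clean image of the same disk layout.
BASELINE_HASH = boot_code_hash(build_image(64, CLEAN_BOOT)[:SECTOR])


def demo():
    """Run the check on a clean and on a constructed infected image; return both reports."""
    clean = build_image(64, CLEAN_BOOT)
    infected = build_image(64, INFECTED_BOOT, tail_payload=b"\xde\xad" * 600)
    return check_image(clean, BASELINE_HASH), check_image(infected, BASELINE_HASH)


if __name__ == "__main__":
    clean_report, infected_report = demo()
    print("clean   :", clean_report)
    print("infected:", infected_report)
```

On a real acquisition the same two functions apply to the first 512 bytes and to the region between the end of the last partition and the end of the device; data past the last partition is not by itself proof of infection (some tools leave metadata there), so the report is a lead for further analysis rather than a verdict.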

Destructive activity

The backdoor downloads an additional module containing spyware functionality from the attackers' sites and injects it into user processes running on the system. The spy module intercepts the following system cryptographic functions (Windows CryptoAPI):

  • CryptDestroyKey
  • CryptEncrypt
  • CryptDecrypt

and steals all encryption keys used in the system, together with the data being encrypted and decrypted. The rootkit sends the collected information to the attackers' site. The backdoor constantly migrates between malicious servers, for which it uses a special algorithm that generates a domain name from the current date.

Distribution Method

Currently, it is distributed mainly through three types of resources:

  1. compromised sites;
  2. pornographic resources;
  3. resources that distribute malware.

According to analysts at Kaspersky Lab, a Russian trace can be seen in all of this: most of the distribution sites are connected to each other by links, a form of cooperation that is very popular in the Russian and Ukrainian underground.

These resources host a script that begins the first stage of the victim's infection. The victim is redirected to an IP address; the domain to which the victim is redirected is generated by the script, and the generation is based on the date set on the victim's computer.

Another technique related to its spread is the cookies that the virus leaves on the victim's machine. The lifetime of these cookies is 7 days. Their purpose is to identify the victim when the script runs again: the cookies are checked, and if the script detects that the computer has already been exposed to the backdoor, no redirection takes place.

Detection and treatment

Detecting and removing this bootkit, which is still being distributed on the Internet, is the most difficult task that anti-virus industry specialists have had to deal with in several years. Today, however, this virus is handled by almost all leading anti-virus programs.

See also

Anti-virus Utilities

References

Backdoor.Win32.Sinowal. Harmonious combination of components
And again Backdoor.Win32.Sinowal. Leap into the future
Backdoor.Win32.Sinowal.fiv

Source - https://ru.wikipedia.org/w/index.php?title=Backdoor.Win32.Sinowal&oldid=88224490



Clever Geek | 2019