If your software garbles this newsletter, read this issue at WindowsSecrets.com.
| || |
YOUR NEWSLETTER PREFERENCES Change
Delivery address: firstname.lastname@example.org
Alternate address: email@example.com
Locale: Canada L3B 5N5
Reader number: 35034-18272
Windows Secrets Newsletter • Issue 176 • 2008-11-20 • Circulation: over 400,000
Table of contents
INTRODUCTION: No Thanksgiving content, but look for news updates
TOP STORY: Don't be a victim of Sinowal, the super-Trojan
KNOWN ISSUES: A freebie really does streamline Windows startup
WACKY WEB WEEK: I'll call you back, I'm about to hit a dead zone
LANGALIST PLUS: How to solve "delayed write failed" errors
BEST SOFTWARE: A favorite tool gets an easier-to-use update
PERIMETER SCAN: Great system tools that don't cost a dime
| You're receiving only our free content. Use the following link to upgrade and get our paid content immediately: |
No Thanksgiving content, but look for news updates
By Brian Livingston
All of us turkeys are taking a week off, so there won't be any new articles on our site or a new Windows Secrets Newsletter on Nov. 27, which is the Thanksgiving holiday in the United States.
Our next regular batch of content will appear on Dec. 4, but we may send out a short "news update" if anything important comes up in the meantime.
All readers get a free excerpt of 'Pleasure'
Don't be a victim of Sinowal, the super-Trojan
By Woody Leonhard
The sneaky "drive-by download" known as Sinowal has been, uh, credited with stealing more than 500,000 bank-account passwords, credit-card numbers, and other sensitive financial information.
This exploit has foiled antivirus software manufacturers time and again over the years, and it provides us in real time a look at the future of Windows infections.
Imagine a very clever keylogger sitting on your system, watching unobtrusively as you type, kicking in and recording your keystrokes only when you visit one of 2,700 sensitive sites. The list is controlled by the malware's creators and includes many of the world's most popular banking and investment services.
That's Sinowal, a super-Trojan that uses a technique called HTML injection to put ersatz information on your browser's screen. The bad info prompts you to type an account number and/or a password. Of course, Sinowal gathers all the information and sends it back home — over a fancy, secure, encrypted connection, no less.
Washington Post journalist Brian Krebs wrote the definitive overview of Sinowal's criminal tendencies in his Oct. 31, 2008, column titled "Virtual Heist Nets 500,000+ Bank, Credit Accounts" — a headline that's hard to ignore. Krebs cites a detailed analysis by RSA's FraudAction Research Lab: "One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts."
Sinowal has been around for many years. (Most virus researchers nowadays refer to Sinowal as "Mebroot," but Sinowal is the name you'll see most often in the press. Parts of the old Sinowal went into making Mebroot. It isn't clear whether the same programmers who originally came up with Sinowal are also now working on Mebroot. Mebroot's the current villain.)
Microsoft's Robert Hensing and Scott Molenkamp blogged about the current incarnation of Sinowal/Mebroot back in January. RSA has collected data swiped by Sinowal/Mebroot infections dating to 2006. EEye Digital Security demonstrated its "BootRoot" project — which contains several elements similar to Sinowal/Mebroot — at the Black Hat conference in July 2005.
That's a long, long lifespan for a Trojan. It's important for you to know how to protect yourself.
A serious infection most antivirus apps miss
I haven't even told you the scariest part yet.
Sinowal/Mebroot works by infecting Windows XP's Master Boot Record (MBR) — it takes over the tiny program that's used to boot Windows. MBR infections have existed since the dawn of DOS. (You'd think that Microsoft would've figured out a way to protect the MBR by now — but you'd be wrong.)
Vista SP1 blocks the simplest MBR access, but the initial sectors are still programmatically accessible, according to a highly technical post by GMER, the antirootkit software manufacturer.
The key to Sinowal/Mebroot's "success" is that it's so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn't run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn't start until 10 minutes after that.
Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process. Peter Kleissner, Software Engineer at Vienna Computer Products, has posted a detailed analysis of the infection method and the intricate interrupt-hooking steps, including the timing and the machine code for the obfuscated parts.
Once Sinowal/Mebroot is in your system, the Trojan runs stealthily, loading itself in true rootkit fashion before Windows starts. The worm flies under the radar by running inside the kernel, the lowest level of Windows, where it sets up its own network communication system, whose external data transmissions use 128-bit encryption. The people who run Sinowal/Mebroot have registered thousands of .com, .net, and .biz domains for use in the scheme.
Wait, there's more: Sinowal/Mebroot cloaks itself entirely and uses no executable files that you can see. The changes it makes to the Registry are very hard to find. Also, there's no driver module in the module list, and no Sinowal/Mebroot-related svchost.exe or rundll32.exe processes appear in the Task Manager's Processes list.
Once Sinowal/Mebroot has established its own internal communication software, the Trojan can download and run software fed to it by its creators. Likewise, the downloaded programs can run undetected at the kernel level.
Sinowal/Mebroot isn't so much a Trojan as a parasitic operating system that runs inside Windows.
Windows XP users are particularly vulnerable
So, what can you do to thwart this menace? Your firewall won't help: Sinowal/Mebroot bypasses Windows' normal communication routines, so it works outside your computer's firewall.
Your antivirus program may help, for a while. Time and time again, however, Sinowal/Mebroot's creators have modified the program well enough to escape detection. AV vendors scramble to catch the latest versions, but with one or two new Sinowal/Mebroot iterations being released every month, the vendors are trying to hit a very fleet — and intelligent — target.
Peter Kleissner told me, "I think Sinowal has been so successful because it's always changing ... it is adjusting to new conditions instantly. We see Sinowal changing its infection methods and exploits all the time."
Similarly, you can't rely on rootkit scanners for protection. Even the best rootkit scanners miss some versions of Sinowal/Mebroot. (See Scott Spanbauer's review of free rootkit removers in May 22's Best Software column and Mark Edwards' review of rootkit-remover effectiveness in his May 22 PC Tune-Up column; paid subscription required for the latter.)
Truth be told, there is no single way to reliably protect yourself from Sinowal/Mebroot, short of disconnecting your computer from the Internet and not opening any files. But there are some historical patterns to the exploit that you can learn from.
First of all, most of the Sinowal/Mebroot infections I've heard about got into the afflicted PCs via well-known and already-patched security holes in Adobe Reader, Flash Player, or Apple QuickTime. These are not the only Sinowal/Mebroot infection vectors by a long shot, but they seem to be preferred by the Trojan's creators. You can minimize your risk of infection by keeping all of your third-party programs updated to the latest versions.
Windows Secrets associate editor Scott Dunn explained how to use the free Secunia Software Inspector service to test your third-party apps, and how to schedule a monthly check-up for your system, in his Sept. 6, 2007, column.
In addition, according to Peter Kleissner, Sinowal/Mebroot — at least in its current incarnation — doesn't infect Vista systems. Windows XP remains its primary target, because Vista's boot method is different and its User Account Control regime gets in the worm's way.
Don't look to your bank for Sinowal safeguards
So, you'd figure the banks and financial institutions being targeted by Sinowal/Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that's still harvesting accounts should send a shiver up any banker's spine.
I asked Rob Rosenberger about it, and he laughed. Rosenberger's one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.
"I'll be labeled a heretic for saying this, but ... from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.
"Banks have dealt with this kind of fraud for many, many decades," Rosenberger continued. "Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud."
If the bankers aren't going to take up the fight against Sinowal/Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.
In this particular case, the major AV packages have failed to detect Sinowal/Mebroot over and over again. It's hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they've left the barn, so to speak.
The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.
The only company that seems to be in a position to fix the Master Boot Record problem is Microsoft. But it's hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP's successors (I use the term lightly) don't appear to have the same flaw.
This is short-sighted, however. It's only a matter of time before Sinowal/Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.
If Microsoft decides to take on Sinowal/Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says "I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup."
As Peter Kleissner puts it, "I personally think most people behind the [Sinowal] code do not know what they have done. I would bet that more than half of the code was written by students around the world."
Kleissner's in a good position to judge. He's a student himself, 18 years old. I'm glad he's on our side.
Woody Leonhard's latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won't put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
A freebie really does streamline Windows startup
Windows Secrets associate editor Scott Dunn tested for his Nov. 6 Top Story several well-hyped utilities that he found of little value. Lest you think any program that makes speedup claims is snake oil, you should know that worthwhile system tools are out there, many of which are free. Reader Cecil Britton writes in to tell us about his favorite:
Flash cookies foil Comcast video playback
We received a tremendous volume of responses to Woody Leonhard's Nov. 6 column (paid content) on the threat that third-party Flash Player cookies pose to your Web privacy. For some readers, the Flash cookies were more than a nuisance — they were a show-stopper. Wayne Wert was one of several Comcast customers we heard from:
Microsoft clarifies its support policy for XP
Associate editor Stuart Johnston stated in his Top Story last week that Microsoft has extended free support for Windows XP beyond the standard five years after the product's initial release. Microsoft spokesperson Katie Fazzolari sent in the following clarification:
It's been almost two years since Microsoft sold Windows XP at retail in the United States. Copies of XP that were sold to consumers by PC makers are supposed to be supported by those manufacturers. The question is whether PC users will truly get the support they need when they have XP-related problems in the years to come.
Richard Chase of Gadget's Computers & Electronics in Sundre, Alberta, Canada, reminds us that help with XP glitches may be closer than you think:
WACKY WEB WEEK
I'll call you back, I'm about to hit a dead zone
Use these permalinks to share info with friends
We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam" and corporate filters start blocking our e-mails.)
The following link includes all articles this week: http://WindowsSecrets.com/comp/081120
Free content posted on Nov. 20, 2008:
You get all of the following in our paid content:
The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.
Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).
Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Associate Editors: Scott Dunn, Stuart J. Johnston. Program Director: Tony Johnston. Program Manager: Ryan Biesemeyer. Web Developer: Damian Wadley. Editorial Assistant: Katy Abby. Copyeditor: Roberta Scholz. Chief Marketing Officer: Jake Ludington. Contributing Editors: Susan Bradley, Mark Joseph Edwards, Woody Leonhard, Ryan Russell, Scott Spanbauer, Becky Waring.
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.
YOUR SUBSCRIPTION PREFERENCES (change your preferences):
Delivery address: firstname.lastname@example.org
Alternate address: email@example.com
ZIP or postal code: L3B 5N5
Reader number: 35034-18272
Bounce count: 0
Your bounce count is the number of times your server has bounced a newsletter back to us since the last time you visited your preferences page. We cannot send newsletters to you after your bounce count reaches 3, due to ISP policies. If your bounce count is higher than 0 or blank, please visit your preferences page. This automatically resets your bounce count to 0.
To change your preferences: Please visit your preferences page.
To access all past issues: Please visit our past issues page.
To upgrade your free subscription to paid: Please visit our upgrade page.
To resend a missed newsletter to yourself: If your mail server filtered out a newsletter, you can resend the current week's issue to yourself. To do so, visit your preferences page and use the Resend link.
To get subscription help by e-mail (fastest method): Visit our contact page. Subscription help by facsimile: 206-282-6312 (fax). Emergency subscription help by phone: 206-282-2536 (24 hours).
HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.
WE GUARANTEE YOUR PRIVACY:
1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
HOW TO UNSUBSCRIBE: To unsubscribe firstname.lastname@example.org from the Windows Secrets Newsletter,