Thursday, November 20, 2008

Don't be a victim of Sinowal, the super-Trojan [Newsletter Comp Version]


Windows Secrets Newsletter • Issue 176 • 2008-11-20 • Circulation: over 400,000


Use these techniques to ease holiday stress
In her new book, One Year to an Organized Work Life, Regina Leeds shows how you can turn time into your ally. In this exclusive excerpt, available from Windows Secrets only until Dec. 17, she provides four exercises that demonstrate how the holiday month of December can actually be used to get your workplace under control.

This bonus download is available only to paid subscribers or to free subscribers who upgrade to receive Windows Secrets' paid version. Simply update the entries on your preferences page and a link to download our PDF e-book bonus will appear. Thanks! —Brian Livingston, editorial director





No Thanksgiving content, but look for news updates

By Brian Livingston

All of us turkeys are taking a week off, so there won't be any new articles on our site or a new Windows Secrets Newsletter on Nov. 27, which is the Thanksgiving holiday in the United States.

Our next regular batch of content will appear on Dec. 4, but we may send out a short "news update" if anything important comes up in the meantime.

All readers get a free excerpt of 'Pleasure'

As often as possible, Windows Secrets licenses some new content that all of our readers can download and enjoy at no cost. This month, our bonus download reveals hidden motivations that operate beneath the level of our conscious mind.

Our exclusive excerpt of The Pleasure Instinct: Why We Crave Adventure, Chocolate, Pheromones, and Music explains why everything from the smell of cocoa to a whiff of an expensive perfume moves us in unexpected ways.

The printed book won't be available in stores until mid-December, but you can get our PDF e-book excerpt now through Dec. 3, 2008. Simply visit your preferences page, update your entries, press the Save button, and a download link will appear. Thanks for your support!


Brian Livingston is editorial director of Windows Secrets and co-author of Windows Vista Secrets and 10 other books.





Don't be a victim of Sinowal, the super-Trojan

By Woody Leonhard

The sneaky "drive-by download" known as Sinowal has been, uh, credited with stealing more than 500,000 bank-account passwords, credit-card numbers, and other sensitive financial information.

This exploit has foiled antivirus software manufacturers time and again over the years, and it provides us in real time a look at the future of Windows infections.

Imagine a very clever keylogger sitting on your system, watching unobtrusively as you type, kicking in and recording your keystrokes only when you visit one of 2,700 sensitive sites. The list is controlled by the malware's creators and includes many of the world's most popular banking and investment services.

That's Sinowal, a super-Trojan that uses a technique called HTML injection to put ersatz information on your browser's screen. The bad info prompts you to type an account number and/or a password. Of course, Sinowal gathers all the information and sends it back home — over a fancy, secure, encrypted connection, no less.

Washington Post journalist Brian Krebs wrote the definitive overview of Sinowal's criminal tendencies in his Oct. 31, 2008, column titled "Virtual Heist Nets 500,000+ Bank, Credit Accounts" — a headline that's hard to ignore. Krebs cites a detailed analysis by RSA's FraudAction Research Lab: "One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts."

Sinowal has been around for many years. (Most virus researchers nowadays refer to Sinowal as "Mebroot," but Sinowal is the name you'll see most often in the press. Parts of the old Sinowal went into making Mebroot. It isn't clear whether the same programmers who originally came up with Sinowal are also now working on Mebroot. Mebroot's the current villain.)

Microsoft's Robert Hensing and Scott Molenkamp blogged about the current incarnation of Sinowal/Mebroot back in January. RSA has collected data swiped by Sinowal/Mebroot infections dating to 2006. EEye Digital Security demonstrated its "BootRoot" project — which contains several elements similar to Sinowal/Mebroot — at the Black Hat conference in July 2005.

That's a long, long lifespan for a Trojan. It's important for you to know how to protect yourself.

A serious infection most antivirus apps miss

I haven't even told you the scariest part yet.

Sinowal/Mebroot works by infecting Windows XP's Master Boot Record (MBR) — it takes over the tiny program that's used to boot Windows. MBR infections have existed since the dawn of DOS. (You'd think that Microsoft would've figured out a way to protect the MBR by now — but you'd be wrong.)

Vista SP1 blocks the simplest MBR access, but the initial sectors are still programmatically accessible, according to a highly technical post by GMER, the antirootkit software manufacturer.

The key to Sinowal/Mebroot's "success" is that it's so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn't run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn't start until 10 minutes after that.

Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process. Peter Kleissner, Software Engineer at Vienna Computer Products, has posted a detailed analysis of the infection method and the intricate interrupt-hooking steps, including the timing and the machine code for the obfuscated parts.

Once Sinowal/Mebroot is in your system, the Trojan runs stealthily, loading itself in true rootkit fashion before Windows starts. The worm flies under the radar by running inside the kernel, the lowest level of Windows, where it sets up its own network communication system, whose external data transmissions use 128-bit encryption. The people who run Sinowal/Mebroot have registered thousands of .com, .net, and .biz domains for use in the scheme.

Wait, there's more: Sinowal/Mebroot cloaks itself entirely and uses no executable files that you can see. The changes it makes to the Registry are very hard to find. Also, there's no driver module in the module list, and no Sinowal/Mebroot-related svchost.exe or rundll32.exe processes appear in the Task Manager's Processes list.

Once Sinowal/Mebroot has established its own internal communication software, the Trojan can download and run software fed to it by its creators. Likewise, the downloaded programs can run undetected at the kernel level.

Sinowal/Mebroot isn't so much a Trojan as a parasitic operating system that runs inside Windows.
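As an added illustration of the MBR-level infection the column describes (this is not code from Windows Secrets or from any of the researchers cited), the following Python script baselines the boot-code region of a 512-byte Master Boot Record and flags the bootkit pattern: boot code replaced while the partition table is unchanged, so the PC still boots normally. It assumes the standard MBR layout (446 bytes of boot code, a 64-byte partition table, the 0x55AA signature); the two sample images are constructed, and `read_mbr` is only for use against a real disk with administrator rights.

```python
"""Baseline-and-compare check for a 512-byte Master Boot Record (added example)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow
SIGNATURE_OFFSET = 510          # 0x55 0xAA terminates a valid MBR


@dataclass(frozen=True)
class Partition:
    bootable: bool
    part_type: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table entries; raises if the image is malformed."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue                      # empty slot
        entries.append(Partition(status == 0x80, ptype, lba, count))
    return entries


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is excluded."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def compare_to_baseline(baseline: bytes, current: bytes) -> dict:
    """Report what differs between a known-clean MBR image and the current one."""
    return {
        "boot_code_changed": boot_code_digest(baseline) != boot_code_digest(current),
        "partition_table_changed": parse_partitions(baseline) != parse_partitions(current),
    }


def classify(report: dict) -> str:
    """Turn the comparison into a verdict a defender can act on."""
    code, table = report["boot_code_changed"], report["partition_table_changed"]
    if code and not table:
        # Bootkit pattern: new boot code, partitions untouched so the machine still boots.
        return "SUSPECT: boot code replaced while partition table is unchanged"
    if code and table:
        return "CHANGED: boot code and partitions differ; re-baseline if a reinstall was expected"
    if table:
        return "NOTICE: partition table edited, boot code intact"
    return "OK"


def read_mbr(device: str) -> bytes:
    """Read sector 0 of a raw device (not exercised by the sample run below)."""
    # Windows: r"\\.\PhysicalDrive0" as Administrator; Linux: "/dev/sda" as root.
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR image from boot code and (bootable, type, lba, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + table + b"\x55\xaa"


# Constructed sample images (not real disk captures): one XP-style NTFS partition
# starting at sector 63. The second image has different boot code but the same table.
SAMPLE_TABLE = [(True, 0x07, 63, 41_929_587)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", SAMPLE_TABLE)
BOOTCODE_REPLACED_MBR = build_mbr(b"\xeb\x3c\x90CONSTRUCTED-DIFFERENT-CODE", SAMPLE_TABLE)

if __name__ == "__main__":
    print("clean vs clean   :", classify(compare_to_baseline(CLEAN_MBR, CLEAN_MBR)))
    print("clean vs replaced:", classify(compare_to_baseline(CLEAN_MBR, BOOTCODE_REPLACED_MBR)))
```

Store the baseline digest from a freshly installed machine and re-run the comparison on a schedule; a "SUSPECT" verdict is the cue to image the disk offline rather than trust tools running inside the possibly rootkitted Windows.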

Windows XP users are particularly vulnerable

So, what can you do to thwart this menace? Your firewall won't help: Sinowal/Mebroot bypasses Windows' normal communication routines, so it works outside your computer's firewall.

Your antivirus program may help, for a while. Time and time again, however, Sinowal/Mebroot's creators have modified the program well enough to escape detection. AV vendors scramble to catch the latest versions, but with one or two new Sinowal/Mebroot iterations being released every month, the vendors are trying to hit a very fleet — and intelligent — target.

Peter Kleissner told me, "I think Sinowal has been so successful because it's always changing ... it is adjusting to new conditions instantly. We see Sinowal changing its infection methods and exploits all the time."

Similarly, you can't rely on rootkit scanners for protection. Even the best rootkit scanners miss some versions of Sinowal/Mebroot. (See Scott Spanbauer's review of free rootkit removers in May 22's Best Software column and Mark Edwards' review of rootkit-remover effectiveness in his May 22 PC Tune-Up column; paid subscription required for the latter.)

Truth be told, there is no single way to reliably protect yourself from Sinowal/Mebroot, short of disconnecting your computer from the Internet and not opening any files. But there are some historical patterns to the exploit that you can learn from.

First of all, most of the Sinowal/Mebroot infections I've heard about got into the afflicted PCs via well-known and already-patched security holes in Adobe Reader, Flash Player, or Apple QuickTime. These are not the only Sinowal/Mebroot infection vectors by a long shot, but they seem to be preferred by the Trojan's creators. You can minimize your risk of infection by keeping all of your third-party programs updated to the latest versions.

Windows Secrets associate editor Scott Dunn explained how to use the free Secunia Software Inspector service to test your third-party apps, and how to schedule a monthly check-up for your system, in his Sept. 6, 2007, column.

In addition, according to Peter Kleissner, Sinowal/Mebroot — at least in its current incarnation — doesn't infect Vista systems. Windows XP remains its primary target, because Vista's boot method is different and its User Account Control regime gets in the worm's way.

Don't look to your bank for Sinowal safeguards

So, you'd figure the banks and financial institutions being targeted by Sinowal/Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that's still harvesting accounts should send a shiver up any banker's spine.

I asked Rob Rosenberger about it, and he laughed. Rosenberger's one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.

"I'll be labeled a heretic for saying this, but ... from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.

"Banks have dealt with this kind of fraud for many, many decades," Rosenberger continued. "Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud."

If the bankers aren't going to take up the fight against Sinowal/Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.

In this particular case, the major AV packages have failed to detect Sinowal/Mebroot over and over again. It's hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they've left the barn, so to speak.

The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.

The only company that seems to be in a position to fix the Master Boot Record problem is Microsoft. But it's hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP's successors (I use the term lightly) don't appear to have the same flaw.

This is short-sighted, however. It's only a matter of time before Sinowal/Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.

If Microsoft decides to take on Sinowal/Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says "I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup."

As Peter Kleissner puts it, "I personally think most people behind the [Sinowal] code do not know what they have done. I would bet that more than half of the code was written by students around the world."

Kleissner's in a good position to judge. He's a student himself, 18 years old. I'm glad he's on our side.

Woody Leonhard's latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won't put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.





A freebie really does streamline Windows startup

By Dennis O'Reilly

Many tools make dubious claims about boosting PC performance, but some utilities actually do trim Windows' boot time.

One example is a free program from the person who brought us the popular Process Explorer troubleshooting tool.

Windows Secrets associate editor Scott Dunn tested for his Nov. 6 Top Story several well-hyped utilities that he found of little value. Lest you think any program that makes speedup claims is snake oil, you should know that worthwhile system tools are out there, many of which are free. Reader Cecil Britton writes in to tell us about his favorite:
  • "I read Scott's great column on the relative worthlessness of commercial speedup utilities for Windows, and I completely agree with his assessment of that type of software. While he didn't go into it, I think he'll find that many of these same products can actually do more harm than good to a working system.

    "My real comment on the column has to do with Scott's recommendation on good, free utilities that control Windows startup programs. Scott mentioned Mike Lin's excellent little Startup Control Panel, which I personally used for several years and found to be an essential tool in easily controlling Windows' startup behavior.

    "I have since found that I get far more control by using Sysinternals' nice little Autoruns utility (Microsoft/Mark Russinovich). I know this program is probably suited to more sophisticated users than Startup Control Panel [is], but it gives the technically competent user far more control over all types of startup components than does SCP."

Autoruns has been around for years — the current version is 9.35 and is available from a Microsoft download page — but it shows that when it comes to useful system tools, newness isn't all it's cracked up to be.

Flash cookies foil Comcast video playback

We received a tremendous volume of responses to Woody Leonhard's Nov. 6 column (paid content) on the threat that third-party Flash Player cookies pose to your Web privacy. For some readers, the Flash cookies were more than a nuisance — they were a show-stopper. Wayne Wert was one of several Comcast customers we heard from:
  • "I wanted to express my thanks to Mr. Woody Leonhard for his article on Adobe's 'cookies.' After reading an earlier article about this problem, I had reset my Adobe settings to try to increase the security on my computer.

    "I soon found that Comcast's Fan (video clips) would not work, but when clicking the blank page and bringing up Adobe, the site implied that all was well. In addition, I could go to any other site that used Adobe [Flash], and it worked properly. Even Comcast's other sites, such as old TV programs and such, worked very well, so I assumed that the problem must be elsewhere — other than Adobe.

    "Today, I was getting ready to call Comcast's trouble line and try to rectify the problem, but I first read Mr. Leonhard's article. I reset Adobe's settings to allow almost everything and found that the Fan then worked. I reset the categories one by one to get the maximum security I could without preventing the Fan from working.

    "I found that I had to allow third-party cookies, as reported in the Windows Secrets article, but I could set stored content to 0 (zero) and the Fan still played. I think that I achieved maximum security, thanks to Mr. Leonhard's article."

The good thing about nuisances such as third-party cookies is that there's usually a workaround.

Microsoft clarifies its support policy for XP

Associate editor Stuart Johnston stated in his Top Story last week that Microsoft has extended free support for Windows XP beyond the standard five years after the product's initial release. Microsoft spokesperson Katie Fazzolari sent in the following clarification:
  • "You claim that the end of Microsoft's mainstream support phase is 'coming more than two years later than is typical.' Actually, the Microsoft Support Lifecycle policy states that mainstream support is available for five years after the product is released or two years after the successor product is released, whichever is longer. In XP's case, Vista was released in early 2007, starting the two-year clock for the end of XP mainstream support, which ends in early 2009, right on schedule.

    "Also, I just want to clarify again that XP users who are buying a new PC with that operating system installed will receive support from their OEM, not Microsoft."

XP was first shipped in late 2001, so the five-year gap before Vista was released has had the effect of giving XP seven years of mainstream support rather than five. Stuart was pointing out that seven years is two years longer than the five years of mainstream support that other Windows versions typically enjoyed. Anyway, I'm glad Microsoft clarified the point.

It's been almost two years since Microsoft sold Windows XP at retail in the United States. Copies of XP that were sold to consumers by PC makers are supposed to be supported by those manufacturers. The question is whether PC users will truly get the support they need when they have XP-related problems in the years to come.

Richard Chase of Gadget's Computers & Electronics in Sundre, Alberta, Canada, reminds us that help with XP glitches may be closer than you think:
  • "Don't forget your local mom & pop shops. We've been using XP for years and will continue to do so. Any decent shop will help you out with warranty and any other Windows XP issues until it's finally tossed completely by 2014. Hell, we still service some Windows 2000 and even 98 and Me machines (although we discourage it). For the $59 that MS charges, you can get some good service elsewhere."

That's good advice, although somehow I just can't see my mom wearing a grounding wrist strap as she disassembles a motherboard.

Readers Cecil, Wayne, and Richard will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.


The Known Issues column brings you readers' comments on our recent articles. Dennis O'Reilly is technical editor of Windows Secrets.



I'll call you back, I'm about to hit a dead zone

By Katy Abby

Cell phones have become a relative social necessity. Most users have embraced some semblance of cell-phone etiquette in public. But we unwritten-rule-abiding citizens are too often plagued by obnoxious, inconsiderate users.

You know who they are. They're holding up the line at the coffee shop, disrupting business meetings, and ruining the ambience at your favorite restaurant. If only there were some way to mete out an appropriate punishment ...

Check out this hilarious commercial and watch a brazen offender get his just deserts. (As a public courtesy, kindly share it with any oblivious cell phone users in your life!)





The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Associate Editors: Scott Dunn, Stuart J. Johnston. Program Director: Tony Johnston. Program Manager: Ryan Biesemeyer. Web Developer: Damian Wadley. Editorial Assistant: Katy Abby. Copyeditor: Roberta Scholz. Chief Marketing Officer: Jake Ludington. Contributing Editors: Susan Bradley, Mark Joseph Edwards, Woody Leonhard, Ryan Russell, Scott Spanbauer, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2008 by LLC. All rights reserved.




Terms of Use

Personal & Educational Use Only. This blog consists mainly of FREE newsletters from computer web gurus that I receive. I thought you might like to see them all in one place rather than try to discover them on your own. A moderate amount of editing may be done to eliminate unrelated repetitious ads or unnecessary text which bloat the post. However, I have given the authors full credit and will not remove their site links, because you deserve to see where it comes from and they deserve to get credit for what they have written. Your use of this site is simply for educational purposes. For more computer-related help go to CPEDLEY.COM for free software, advice and tips on low-cost products which are very helpful. If you want to contact the editor, please go to CPEDLEY.COM and check the Contact page for the email address.