Press Release

Kaspersky Lab Neutralizes New Variant of the Sinowal Rootkit

Woburn, MA - May 18, 2009 - Kaspersky Lab, a leading developer of Internet threat management solutions that protect against all forms of malicious software, has implemented detection and treatment for a new variant of a unique MBR rootkit, Sinowal. The new variant of Sinowal, a malicious program that is capable of hiding its presence in the computer system by infecting the Master Boot Record (MBR) on the hard drive, was detected at the end of March 2009. Over the last month Sinowal has been actively spreading from a number of malicious sites that use the Neosploit exploit toolkit.  

What is the Neosploit exploit toolkit:  The Neosploit toolkit is an advanced exploit toolkit that has automated tools for taking advantage of vulnerabilities in other applications.

Kaspersky Lab analysts have been monitoring the Sinowal bootkit since early 2008; however the new variant came unexpectedly. Unlike earlier versions, the new modification, Backdoor.Win32.Sinowal has these features:

  • It penetrates much deeper into the system to avoid being detected
  • A stealth method that hooks into device objects at the operating system's lowest level
  • Sinowal conceals the payload's activities, which are designed to steal user data and various account details
  • It can penetrate a system through a vulnerability in Adobe Acrobat and Reader, which allows a maliciously rigged PDF file to plant malware on a system without the user's knowledge.

This is the first time cybercriminals have used such sophisticated technologies. It also explains why no antivirus products could treat computers infected or even detect the new Sinowal modification when it first appeared. Implementing detection and treatment for Sinowal has been one of the toughest jobs facing antivirus researchers.

Detection and Treatment

To find out whether or not Sinowal has infected a computer, users must update their antivirus databases and perform a complete system scan. If Sinowal is detected, the computer will need to be rebooted during the treatment process. Kaspersky Lab specialists also recommend that users install all the necessary patches in Adobe Acrobat and Reader and any browsers that they use to secure any potential vulnerabilities.

Adobe Acrobat and Reader Patch: http://www.adobe.com/support/security/bulletins/apsb09-04.html

About Kaspersky Lab

Kaspersky Lab seeks to deliver the world's most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam.  Kaspersky Lab products provide superior detection rates and very fast outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is used worldwide inside the products and services of the industry's leading IT security solution providers. Learn more at http://www.kaspersky.com/. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit http://www.viruslist.com/.

Kaspersky Contacts:                                                      

Christen Rice              

Kaspersky Lab                                                                  

P: + 1 781 503 2625                                                          

E: christen.rice@kaspersky.com                               

###