Kaspersky Lab Neutralizes New Variant of the Sinowal Rootkit

May 1, 2009

Kaspersky Lab Neutralizes New Variant of the Sinowal Rootkit

Woburn, MA - May 18, 2009 - Kaspersky Lab, a leading developer of Internet threat management solutions that protect against all forms of malicious software, has implemented detection and treatment for a new variant of a unique MBR rootkit, Sinowal. The new variant of Sinowal, a malicious program that is capable of hiding its presence in the computer system by infecting the Master Boot Record (MBR) on the hard drive, was detected at the end of March 2009. Over the last month Sinowal has been actively spreading from a number of malicious sites that use the Neosploit exploit toolkit.

What is the Neosploit exploit toolkit: The Neosploit toolkit is an advanced exploit toolkit that has automated tools for taking advantage of vulnerabilities in other applications.

Kaspersky Lab analysts have been monitoring the Sinowal bootkit since early 2008; however the new variant came unexpectedly. Unlike earlier versions, the new modification, Backdoor.Win32.Sinowal has these features:

It penetrates much deeper into the system to avoid being detected
A stealth method that hooks into device objects at the operating system's lowest level
Sinowal conceals the payload's activities, which are designed to steal user data and various account details
It can penetrate a system through a vulnerability in Adobe Acrobat and Reader, which allows a maliciously rigged PDF file to plant malware on a system without the user's knowledge.

This is the first time cybercriminals have used such sophisticated technologies. It also explains why no antivirus products could treat computers infected or even detect the new Sinowal modification when it first appeared. Implementing detection and treatment for Sinowal has been one of the toughest jobs facing antivirus researchers.

Detection and Treatment

To find out whether or not Sinowal has infected a computer, users must update their antivirus databases and perform a complete system scan. If Sinowal is detected, the computer will need to be rebooted during the treatment process. Kaspersky Lab specialists also recommend that users install all the necessary patches in Adobe Acrobat and Reader and any browsers that they use to secure any potential vulnerabilities.

Adobe Acrobat and Reader Patch: http://www.adobe.com/support/security/bulletins/apsb09-04.html

About Kaspersky Lab

Kaspersky Lab seeks to deliver the world's most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. Kaspersky Lab products provide superior detection rates and very fast outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is used worldwide inside the products and services of the industry's leading IT security solution providers. Learn more at http://www.kaspersky.com/. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit http://www.viruslist.com/.

Kaspersky Contacts:

Christen Rice

Kaspersky Lab

P: + 1 781 503 2625

E: christen.rice@kaspersky.com

###

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Kaspersky Lab Neutralizes New Variant of the Sinowal Rootkit

Kaspersky Lab Neutralizes New Variant of the Sinowal Rootkit

About Kaspersky

Related Articles Press Releases

Kaspersky statement on compliance in the U.S. following ICTS Final Determination

Quadrant Knowledge Solutions grants Leader status to Kaspersky Threat Intelligence

SMB malware infections rising amid resurgence of attacks leveraging Microsoft Excel, Kaspersky reports

Kaspersky introduces new Windows digital forensics online cybersecurity training

Kaspersky statement on the company leadership inclusion on the sanctions list by the Department of the Treasury’s Office of Foreign Assets Control (OFAC)

Kaspersky Statement on the U.S. Commerce Department Determination

Kaspersky introduces Kaspersky Cloud Workload Security ecosystem

Kaspersky studies 193 million passwords, finds 45% could be cracked in less than a minute

Kaspersky opens CFP for 2024 Security Analyst Summit

Kaspersky releases enhanced apps for iOS and Android