Windows 7: Continued Sinowal activity.

After one of my recent blog postings concerning the recent zero day IE vulnerability [1], I received a few questions and comments thanks to one of the comments I made:

Finally, and perhaps most worryingly, this type of advice feeds the “right now we have a problem, but as soon as the patch is available, we can relax” school of thought. Will the online world be significantly safer once this patch is available and widely deployed? Generally speaking, probably not.

The questions I received confirmed to me that this school of thought definitely exists. In this post, I will highlight one of the ongoing threats that justifies my statement - Sinowal (aka Mebroot) attacks.


I have posted several times before about Sinowal, highlighting:

• its use of the date in the algorithm to generate the domain to which compromised web pages will redirect.
• its use of Twitter trends JSON data as part of that algorithm.
• its use of complex PDF documents as part of the exploit kit to infect users with the payload(s).

The flow of a recent Sinowal attack is illustrated below (the identity of the legitimate, compromised .co.uk site is masked):