New variant of Sinowal rootkit

Kaspersky Lab has implemented detection and treatment for a new variant of a unique MBR rootkit, Sinowal. The new variant of Sinowal, a malicious program that is capable of hiding its presence in the computer system by infecting the Master Boot Record (MBR) on the hard drive, was detected at the end of March 2009.

Over the last month Sinowal has been actively spreading from a number of malicious sites that use the Neosploit exploit toolkit. Kaspersky Lab analysts have been monitoring the Sinowal rootkit since early 2008.

Unlike earlier versions, the new modification, Backdoor.Win32.Sinowal has these features:

• It penetrates much deeper into the system to avoid being detected
• A stealth method that hooks into device objects at the operating system’s lowest level
• Sinowal conceals the payload’s activities, which are designed to steal user data and various account details
• It can penetrate a system through a vulnerability in Adobe Acrobat and Reader, which allows a maliciously rigged PDF file to plant malware on a system without the user’s knowledge.

Implementing detection and treatment for Sinowal has been one of the toughest jobs facing antivirus researchers.

Detection and treatment

1. Users must update their antivirus databases and perform a complete system scan.
2. If Sinowal is detected, the computer will need to be rebooted during the treatment process.
3. Kaspersky Lab also recommends that users install all the necessary patches in Adobe Acrobat and Reader and any browsers that they use to secure any potential vulnerabilities.