Threat behavior
Trojan:WinNT/Sinowal.F is a complex driver component associated with command and control functions and the advanced stealth features of the Win32/Sinowal family. WinNT/Sinowal.F may download other malware from a predefined Web site.
Win32/Sinowal is a family of password-stealing and backdoor trojans. These trojans may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) Web transactions. Some Win32/Sinowal components may also use advanced stealth functionality, or try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.
Installation
Trojan:WinNT/Sinowal.F is installed and executed by other variants of Win32/Sinowal. When executed, it creates temporary files in the %TEMP% folder such as the following:
%TEMP%\1.tmp
%TEMP%\2.tmp
This malware hooks system APIs to monitor keyboard input.
Payload
Bypasses antivirus monitoring of NTOSKRNL
Trojan:WinNT/Sinowal.F hooks the System Service Descriptor Table (SSDT) to bypass security or antivirus software monitoring of the Windows system file NTOSKRNL.EXE.
Allows backdoor access and control
Trojan:WinNT/Sinowal.F attempts outbound connections via HTTP to a predefined IP address to receive instructions from an attacker and/or to download and execute additional malicious software (malware).
Analysis by Tim Liu
Prevention