ABSTRACT

The Torpig Group, Part 1: Exploit Server and Master Boot Record Rootkit*

Executive Summary

The iDefense Malicious Code Operations team has conducted extensive research into the group responsible for carrying out attacks with the Torpig Trojan horse. This code, also known as Sinowal, is one of the most comprehensive phishing Trojans to date. It targets more than 900 URLs, including nearly every iDefense financial-sector customer. While analysts were writing this article, a private forum revealed details about a Trojan utilizing a master boot record (MBR) rootkit, which has rightfully gained widespread media attention. iDefense analysts discovered that they had obtained a debugging version of this rootkit on December 20, 2007, among thousands of files obtained in a backup archive of a Torpig server. Mitigation is still limited, but customers should be aware of this type of rootkit, as it may be very difficult to diagnose in a corporate environment and will likely pose a severe threat in the upcoming year.