Carnegie Mellon University


Torpig, also known as Sinowal or Anserin, is a Trojan horse program that affects Windows and is designed to capture sensitive information, such as credit card data, passwords, and login locations, from the victim's browsing activity. This infection is particularly dangerous because it targets personal and corporate financial information (accounts, credit cards, user logins) and can silently make computer users victims of identity theft.


The Torpig rootkit was originally developed in 2005, and it has evolved to evade detection by the host system and most antivirus and/or malware detection utilities. Torpig is a type of botnet, which is a network of infected computers commonly referred to as zombies. It uses another program called Mebroot to infect the system. Mebroot allows Torpig to install itself into the Master Boot Record (MBR), a section of the computer's data storage device (such as the hard disk), so that it can execute before the operating system is launched. Torpig then sets up communication with a command-and-control botnet via Hypertext Transfer Protocol (HTTP), using names of processes that already exist on the victim's computer (e.g. services.exe). Torpig hides its files and encrypts its logs, making it hard for an antivirus program or even a skilled user to detect the infection.
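As an added illustration that is not part of the original advisory: because the infection lives in the Master Boot Record, a defender can compare the MBR of a disk image against a known-good boot-code hash. The function names, the sample sectors and the baseline are constructed for this example, and it assumes the 512-byte sector was read from an image captured with trusted boot media, since the running host may not show the real contents.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold bootstrap code; 440..445 hold the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """List findings for an MBR compared with a known-good boot-code hash."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition marked bootable")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code plus one bootable NTFS partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 2048, 204800)
    return boot_code.ljust(446, b"\0") + entry + b"\0" * 48 + SIGNATURE


if __name__ == "__main__":
    clean = make_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 64)     # constructed bytes
    changed = make_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 64)   # constructed bytes
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print(check_mbr(clean, baseline), check_mbr(changed, baseline))
```

The hash covers only bytes 0 to 439, so the per-disk signature and the partition table do not cause false mismatches between machines that share the same boot code.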

The Torpig Trojan can be delivered in a variety of ways, and used to be attached to a phishing e-mail. Recently the Trojan has been installed when users visit, but do not click on, a web page with a malicious banner ad. The users who succumb to Torpig have older versions of Adobe software (Reader, Flash, Acrobat or Shockwave) and Java. The code behind the banner ad detects the old versions and redirects the browser to the Torpig download site. Most often, the user is completely unaware of the download. However, in order to install itself in the Master Boot Record, the Trojan will restart the computer. Therefore, if your computer restarts itself unexpectedly, and you happen to have an older version of Adobe or Java software, you should contact the Help Desk for assistance. Also, if you notice that your machine has rebooted for some reason other than a Microsoft patch, you should contact your IT Support Provider.

Measures of Protection

To reduce the risk of getting infected with Torpig, please follow these seven protective measures:

  1. Visit the Qualys Browser Check site, even if you believe your computer is patched. This site will check whether you have the latest, safe versions of Adobe Acrobat, Adobe Reader, Adobe Flash, and Sun Java and guide you through updating if needed.
  2. Avoid clicking on email attachments from people or groups you don't know. Visit Email security for more information.
  3. Keep all your Windows machine patches up-to-date.
  4. Upgrade to the latest version of Internet Explorer if possible.
  5. Update all Adobe programs to their latest versions. Adobe Flash, Adobe Reader, Adobe Shockwave and Adobe Acrobat can all trigger this exploit.
  6. Make sure your antivirus is updated with the latest virus definitions and is running.
  7. Use a separate browser like Safari, Firefox or Chrome for casual browsing and internet shopping.

The Information Security Office would like to know if you get the Torpig Trojan, especially if you process or access CMU restricted data on your office or home computer. Please contact or call our Hotline at 268-2044 and someone will get back to you.

