Sinowal injects its own code into the web pages shown in the user's browser so that it can capture the relevant details when the browser user visits a page known to it. It is said to be able to recognize and react to the URLs of around 2700 international banks and providers of financial services. RSA says that precisely how it manages to infect systems cannot be traced. It is probably distributed via infected web sites, among other means, for example through MPack, a web-attack toolkit it exploited in mid-2007. Analyses by Kaspersky say it uses rootkit techniques in order to hide itself in a system, writing itself into the MBR of the hard disk so that it becomes active as soon as the computer is booted up.
RSA says the most remarkable feature of this trojan is that its authors have managed to maintain the communications infrastructure between the trojan and its database for as long as three years, registering several thousand domains to look after Sinowal's communications. Although the RSA report does not say so, the trojan probably uses what are known as fast-flux service networks.
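The fast-flux pattern mentioned above shows up in DNS as a domain that keeps changing its A records, spreads them across unrelated networks and hands out very short TTLs. The following is an added illustration of how a defender might score repeated lookups against those indicators; it is not code from the RSA or Kaspersky reports, the lookups are constructed sample data, and the thresholds are assumptions chosen for the illustration.

```python
"""Heuristic fast-flux scorer over a series of DNS lookup snapshots.

Added illustration, not taken from the RSA/Kaspersky analyses: scores a domain
on the classic fast-flux indicators (many distinct A records, spread across
many /16 networks, with very short TTLs) using constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Lookup:
    """One DNS response snapshot: the A records returned and their TTL in seconds."""
    addresses: tuple[str, ...]
    ttl: int


def fast_flux_score(lookups: list[Lookup], ttl_threshold: int = 300) -> dict:
    """Return fast-flux indicators for a sequence of lookups of one domain.

    distinct_ips:     unique A records seen across all lookups
    distinct_slash16: number of different /16 networks those records fall in
    short_ttl_ratio:  fraction of responses whose TTL is below ttl_threshold
    suspicious:       True when all three indicators point to fast-flux
    """
    ips = {ip for lk in lookups for ip in lk.addresses}
    # Bucket each address into its /16 so hosts on one provider count once.
    nets = {ip_network(f"{ip}/16", strict=False) for ip in ips}
    short = sum(1 for lk in lookups if lk.ttl < ttl_threshold)
    ratio = short / len(lookups) if lookups else 0.0
    # Assumed thresholds for the illustration: a handful of addresses in
    # several unrelated networks, mostly served with short TTLs.
    suspicious = len(ips) >= 5 and len(nets) >= 3 and ratio >= 0.5
    return {
        "distinct_ips": len(ips),
        "distinct_slash16": len(nets),
        "short_ttl_ratio": ratio,
        "suspicious": suspicious,
    }


# Constructed sample data: a stable domain answering from one network with
# long TTLs, and a fluxing domain whose answers rotate through many networks.
BENIGN_LOOKUPS = [
    Lookup(("10.9.1.1", "10.9.1.2"), 3600),
    Lookup(("10.9.1.1", "10.9.1.2"), 3600),
    Lookup(("10.9.1.1", "10.9.1.2"), 3600),
]

FLUX_LOOKUPS = [
    Lookup(("10.1.2.3", "10.2.2.3", "10.3.2.3"), 60),
    Lookup(("10.4.2.3", "10.5.2.3", "10.6.2.3"), 45),
    Lookup(("10.7.2.3", "10.8.2.3", "10.1.2.3"), 60),
]


if __name__ == "__main__":
    for name, lookups in (("benign", BENIGN_LOOKUPS), ("flux", FLUX_LOOKUPS)):
        print(name, fast_flux_score(lookups))
```

In practice the snapshots would come from periodic resolver queries or passive DNS logs for a domain of interest; the scorer only needs the returned addresses and TTLs, so it works equally well on historical records.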
The precise origin of Sinowal, and the identity of its present masters, can only be speculated on. It was originally thought to be operated by Russian criminals linked to the infamous Russian Business Network (RBN), but, since the infrastructure that supported the RBN is no longer in place, this is not now thought to be the case. RSA wants others to know the results of its observations, and says it has also informed the authorities responsible for investigating crime.