In a nutshell, here is what happened over the past few days.
During a presentation/demonstration of HitmanPro on Wednesday afternoon, we visited the NU.nl website (www.nu.nl) to explain our UTM ad blocking technology. With millions of visitors each day, NU.nl is one of the most visited websites in The Netherlands. During this demonstration, the website tried to infect us (and all its other visitors) with malware. Our security engineers investigated the infection, and it turned out that an exploit on NU.nl was silently installing the Sinowal banking trojan on the computers of its visitors. Cybercriminals had somehow been able to steal the login credentials of the CMS. We first informed NU.nl so they could remove the exploit from their website and prevent further infections.
Security specialist Fox-IT (www.foxit.nl) estimated that over 100,000 computers in The Netherlands were infected with the malware. The cybercriminals released the exploit during lunch hours, which is a peak time for the popular NU.nl news site.
The malware was a new, advanced variant of the Sinowal banking trojan that infects the Master Boot Record (MBR) and was able to deceive all known anti-virus programs (including HitmanPro, we have to admit). Since no solution existed, the HitmanPro development team worked around the clock to release an emergency update of HitmanPro on Thursday morning to remediate infected computers.
Cleaning an infected MBR from within a compromised computer is a complex task in itself, but it is not uncommon for HitmanPro.
Although this attack is now contained, we fear that this is not the end. The people behind this attack have not been caught and more of these sophisticated targeted attacks will follow.