Feeds

Botnet hijacking reveals 70GB of stolen data

Torpig uncovered

Security for virtualized datacentres

Security researchers have managed to infiltrate the Torpig botnet, a feat that allowed them to gain important new insights into one of the world's most notorious zombie networks by collecting an astounding 70 GB worth of data stolen in just 10 days.

During that time, Torpig bots stole more than 8,300 credentials used to login to 410 different financial institutions, according to the research team from the University of California at Santa Barbara. More than 21 percent of the accounts belonged to PayPal users. Overall, a total of almost 298,000 unique credentials were intercepted from more than 52,000 infected machines.

One of the secrets behind the unusually large haul is Torpig's ability to siphon credentials from a large number of computer programs. After wrapping its tentacles around Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and 26 other applications, Torpig constantly monitors every keystroke entered into them. Every 20 minutes, the malware automatically uploads new data to servers controlled by the authors. Because the software runs at such a low level, it is able to intercept passwords before they may be encrypted by secure sockets layer or other programs.

The researchers were able to hijack the botnet by exploiting weaknesses in the way it updates the master control channels used to send individual machines new instructions. So-called domain flux techniques periodically generate a large list of domain names infected machines are to report to. Typically, the botnet operators use only one address, and all the others are ignored.

The researchers infiltrated the network by registering one of the domains on the list and using it to seize control of the infected machines that reported to it. They were then able to monitor the botnet's behavior over the next 10 days, until the operators were able to regain control using a backdoor that was built in to each infected machine.

In all, the researchers counted more than 180,000 infected PCs that connected from 1.2 million IP addresses. The data underscores the importance of choosing the right methodology for determining the actual size of a botnet and, specifically, not equating the number of unique IP addresses with the number of zombies. "Taking this value as the botnet size would overestimate the actual size by an order of magnitude," they caution.

Torpig, which also goes by the names Sinowal and Anserin, is distributed through Mebroot, a rootkit that takes hold of a computer by rewriting the hard drive's master boot record. As a result, Mebroot is executed during the early stages of a PC's boot process, allowing it to bypass anti-virus and other security software.

By infiltrating Torpig, the researchers were able to become flies on the wall that could watch infected users as they unwittingly handed over sensitive login credentials. One victim, an agent for an at-home, distributed call center, transmitted no fewer than 30 credit card numbers, presumably belonging to customers, the researchers guessed.

The report (PDF) also documented an epidemic of lax password policy. Almost 28 percent of victims reused their passwords, it found. More than 40 percent of passwords could be guessed in 75 minutes or less using the popular John the Ripper password cracking program. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.