Feeds

Botnet hijacking reveals 70GB of stolen data

Torpig uncovered

The Power of One eBook: Top reasons to choose HP BladeSystem

Security researchers have managed to infiltrate the Torpig botnet, a feat that allowed them to gain important new insights into one of the world's most notorious zombie networks by collecting an astounding 70 GB worth of data stolen in just 10 days.

During that time, Torpig bots stole more than 8,300 credentials used to login to 410 different financial institutions, according to the research team from the University of California at Santa Barbara. More than 21 percent of the accounts belonged to PayPal users. Overall, a total of almost 298,000 unique credentials were intercepted from more than 52,000 infected machines.

One of the secrets behind the unusually large haul is Torpig's ability to siphon credentials from a large number of computer programs. After wrapping its tentacles around Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and 26 other applications, Torpig constantly monitors every keystroke entered into them. Every 20 minutes, the malware automatically uploads new data to servers controlled by the authors. Because the software runs at such a low level, it is able to intercept passwords before they may be encrypted by secure sockets layer or other programs.

The researchers were able to hijack the botnet by exploiting weaknesses in the way it updates the master control channels used to send individual machines new instructions. So-called domain flux techniques periodically generate a large list of domain names infected machines are to report to. Typically, the botnet operators use only one address, and all the others are ignored.

The researchers infiltrated the network by registering one of the domains on the list and using it to seize control of the infected machines that reported to it. They were then able to monitor the botnet's behavior over the next 10 days, until the operators were able to regain control using a backdoor that was built in to each infected machine.

In all, the researchers counted more than 180,000 infected PCs that connected from 1.2 million IP addresses. The data underscores the importance of choosing the right methodology for determining the actual size of a botnet and, specifically, not equating the number of unique IP addresses with the number of zombies. "Taking this value as the botnet size would overestimate the actual size by an order of magnitude," they caution.

Torpig, which also goes by the names Sinowal and Anserin, is distributed through Mebroot, a rootkit that takes hold of a computer by rewriting the hard drive's master boot record. As a result, Mebroot is executed during the early stages of a PC's boot process, allowing it to bypass anti-virus and other security software.

By infiltrating Torpig, the researchers were able to become flies on the wall that could watch infected users as they unwittingly handed over sensitive login credentials. One victim, an agent for an at-home, distributed call center, transmitted no fewer than 30 credit card numbers, presumably belonging to customers, the researchers guessed.

The report (PDF) also documented an epidemic of lax password policy. Almost 28 percent of victims reused their passwords, it found. More than 40 percent of passwords could be guessed in 75 minutes or less using the popular John the Ripper password cracking program. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.