Botnet hijacking reveals 70GB of stolen data
Torpig uncovered
Security researchers have managed to infiltrate the Torpig botnet, a feat that allowed them to gain important new insights into one of the world's most notorious zombie networks by collecting an astounding 70 GB worth of data stolen in just 10 days.
During that time, Torpig bots stole more than 8,300 credentials used to log in to 410 different financial institutions, according to the research team from the University of California at Santa Barbara. More than 21 percent of the accounts belonged to PayPal users. Overall, a total of almost 298,000 unique credentials were intercepted from more than 52,000 infected machines.
One of the secrets behind the unusually large haul is Torpig's ability to siphon credentials from a large number of computer programs. After wrapping its tentacles around Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and 26 other applications, Torpig constantly monitors every keystroke entered into them. Every 20 minutes, the malware automatically uploads new data to servers controlled by the authors. Because the software runs at such a low level, it is able to intercept passwords before they may be encrypted by secure sockets layer or other programs.
The researchers were able to hijack the botnet by exploiting weaknesses in the way it updates the master control channels used to send individual machines new instructions. So-called domain flux techniques periodically generate a large list of domain names infected machines are to report to. Typically, the botnet operators use only one address, and all the others are ignored.
The researchers infiltrated the network by registering one of the domains on the list and using it to seize control of the infected machines that reported to it. They were then able to monitor the botnet's behavior over the next 10 days, until the operators were able to regain control using a backdoor that was built into each infected machine.
In all, the researchers counted more than 180,000 infected PCs that connected from 1.2 million IP addresses. The data underscores the importance of choosing the right methodology for determining the actual size of a botnet and, specifically, not equating the number of unique IP addresses with the number of zombies. "Taking this value as the botnet size would overestimate the actual size by an order of magnitude," they caution.
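To show how the counting choice changes the answer, here is an added example (not code from the article or from the UCSB paper) that walks a constructed set of sinkhole check-in lines and compares unique source IPs with unique bot identifiers; the `nid` field is a constructed stand-in for the per-machine identifier a bot reports, and the check-in gaps illustrate the 20-minute upload cadence described above.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole check-in log (sample data, not from the UCSB paper).
# "nid" is a constructed stand-in for the per-machine identifier a bot sends.
SINKHOLE_LOG = """\
2009-01-25T10:00:00 src=203.0.113.10 nid=bot-0001
2009-01-25T10:20:00 src=203.0.113.11 nid=bot-0001
2009-01-25T10:40:00 src=203.0.113.12 nid=bot-0001
2009-01-25T11:00:00 src=198.51.100.7 nid=bot-0002
2009-01-25T11:20:00 src=198.51.100.7 nid=bot-0003
2009-01-26T09:00:00 src=192.0.2.44 nid=bot-0002
2009-01-26T09:20:00 src=192.0.2.44 nid=bot-0002
"""

def parse_checkins(text):
    """Parse 'timestamp src=IP nid=ID' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, nid = line.split()
        records.append({"ts": datetime.fromisoformat(ts),
                        "ip": src.split("=", 1)[1],
                        "nid": nid.split("=", 1)[1]})
    return records

def size_estimates(records):
    """(unique IPs, unique bot IDs): the IP count is the figure the paper warns
    against, because DHCP churn lets one bot appear under several addresses,
    while NAT can hide several bots behind one."""
    return len({r["ip"] for r in records}), len({r["nid"] for r in records})

def ips_per_bot(records):
    """How many distinct source addresses each bot ID was seen from."""
    seen = defaultdict(set)
    for r in records:
        seen[r["nid"]].add(r["ip"])
    return {nid: len(ips) for nid, ips in seen.items()}

def checkin_gaps_minutes(records):
    """Minutes between successive check-ins per bot; a steady gap (20 min for
    Torpig, per the article) is the beacon pattern a sinkhole or proxy log shows."""
    by_bot = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_bot[r["nid"]].append(r["ts"])
    return {nid: [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
            for nid, ts in by_bot.items()}
```

On the sample, five addresses but only three bots: the IP-based count is already inflated, and the one NAT'd address hides two machines.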
Torpig, which also goes by the names Sinowal and Anserin, is distributed through Mebroot, a rootkit that takes hold of a computer by rewriting the hard drive's master boot record. As a result, Mebroot is executed during the early stages of a PC's boot process, allowing it to bypass anti-virus and other security software.
By infiltrating Torpig, the researchers were able to become flies on the wall that could watch infected users as they unwittingly handed over sensitive login credentials. One victim, an agent for an at-home, distributed call center, transmitted no fewer than 30 credit card numbers, presumably belonging to customers, the researchers guessed.
The report (PDF) also documented an epidemic of lax password policy. Almost 28 percent of victims reused their passwords, it found. More than 40 percent of passwords could be guessed in 75 minutes or less using the popular John the Ripper password cracking program.
COMMENTS
KeePass
@AC 05/05/09:13:01
I can highly recommend KeePass for password management. I have recently started with it and as long as you have a secure enough master password you need never remember any other passwords again. I may be preaching to the converted but this allows you to store your passwords in a secure file and to access the file you need the master password.
This has a couple of added benefits. One, you can create a different secure password for every website you visit without having to remember it. Two, you can avoid keyloggers by copying and pasting your password from KeePass to the password field.
I have encountered a few downsides. One is forgetting your master password. Two, saving your master password anywhere but your brain. That master password becomes super critical. Three, having to take KeePass with you when out and about on different machines. Four, if you are at a different machine that doesn't allow a portable USB device to be attached (for portable KeePass) you are a bit screwed.
Now, how do you get Joe Bloggs out on the street interested in this?
Passwords for the "real thick" III
Multiple passwords are easy if you adopt a "convention" for creating them. For websites, as an example, you can just use the first six letters of the domain interlaced with ascending numbers: e.g. t0h1e2r3e4g5 for The Register. This way, you have an easily remembered password that's both unique to each site and a complete bastard to crack in every case. Alternatively, you can use the domain name with vowels replaced with numbers, 1337-speak style, like this: th3r3g1st3r. I myself adopted a similar type of convention that I use everywhere I go.
For mobile phones, Blackberries, PDAs and such items, you can do a similar thing using the device's brand name: e.g. n0o1k2i3a4 or n0k1a.
However you do it, the important thing is to adopt a specific convention and stick with it (and don't reveal what convention you actually use to anyone, just as you wouldn't reveal a password!). That way, you only have to remember the convention, not the password.
Of course, this doesn't defend you against keyloggers any better than using "password" as your password everywhere, but having a different password for every website prevents any particular site's operators/hackers from getting an idea of what you sign in to other websites with.
Tat Bazaar
Wanna buy a cheap HD from the tat bazaar? How do you know it is not infected? How about that returned drive heavily discounted at the local computer store/front? Or the used PC "with XP Pro already installed"?!
Why don't the paranoid tote around Ironkeys or similar devices to help with the hundreds of passphrases we all seem to need? (well, OK, some of us do).
How about running a brouter with Ethereal to sniff the traffic and see who and what your PC is talking to? Wot? Too hard to dust off that worthless PC in the closet and pop in a couple of NICs and Linux?
Of course the botnets will flourish as long as the net is infested with buffoons and ignoranti; at least that protects most people with even a hint of any sense. For now anyway.