Endpoint
5/4/2009
02:55 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Take Over Dangerous Botnet

Computer scientists at the University of California-Santa Barbara expose details of infamous botnet known for stealing financial data after temporarily wresting control of it

A group of researchers at the University of California-Santa Barbara boldly hijacked a notorious botnet known for stealing financial information and discovered that the botnet is even more dangerous than had been thought.

Researchers at the University of California at Santa Barbara have published a report (PDF) that exposes details about how the infamous Torpig/Sinowal/Anserin botnet operates, its makeup, who it typically victimizes, and just what type of financial data it's stealing. The researchers seized control of the botnet for 10 days in late January, after which Torpig's operators reclaimed it.

"Torpig provided a unique opportunity to understand a live botnet. Most of the time, researchers only gain access to offline data, [such as] through a dropzone server that may be years old, while the data that we received was in real-time," says Brett Stone-Gross, one of the UCSB researchers.

While big-name botnets, like the former Storm, are best-known for their widespread spam runs and often dismissed as more of annoyance, it's the smaller, more stealthy botnets like Torpig that can pose real dangers. Torpig is a specialized mini-botnet -- a smaller and less conspicuous army that targets organizations and users to steal bank account information or other valuable personal information.

Torpig has been a hot subject for researchers for some time: RSA last October revealed that the so-called Sinowal Trojan, a.k.a. Torpig and Mebroot, had been stealing data for about three years, and had successfully swiped 300,000 online bank accounts, credit and debit card accounts, and an unknown number of email and FTP accounts. The botnet's malware "may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," researchers say.

Wresting Control
Torpig initially infects users via drive-by download attacks. Once a machine is infected, Torpig can unleash sneaky phishing attacks that generate phony but chillingly convincing-looking Web pages and forms that lure the user into giving up his credentials.

"These phishing attacks are very difficult to detect, even for attentive users. In fact, the injected content carefully reproduces the style and look-and-feel of the target Web site," the UCSD researchers wrote in their report. "Furthermore, the injection mechanism defies all phishing indicators included in modern browsers. For example, the SSL configuration appears correct, and so does the URL displayed in the address bar."

The Websites most commonly infected with Torpig? Pornography-oriented ones, Stone-Gross says.

The UCSB researchers say they wrested control of Torpig by turning the tables on the botnet's own advanced architecture: a system called domain flux, which rotates domain names, typically pointing to a single IP address. It's a distant cousin of fast-flux hosting, which uses a single domain name that maps to multiple IP addresses that rotate in a round-robin fashion to evade detection. "We registered the domain names before the infected machines were programmed to contact them. The botnet controllers had only registered a couple of the domains in advance," Stone-Gross says.

Stone-Gross and his colleagues then gained control of Torpig's C&C server (Mebroot has its own C&C server that can update the Torpig binary code). The botnet operators regained control of the botnet after Mebroot's controllers updated the Torpig binary. "As a result, the infected machines were redirected to different domains that we did not own," he says.

But the UCSB researchers were able to collect some 70 gigabytes of data during the 10 days they controlled the botnet, which they estimate was at about 182,914 machines. During that time, Torpig stole banking credentials of 8,310 accounts from more than 400 different financial institutions -- namely PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E-Trade (304), and Chase (217).

They also saw a large number of businesses with relatively small numbers of Torpig bots; 310 companies had 10 or fewer bots. But most of the bots were aimed at consumers. "The majority of victims are home users," Stone-Gross says.

Torpig also goes after browsing data of the victims for potential identity theft or other nefarious purposes, according to the researchers.

The researchers counted 1,660 different stolen credit and debit card accounts, 49 percent of which belonged to victims in the U.S., 12 percent from Italy, and 8 percent from Spain. Of the cards, 1,056 were Visa cards; 447, MasterCard; 81, American Express; 36, Maestro; and 24, Discover. In one case, the botnet stole 30 credit card numbers from a single victim, who turned out to be an agent for an at-home distributed call center.

"It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center's central database for order processing," according to the UCSB report.

Next: Are researchers tipping their hand? Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio