Researchers Take Over Dangerous Botnet
Computer scientists at the University of California-Santa Barbara expose details of infamous botnet known for stealing financial data after temporarily wresting control of it
A group of researchers at the University of California-Santa Barbara boldly hijacked a notorious botnet known for stealing financial information and discovered that the botnet is even more dangerous than had been thought.
Researchers at the University of California at Santa Barbara have published a report (PDF) that exposes details about how the infamous Torpig/Sinowal/Anserin botnet operates, its makeup, who it typically victimizes, and just what type of financial data it's stealing. The researchers seized control of the botnet for 10 days in late January, after which Torpig's operators reclaimed it.
More Security Insights
- A Smarter Approach: Inside IBM Business Analytics Solutions for Mid-Size Businesses
- Collective intelligence: Capitalizing on the crowd
- Informed CIO: SDN and Server Virtualization on a Collision Course
- Strategy: Building and Maintaining Database Access Control Permissions
- Mobile DevOps: Achieving continuous delivery with multiple front ends and complex backends in Banking, Financial Services, and Insurance
- How Cloud Facilitates an Agile Contact Center
"Torpig provided a unique opportunity to understand a live botnet. Most of the time, researchers only gain access to offline data, [such as] through a dropzone server that may be years old, while the data that we received was in real-time," says Brett Stone-Gross, one of the UCSB researchers.
While big-name botnets, like the former Storm, are best-known for their widespread spam runs and often dismissed as more of annoyance, it's the smaller, more stealthy botnets like Torpig that can pose real dangers. Torpig is a specialized mini-botnet -- a smaller and less conspicuous army that targets organizations and users to steal bank account information or other valuable personal information.
Torpig has been a hot subject for researchers for some time: RSA last October revealed that the so-called Sinowal Trojan, a.k.a. Torpig and Mebroot, had been stealing data for about three years, and had successfully swiped 300,000 online bank accounts, credit and debit card accounts, and an unknown number of email and FTP accounts. The botnet's malware "may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," researchers say.
Torpig initially infects users via drive-by download attacks. Once a machine is infected, Torpig can unleash sneaky phishing attacks that generate phony but chillingly convincing-looking Web pages and forms that lure the user into giving up his credentials.
"These phishing attacks are very difficult to detect, even for attentive users. In fact, the injected content carefully reproduces the style and look-and-feel of the target Web site," the UCSD researchers wrote in their report. "Furthermore, the injection mechanism defies all phishing indicators included in modern browsers. For example, the SSL configuration appears correct, and so does the URL displayed in the address bar."
The Websites most commonly infected with Torpig? Pornography-oriented ones, Stone-Gross says.
The UCSB researchers say they wrested control of Torpig by turning the tables on the botnet's own advanced architecture: a system called domain flux, which rotates domain names, typically pointing to a single IP address. It's a distant cousin of fast-flux hosting, which uses a single domain name that maps to multiple IP addresses that rotate in a round-robin fashion to evade detection. "We registered the domain names before the infected machines were programmed to contact them. The botnet controllers had only registered a couple of the domains in advance," Stone-Gross says.
Stone-Gross and his colleagues then gained control of Torpig's C&C server (Mebroot has its own C&C server that can update the Torpig binary code). The botnet operators regained control of the botnet after Mebroot's controllers updated the Torpig binary. "As a result, the infected machines were redirected to different domains that we did not own," he says.
But the UCSB researchers were able to collect some 70 gigabytes of data during the 10 days they controlled the botnet, which they estimate was at about 182,914 machines. During that time, Torpig stole banking credentials of 8,310 accounts from more than 400 different financial institutions -- namely PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E-Trade (304), and Chase (217).
They also saw a large number of businesses with relatively small numbers of Torpig bots; 310 companies had 10 or fewer bots. But most of the bots were aimed at consumers. "The majority of victims are home users," Stone-Gross says.
Torpig also goes after browsing data of the victims for potential identity theft or other nefarious purposes, according to the researchers.
The researchers counted 1,660 different stolen credit and debit card accounts, 49 percent of which belonged to victims in the U.S., 12 percent from Italy, and 8 percent from Spain. Of the cards, 1,056 were Visa cards; 447, MasterCard; 81, American Express; 36, Maestro; and 24, Discover. In one case, the botnet stole 30 credit card numbers from a single victim, who turned out to be an agent for an at-home distributed call center.
"It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center's central database for order processing," according to the UCSB report.
Next: Are researchers tipping their hand?