Researchers at the University of Mannheim's Laboratory for Dependable Distributed Systems were able to access nearly 100 so-called "dropzone" machines, and say the actual number of these servers is much more.
"With our limited amount of machines, we found more than 300 dropzones, and we covered only two families of banking Trojans. In total, there are presumably many more," says Thorsten Holz, one of the researchers and a founder of the German Honeypot Project. The researchers were studying what they call "impersonation attacks," where victims' credentials are stolen so that the attacker can impersonate them.
The researchers basically traced the steps of specific keyloggers and banking Trojans between April and October 2008. One-third of the machines infected by this data-stealing malware are in Russia or the U.S., according to the researchers. Overall, the 170,000 victims whose data they discovered in the dropzones were from 175 different countries.
They discovered a total of 10,775 bank account credentials, including passwords and bank account details that the victims would enter during a regular transaction. They also found more than 5,600 credit card accounts and tens of thousands of passwords for various sites.
Holz says he and his team accessed the dropzone servers in different ways, but is unable to provide any details for fear that the attackers would use that information to further lock down their servers. They automated the entire process, using honeypots to collect samples, and a sandbox system to do the analysis and monitor the dropzone server. "Very little human interaction is necessary in the process," he says.
"I think our study is unique in a sense that we cover so many dropzones and thus get a better overview of what criminals steal from infected machines. Many dropzones are small, but if there are hundreds of them, they still generate a lot of damage," Holz says.
The bad guys are raking in some big bucks, too, according to the researchers. An attacker using keyloggers for these attacks can earn several hundred dollars a day, according to the researchers, who have handed off their data to Australia's National Computer Emergency Response Team (AusCERT), which will contact the victims about their stolen data.
The full technical report can be found here (PDF).
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message