Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/4/2009
02:55 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Take Over Dangerous Botnet

Computer scientists at the University of California-Santa Barbara expose details of infamous botnet known for stealing financial data after temporarily wresting control of it

A group of researchers at the University of California-Santa Barbara boldly hijacked a notorious botnet known for stealing financial information and discovered that the botnet is even more dangerous than had been thought.

Researchers at the University of California at Santa Barbara have published a report (PDF) that exposes details about how the infamous Torpig/Sinowal/Anserin botnet operates, its makeup, who it typically victimizes, and just what type of financial data it's stealing. The researchers seized control of the botnet for 10 days in late January, after which Torpig's operators reclaimed it.

"Torpig provided a unique opportunity to understand a live botnet. Most of the time, researchers only gain access to offline data, [such as] through a dropzone server that may be years old, while the data that we received was in real-time," says Brett Stone-Gross, one of the UCSB researchers.

While big-name botnets, like the former Storm, are best-known for their widespread spam runs and often dismissed as more of annoyance, it's the smaller, more stealthy botnets like Torpig that can pose real dangers. Torpig is a specialized mini-botnet -- a smaller and less conspicuous army that targets organizations and users to steal bank account information or other valuable personal information.

Torpig has been a hot subject for researchers for some time: RSA last October revealed that the so-called Sinowal Trojan, a.k.a. Torpig and Mebroot, had been stealing data for about three years, and had successfully swiped 300,000 online bank accounts, credit and debit card accounts, and an unknown number of email and FTP accounts. The botnet's malware "may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," researchers say.

Wresting Control
Torpig initially infects users via drive-by download attacks. Once a machine is infected, Torpig can unleash sneaky phishing attacks that generate phony but chillingly convincing-looking Web pages and forms that lure the user into giving up his credentials.

"These phishing attacks are very difficult to detect, even for attentive users. In fact, the injected content carefully reproduces the style and look-and-feel of the target Web site," the UCSD researchers wrote in their report. "Furthermore, the injection mechanism defies all phishing indicators included in modern browsers. For example, the SSL configuration appears correct, and so does the URL displayed in the address bar."

The Websites most commonly infected with Torpig? Pornography-oriented ones, Stone-Gross says.

The UCSB researchers say they wrested control of Torpig by turning the tables on the botnet's own advanced architecture: a system called domain flux, which rotates domain names, typically pointing to a single IP address. It's a distant cousin of fast-flux hosting, which uses a single domain name that maps to multiple IP addresses that rotate in a round-robin fashion to evade detection. "We registered the domain names before the infected machines were programmed to contact them. The botnet controllers had only registered a couple of the domains in advance," Stone-Gross says.

Stone-Gross and his colleagues then gained control of Torpig's C&C server (Mebroot has its own C&C server that can update the Torpig binary code). The botnet operators regained control of the botnet after Mebroot's controllers updated the Torpig binary. "As a result, the infected machines were redirected to different domains that we did not own," he says.

But the UCSB researchers were able to collect some 70 gigabytes of data during the 10 days they controlled the botnet, which they estimate was at about 182,914 machines. During that time, Torpig stole banking credentials of 8,310 accounts from more than 400 different financial institutions -- namely PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E-Trade (304), and Chase (217).

They also saw a large number of businesses with relatively small numbers of Torpig bots; 310 companies had 10 or fewer bots. But most of the bots were aimed at consumers. "The majority of victims are home users," Stone-Gross says.

Torpig also goes after browsing data of the victims for potential identity theft or other nefarious purposes, according to the researchers.

The researchers counted 1,660 different stolen credit and debit card accounts, 49 percent of which belonged to victims in the U.S., 12 percent from Italy, and 8 percent from Spain. Of the cards, 1,056 were Visa cards; 447, MasterCard; 81, American Express; 36, Maestro; and 24, Discover. In one case, the botnet stole 30 credit card numbers from a single victim, who turned out to be an agent for an at-home distributed call center.

"It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center's central database for order processing," according to the UCSB report.

Next: Are researchers tipping their hand? Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13623
PUBLISHED: 2019-07-17
In NSA Ghidra through 9.0.4, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis r...
CVE-2019-13624
PUBLISHED: 2019-07-17
In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.
CVE-2019-13625
PUBLISHED: 2019-07-17
NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file.
CVE-2019-3571
PUBLISHED: 2019-07-16
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
CVE-2019-6160
PUBLISHED: 2019-07-16
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.