A group of researchers at the University of California-Santa Barbara boldly hijacked a notorious botnet known for stealing financial information and discovered that the botnet is even more dangerous than had been thought.

Researchers at the University of California at Santa Barbara have published a report (PDF) that exposes details about how the infamous Torpig/Sinowal/Anserin botnet operates, its makeup, who it typically victimizes, and just what type of financial data it's stealing. The researchers seized control of the botnet for 10 days in late January, after which Torpig's operators reclaimed it.

"Torpig provided a unique opportunity to understand a live botnet. Most of the time, researchers only gain access to offline data, [such as] through a dropzone server that may be years old, while the data that we received was in real-time," says Brett Stone-Gross, one of the UCSB researchers.

While big-name botnets, like the former Storm, are best-known for their widespread spam runs and often dismissed as more of annoyance, it's the smaller, more stealthy botnets like Torpig that can pose real dangers. Torpig is a specialized mini-botnet -- a smaller and less conspicuous army that targets organizations and users to steal bank account information or other valuable personal information.

Torpig has been a hot subject for researchers for some time: RSA last October revealed that the so-called Sinowal Trojan, a.k.a. Torpig and Mebroot, had been stealing data for about three years, and had successfully swiped 300,000 online bank accounts, credit and debit card accounts, and an unknown number of email and FTP accounts. The botnet's malware "may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," researchers say.

Wresting Control
Torpig initially infects users via drive-by download attacks. Once a machine is infected, Torpig can unleash sneaky phishing attacks that generate phony but chillingly convincing-looking Web pages and forms that lure the user into giving up his credentials.

"These phishing attacks are very difficult to detect, even for attentive users. In fact, the injected content carefully reproduces the style and look-and-feel of the target Web site," the UCSD researchers wrote in their report. "Furthermore, the injection mechanism defies all phishing indicators included in modern browsers. For example, the SSL configuration appears correct, and so does the URL displayed in the address bar."

The Websites most commonly infected with Torpig? Pornography-oriented ones, Stone-Gross says.

The UCSB researchers say they wrested control of Torpig by turning the tables on the botnet's own advanced architecture: a system called domain flux, which rotates domain names, typically pointing to a single IP address. It's a distant cousin of fast-flux hosting, which uses a single domain name that maps to multiple IP addresses that rotate in a round-robin fashion to evade detection. "We registered the domain names before the infected machines were programmed to contact them. The botnet controllers had only registered a couple of the domains in advance," Stone-Gross says.

Stone-Gross and his colleagues then gained control of Torpig's C&C server (Mebroot has its own C&C server that can update the Torpig binary code). The botnet operators regained control of the botnet after Mebroot's controllers updated the Torpig binary. "As a result, the infected machines were redirected to different domains that we did not own," he says.

But the UCSB researchers were able to collect some 70 gigabytes of data during the 10 days they controlled the botnet, which they estimate was at about 182,914 machines. During that time, Torpig stole banking credentials of 8,310 accounts from more than 400 different financial institutions -- namely PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E-Trade (304), and Chase (217).

They also saw a large number of businesses with relatively small numbers of Torpig bots; 310 companies had 10 or fewer bots. But most of the bots were aimed at consumers. "The majority of victims are home users," Stone-Gross says.

Torpig also goes after browsing data of the victims for potential identity theft or other nefarious purposes, according to the researchers.

The researchers counted 1,660 different stolen credit and debit card accounts, 49 percent of which belonged to victims in the U.S., 12 percent from Italy, and 8 percent from Spain. Of the cards, 1,056 were Visa cards; 447, MasterCard; 81, American Express; 36, Maestro; and 24, Discover. In one case, the botnet stole 30 credit card numbers from a single victim, who turned out to be an agent for an at-home distributed call center.

"It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center's central database for order processing," according to the UCSB report.

Next: Are researchers tipping their hand? But the researchers' disclosure of details about the botnet and its victims -- naming banks and describing some of the online interests of users victimized by the botnet based on their Webmail messages and online forum posts -- also stirred up debate about whether the researchers gave away too much information about Torpig that could compromise efforts to eventually take the botnet down.

"They definitely did their homework...[but] they have entered into the fray of the healthy debate over what should be disclosed and what should not be," says Sean Brady, senior manager, identity protection and verification for RSA. "This [research] does create a road map...for the [botnet] criminals to fix, and not just for others to exploit."

Among the findings by UCSD was that 38 percent of the credentials Torpig stole were taken from a browser's password manager, not by sniffing a login session.

The researchers found that most of the bots were poorly secured and poorly maintained machines using easily guessed passwords. Some characteristics of the English-speaking victims the researchers found when studying their online posts and Webmail messages: They seek jobs and submit resumes (14 percent of the messages), they are sports fans (6 percent); they study for exams and worry about grades (5 percent); they trade goods online (4 percent); and they look for sex or partners online (4 percent). Only a few of the victims suspected their machine was infected.

What makes the Torpig botnet so unique? "The level of sophistication, the amount of data that it is able to steal, and the fact that it has been active for more than three years is truly remarkable," Stone-Gross says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.