Torpig Botnet Hijacked and Dissected
An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"
Re:uuh..yeah. (Score:5, Informative)
Although we could have sent a blank configuration file to potentially remove the web sites currently targeted by Torpig, we did not do so to avoid unforeseen consequences (e.g., changing the behavior of the malware on critical computer systems, such as a server in a hospital). We also did not send a configuration file with a different HTML injection server IP address for the same reasons. To notify the affected institutions and victims, we stored all the data that was sent to us, in accordance with Principle 2, and worked with ISPs and law enforcement agencies, including the United States Department of Defense (DoD) and FBI Cybercrime units, to assist us with this effort. This cooperation also led to the suspension of the current Torpig domains owned by the cyber criminals.
FTFA, they snaked a domain name they knew the botnet was going to use before the bad guys could, then just collected info sent to them by all the compromised systems.
The submission header and the body are encrypted using the Torpig encryption algorithm (base64 and XOR)
Torpig encryption algorithm: base64 and XOR. In contrast, Conficker uses all kinds of crypto (RC4, RSA, and MD-6 [sri.com]).
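To illustrate why "base64 and XOR" is obfuscation rather than encryption, here is an added example (not the researchers' code and not Torpig's real routine): it assumes a short repeating XOR key and a constructed report format, and shows that an analyst who knows only the first few bytes of a report (e.g. a fixed header) recovers the key and, separately, that two reports under the same key leak the XOR of their plaintexts even without the key.

```python
import base64
from itertools import cycle

# Constructed sample key and message; Torpig's actual key and format are
# not on the page and are not reproduced here.
SAMPLE_KEY = bytes([0x5A, 0x13, 0xC4, 0x2E])
SAMPLE_PLAINTEXT = b"ts=1240000000&ip=192.0.2.10&user=example"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (zip stops at the end of data)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_report(plaintext: bytes, key: bytes) -> str:
    """Assumed bot-side scheme: XOR with repeating key, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_report(blob: str, key: bytes) -> bytes:
    """Server-side (or analyst-side) reversal: base64-decode, then XOR."""
    return xor_bytes(base64.b64decode(blob), key)


def recover_key(blob: str, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    ciphertext XOR plaintext == keystream, so knowing key_len bytes of
    plaintext (a fixed header is enough) yields the whole repeating key.
    """
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    ct = base64.b64decode(blob)
    return bytes(c ^ p for c, p in zip(ct, known_prefix))[:key_len]


def same_key_leak(blob_a: str, blob_b: str) -> bytes:
    """Without any key: XOR of two ciphertexts == XOR of the two plaintexts,
    because the repeating keystream cancels. Differences between reports
    are therefore visible to anyone capturing the traffic."""
    return xor_bytes(base64.b64decode(blob_a), base64.b64decode(blob_b))


def demo() -> bytes:
    """Encode the constructed report, recover the key from its header,
    and decrypt without ever being given SAMPLE_KEY directly."""
    blob = encode_report(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key = recover_key(blob, SAMPLE_PLAINTEXT[:4], len(SAMPLE_KEY))
    return decode_report(blob, key)
```

Compare with the Conficker schemes named in the comment: with RC4 under a fresh key, or RSA, a captured header gives the analyst nothing of the sort.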
Re:Hacking is hacking isn't it? (Score:4, Informative)
Re:3 years? Pfffft. (Score:5, Informative)
Give him a CD with XP which includes SP3 and all patches up to now, and he should be good for some time.
Give him Linux, and he will be good for a looong time.
No mention of Windows as the target (Score:5, Informative)
What bothered me after reading this paper is nowhere does this paper come out and say that the infected machines are all running Windows, although this is strongly implied by the description of how the virus works. The reader is left to wonder whether machines other than Microsoft Windows were infected.
Instead, the paper leaves the impression that all computing has the same architectural vulnerabilities. I thought that was a surprising defect, sufficient to make me wonder what else isn't captured/stated/analyzed in the paper.
Re:Hacking is hacking isn't it? (Score:1, Informative)
First, define "hacking".
For your information, Linus Torvalds was and is a hacker. A REAL hacker, not one of those morons who ride on the coat tails of people like Torvalds, using a few half understood skills to wreak havoc on the int3rt00bz.
Without "hackers" you wouldn't have a computer, period.
Owning an automobile isn't illegal, nor is it illegal to understand how to hotwire a car. It isn't even illegal to hotwire a car, UNLESS you happen to be stealing the car.
Hacking, properly defined, is essential to computer science. Theft of data has no more to do with hacking than the theft of a car has to do with mechanical skills.
Re:3 years? Pfffft. (Score:2, Informative)
Re:How do I make such a CD? (Score:5, Informative)
In fact, try that even otherwise. Simply install to a Virtual Machine without internet access, then get the redistributable SP3 using your safe Linux distribution, then create a slipstreamed ISO inside your Virtual Machine and burn it in your Linux distribution if you can't have passthrough enabled in the virtual machine.
Never tried this myself (I use a Linux distro), but can't see why it shouldn't work, and it should be safe.
The wrong kind of comment ... (Score:3, Informative)
First of all, the whole exercise was cut short because the botnet admins updated the Mebroot toolkit, causing the researchers to lose contact. That happened before publication, ok? Secondly it shows that the easiest way to protect your botnet is to update Mebroot once a week (or sooner), and savvy botnet admins already knew that.
The big plus is that this research unequivocally points out MS Windows users' ability to write to the MBR and to modify executables as the main strategic access point. The general public didn't know that before. Now it does and it might decide that this is something that must be addressed. Either by switching to Linux or by more careful login management or by pounding the desk in Redmond and demanding a fix. Nothing else could have done that.
In addition it highlights the crucial importance of ISPs and registrars to respond immediately (and intelligently) to complaints of abuse. As the researchers point out, there is scope for streamlining and actually *using* existing procedures to terminate a registrar's accreditation. There may also be scope for legislation here in compelling any ISP or registrar to maintain a certain minimum capability for investigating abuse, and for instituting a legally binding maximum timespan between complaint and investigation. I would personally favour legislation to force those registrars and ISPs who do not have that capability out of business (or compel them to be taken over) within a year or so. That's something that would have been impossible to justify without this research.
So in short, the small disadvantage of alerting botnet admins to a vulnerability is far outweighed by the intelligence gathered. Intelligence that *must* be made public before it can be acted upon due to institutional torpor, stupidity, or tardiness.
Re:How do I make such a CD? (Score:4, Informative)
$59.00 Linksys router.
all done.