Torpig Botnet Hijacked and Dissected
An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"
uuh..yeah. (Score:5, Interesting)
Why don't they just send a self-destruct/uninstall command and kill it, or would that be too simple?
Suggested punishment (Score:5, Interesting)
How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jail. For 180k systems, that's an eighteen million dollar fine and nearly five hundred years of jail time.
Of course, the problem is catching these bastards, who tend to live in countries where the government doesn't care or is actively involved in these illegal activities (I'm looking at you, Russia).
Re:Hacking is hacking isn't it? (Score:3, Interesting)
Probably, but some well-placed vigilante hacking could help the world. I mean, if they have control, how hard would it be to let that person know that they have a trojan, and to give directions on how to remove it?
Unfortunately, that process would soon be usurped. There already is a class of malware called "rogue anti-virus" that gives false removal instructions, resulting in infection.
Better would be to plug the holes, and plug them fast enough so that you can't drive the proverbial slow moving truck, carrying a payload of *wares, through them.
Re:Suggested punishment (Score:3, Interesting)
Do that and I might start writing viri
Re:uuh..yeah. (Score:4, Interesting)
Fine, use geo-IP to only uninfect computers that are in countries that:
1) Aren't sue-friendly (e.g. not the US)
2) Don't have any jurisdiction in your country (e.g. not the US)
Re:uuh..yeah. (Score:3, Interesting)
"If YOUR homeland security fiddles with MY government computer, get ready for international troubles."
Link the IP to a location, then only fix bots in computers that are in your country; this has the additional advantage that you become more secure while your enemies get weaker. Alternatively, and I know that the Americans about may find this crazy, you could ask permission of other countries to take out their bots too (as it benefits you that the botnet is dead). Ideally you could come to an agreement that protects you from prosecution under the laws you break, probably in exchange for the logs or some other evidence that you're not abusing the privilege. Hell, the agreement could well be between a private (research) company and various countries' police departments, avoiding the need for much of the bureaucratic bullshit you get when governments sort stuff out.
Re:uuh..yeah. (Score:2, Interesting)
I would assume that the computer hacking side of government security does have their own form of black ops? A building/fake business with an internet connection under a false name. Of course any such "fiddling" would not remove the black op connection to your government system but merely the botnet that would be likely to be found eventually.
Re:uuh..yeah. (Score:1, Interesting)
I'd go as far as telling you that the victims should also be punished for leaving their machines wildly exposed to the botnet. I guess all of them were running an un-updated OS, without antivirus and/or firewall. Since it's obvious that these bots are also used in criminal attacks against other people (DDoS, spamming, further botnet spreading), I don't see them as victims but more like accomplices.
If you are not willing to learn how to safely use a computer you shouldn't have one; just stick to an iPhone or other toys (Internet tablets).
Re:How do I make such a CD? (Score:1, Interesting)
Google for "slipstream", the method used for merging service packs into Windows install discs.
Re:uuh..yeah. (Score:3, Interesting)
Many would ignore such a message thinking it is yet another advertising scam. Those that would blindly follow the instructions are the ones who have so much crap on the machine from blindly following messages like this ("you may be infected, install SpamKillaBot now!!!!") in the first place that removing just one worm from their machine.
The only way to make most listen and do something about their PC security is to actually break something, and that definitely would be a moral no-no. Even then, some would just revert their machine back to the rescue image, not bother with the Windows Updates just yet because it is going to take ages and all they want to do right now is quickly check email, and it starts all over again.
Re:uuh..yeah. (Score:4, Interesting)
The injection normally happens on bank websites; I'd hope few would ignore a big scary message they saw when entering their bank details! Or they could inject it into ALL websites (the injection happens based on a whitelist of URLs). If the user got the warning at the top of EVERY page they viewed (across all browsers), they'd soon get fed up and do something about it!
A better Torpig (Score:2, Interesting)
random speculation
So if you take the paradigms of open source and apply the benefits of free and open criticism of a project, then the ultimate result of this paper should be a better Torpig. As such, I wonder how long it will be before some of the methods mentioned in the paper that made Torpig vulnerable to takeover quietly disappear...
Torpig will doubtless allow updates to itself - allowing for current C&C commands to take varied action for example. Updating the infected machines with code that is less resistant to domain flux and hence preventing the injection of other C&C servers may be something achievable. After the publishing of a paper like this I'd be unsurprised if the code was not already undergoing update and that some of the methods in the paper weren't already out of date.
Then again, I do wonder if publishing this at this time is due to the botnet already having moved on and therefore the techniques no longer being available. Publishing may otherwise be a little irresponsible if the agencies involved in the article are still using the techniques mentioned.
Then again, there are multiple other reasons for publishing this.
Re:How do I make such a CD? (Score:1, Interesting)
With difficulty, because the recovery disks likely won't work in a virtual machine due to vendor lock-ins. If they did work in a virtual machine then you could install Windows in Linux to run nLite and slipstream the service pack.
Alternatively you could do some frippery with hiding the laptop behind the Linux box, but that would need two network connections on the Linux box.
A third option might be to use Wine to slipstream a service pack, but that would rely on Wine being able to run the service pack installer in slipstream mode.
Who's to say? (Score:4, Interesting)
How about the reverse? If you are stupid enough to be hosting a botnet node, you are likely too stupid to know when an anti-botnet attack will affect your machine, nor are you likely to be able to identify such behavior as the cause of any damage to your machine.
Nobody would ever find out. Places like the Geek Squad are populated with people who are instructed to turn stuff over for a profit rather than solve problems, so they won't look for evidence of the battle. They'll just reformat the machine and hand it back. Hackers like us on Slashdot are already probably secure against a lot of this crapware, so we'd never be "reverse-attacked."
And who's to say which piece of malware caused the damage: the original trojan, or the anti-trojan? Even if it were traced down to the anti-trojan, what evidence would you have that it was sent by the researchers, and not by some anti-botnet-vigilante group?
I bet these researchers could release an anti-trojan and get away with it completely. As long as they do it silently, the meddling kids never find out who did it.
Even better: an alliance of anti-botnet researchers! To enter, you have to swear an oath not to rat out the other guys' anti-botnet software. "We tried really, really hard, but we couldn't figure out who sent it, sorry." No one would ever know.
Re:uuh..yeah. (Score:3, Interesting)
Yes, they have. It is called a security landscape. Banks calculate that it is cheaper to allow the fraud and compensate than implement security measures that would stop the problem. You can read more about this [amazon.com] if you want to know.
Disclaimer: I am not Bruce Schneier, nor do I play him on Slashdot.
Re:Who's to say? (Score:3, Interesting)
How about me, being a government that isn't looking favorably at the US, setting up an infected machine, monitoring the access and using it as a PR stunt should the US "invade" its computers?
Playing host to hundreds of "vigilante patriot Chinese hackers" doesn't seem to have hurt the Chinese' ability to access the net, has it?
Besides, my point was it's all about deniability. "Sorry, we're the U.S. Government. We don't know who silently fixed your DAMNED VIRUS LADEN UNPATCHED TURD OF A SERVER. Rest assured, we have our top people looking at it. Top people. But anyway, it wasn't us."