Researchers hijack control of Torpig botnet


A group of researchers at the University of California, Santa Barbara, has infiltrated the Torpig botnet, which was found to control hundreds of thousands of computers that were leaking gigabytes of sensitive information.

The eight researchers, who actually took over the botnet for 10 days by seizing its command-and-control (C&C) channel, observed 180,000 infections and recorded more than 70 gigabytes of harvested data before losing control. In a paper reporting the results of their work, the researchers said that at one point data was being uploaded to them every 20 minutes.

Torpig is an advanced piece of crimeware, typically associated with bank account and credit card theft, according to the researchers, who work in the university's Department of Computer Science. Torpig uses a C&C technique that has also been adopted by the Conficker botmasters: each infected bot periodically generates a list of domains to contact, and the first server that sends a valid C&C reply is considered genuine.

The researchers used information about the Torpig domain generation algorithm to quickly register domains that the infected bots would contact – before the bot herders did. Then, when the researchers' servers provided a valid response, the infected bots accepted them as genuine.

Among their findings, the researchers learned that typical evaluations of botnet sizes, based on the count of distinct IPs, might be overestimated.

“We found that, in our case, the number of unique IPs was one order of magnitude larger than the actual number of infected hosts,” they wrote in the report.
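The size-estimation point above, as an added illustration that is not part of the original article or the researchers' own code: a constructed sinkhole log in which 100 hosts change address once a day, counted by unique IP versus by a per-host identifier (the `bot_id` field is an assumed name for such an identifier), plus a short-window count that approximates the host count when no identifier is available.

```python
from datetime import datetime, timedelta

# Constructed sample of what a sinkhole operator sees once bots report in.
# Each record is (timestamp, bot_id, source_ip); bot_id is an assumed name for
# a per-host identifier, and the address rolls over daily to mimic DHCP churn.
def build_sample_checkins(n_hosts=100, days=10, per_day=12):
    start = datetime(2009, 1, 25)
    records = []
    for host in range(n_hosts):
        bot_id = f"bot-{host:04x}"
        for day in range(days):
            ip = f"10.{host // 256}.{host % 256}.{day + 1}"  # new lease each day
            for k in range(per_day):
                ts = start + timedelta(days=day, hours=24 * k / per_day)
                records.append((ts, bot_id, ip))
    return records

def size_by_unique_ips(records):
    """The naive estimate: every distinct source address counted as a bot."""
    return len({ip for _, _, ip in records})

def size_by_bot_ids(records):
    """Estimate from a stable per-host identifier in the reports."""
    return len({bot_id for _, bot_id, _ in records})

def ips_per_host(records):
    """How many addresses each identifier was seen from (the churn itself)."""
    seen = {}
    for _, bot_id, ip in records:
        seen.setdefault(bot_id, set()).add(ip)
    return {bot_id: len(ips) for bot_id, ips in seen.items()}

def size_by_short_window(records, window=timedelta(hours=1)):
    """Fallback without a host ID: the most distinct addresses seen inside a
    window shorter than the lease period, so one host rarely counts twice."""
    ordered = sorted(records)
    best = 0
    for i, (t0, _, _) in enumerate(ordered):
        ips = set()
        for t, _, ip in ordered[i:]:
            if t - t0 > window:
                break
            ips.add(ip)
        best = max(best, len(ips))
    return best

if __name__ == "__main__":
    log = build_sample_checkins()
    print("unique IPs:", size_by_unique_ips(log), "bot IDs:", size_by_bot_ids(log))
    print("1h window:", size_by_short_window(log))
```

With daily churn over ten days the IP count comes out exactly ten times the host count, the order-of-magnitude gap the researchers describe.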

They also said that the victims of botnets are generally users with poorly maintained machines. Victims invariably choose easily guessed passwords to protect access to sensitive sites.

“This is evidence that the malware problem is fundamentally a cultural problem,” they wrote. “Even though people are educated and understand concepts such as physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer.”

In addition, the researchers said that interacting with registrars, hosting facilities, victim institutions, and law enforcement is a complicated process.

“However, a few simple rules of behavior imposed by the U.S. government would go a long way toward preventing malicious internet behavior,” they wrote. “Even though botnets are a global problem, the United States could effectively enforce rules of behavior that might make it harder for botmasters to use the nation's cyberinfrastructure with impunity.”
