Researchers hijack control of Torpig botnet

Share this article:

A group of researchers at the University of California, Santa Barbara, have infiltrated the Torpig botnet, which was found to be in control of hundreds of thousands of computers that were volunteering gigabytes of sensitive information.

The eight researchers, who actually took over the botnet for 10 days by seizing its command-and-control (C&C) channel, observed 180,000 infections and recorded more than 70 gigabytes of harvested data before losing control. In a paper reporting the results of their work, the researchers said that at one point data was being uploaded to them every 20 minutes.

Torpig is an advanced piece of crimeware, typically associated with bank account and credit card theft, according to the researchers, who work in the university's Department of Computer Science. Torpig uses a C&C technique that has also been adapted by the Conficker botmasters. That is, each infected bot periodically generates a list of domains to contact. The first server that sends a valid C&C reply is considered genuine.

The researchers used information about the Torpig domain generation algorithm to quickly register domains that the infected bots would contact – before the bot herders did. Then, when provided a valid response, the infected bots accepted the researcher's servers as genuine.

Among their findings, the researchers learned that typical evaluations of botnet sizes, based on the count of distinct IPs, might be overestimated.

“We found that, in our case, the number of unique IPs was one order of magnitude larger than the actual number of infected hosts,” they wrote in the report.

They also said that the victims of botnets are generally users with poorly maintained machines. Victims invariably choose easily guessed passwords to protect access to sensitive sites.

“This is evidence that the malware problem is fundamentally a cultural problem,” they wrote. “Even though people are educated and understand concepts such as physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer.”

In addition, the researchers said that interacting with registrars, hosting facilities, victim institutions, and law enforcement is a complicated process.

“However, a few simple rules of behavior imposed by the U.S. government would go a long way toward preventing malicious internet behavior,” they wrote. “Even though botnets are a global problem, the United States could effectively enforce rules of behavior that might make it harder for botmasters to use the nation's cyberinfrastructure with impunity.”

Share this article:

Sign up to our newsletters

More in News

Errors in ZeroLocker means paying ransom may not decrypt files

A piece of ransomware known as ZeroLocker contains various errors that may prevent files from being decrypted even if the ransom is paid.

Rogue AV scammers find success with new tatics

Although the number of rogue anti-virus malware campaigns have decreased overall, the threat isn't totally gone, according to researchers at Microsoft.

Medical transcription provider settles data security charges

GMR Transcription Services in California agreed to settle FTC charges related to its security practices.