Broadband News
News, views and analysis
University hijacks Torpig botnet, cracks 56,000 passwords in an hour
05 May 2009 | 17.43 Europe/London
Researchers from the University of California Santa Barbara (UCSB) have been able to infiltrate and hijack the Torpig botnet for ten days before they were locked out - and just published a paper on their findings. During their time in control the infamous botnet (also known as Sinowal) managed to steal 70 gigabytes of data from unknowing users and, in one hour, 56,000 passwords.
The Torpig malware's been around since at least 2006. It infiltrates PCs through "drive-by-download attacks," exploiting coding vulnerabilities in legitimate websites and forcing machines accessing them to download a rootkit. The rootkit then weasels its way into a system so that Torpig launches during system boot time, evading security programs by starting up before anti-virus software can become active.
The malware's designed to steal personal and financial data from the machines it infects and, as the researchers have shown, it is effective. In just ten days the UCSB team managed to harvest the login credentials (both user names and passwords) of 8,310 accounts at over 400 financial institutions, including PayPal and Capital One. It's thought cyber-criminals could have made anywhere between $83,000 and $8.3 million manipulating this information.
The researchers were able to gain control of the Torpig network by targeting a weakness in the way its bots locate their command and control servers. Before its originators managed to patch the hole, the UCSB team got the login credentials needed to break in to almost 300,000 online accounts. It says it only needed to use "simple replacement rules" and a popular password cracker to do so, and that it retrieved a lot of confidential info thanks to vulnerabilities in browser password managers.
The UCSB research has shown that more than financial details are at stake: privacy also goes out the window if your machine gets infected. Using keyword searches of the emails of Torpig victims (in a way reminiscent of how Google's Gmail uses contextual advertising) they were able to discern that, for example, 14% of Torpig victims are looking for jobs and 4% are looking for sex.
Ironically, "online security is a concern of the infected population (almost 10% of the messages mention phishing, viruses, and spyware)," the report says. "But only a few people seem to suspect that they are using an infected machine. On the contrary, there is one who unwittingly announces that his computer has been fixed and the virus has gone." For the time being, despite the UCSB team's success in infiltrating Torpig, it looks like the virus isn't going anywhere.
[ ars technica ]
