Torpig Botnet Hijacked and Dissected
An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"
Why don't they just send a self-destruct/uninstall command and kill it, or would that be too simple?
I know what they did is good and all, but didn't they still commit a crime themselves?
no, maybe, oh I don't know. Why do I get all the hard questions?
Take a machine. Install Windows XP SP1. Hook it to unfiltered internet access. Watch Sasser install. Mean time before infection: 30 seconds.
That nuisance is 5 years old and still running rampant. Now, it is far from being the threat that Torpig is, but it shows you just how hard it is to get rid of something. And unlike Torpig, it's not really "in use" anymore. Its maker is gone, it doesn't get any updates or new variants to facilitate infection. We're talking about the same old crapware that every single AV kit knows and removes by now. Worse, it's a threat that any halfway decently patched machine is not susceptible to.
And you want to get rid of Torpig?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jail. For 180k systems, that's an eighteen million dollar fine and nearly five hundred years of jail time.
Of course, the problem is catching these bastards who tend to live in countries where the government doesn't care or is actively involved in these illegal activities (I'm looking at you Russia).
-- Will program for bandwidth
Let me get this straight. They took over a botnet, which consists of computers they are unauthorized to access. Not only did they commit a felony but then they wrote a paper about it?
The reason that nobody else has done this before is not because they are incapable of doing it. The reason nobody has done this before is because it is illegal.
Isn't it time that US federal law requires all broadband operators to provide per-client client-configurable firewalls on their end of the last-mile by a date-certain that coincides with the current end of life on their equipment?
None of this would have been necessary if we had just stuck with X.25 and used X.PC instead of veering off into Vincent Cerf's private hell of TCP/IP and PPP. That it has taken 20 years (yeah, 20 years!) to figure out we need to add a firewall to the head-end routers is just totally unforgivable. At least now it can be done with a chip and remotely programmed by the Customer via the ISP's portal.
Indeed, they proved that it is completely possible to hijack a huge botnet and destroy a big part of it. (Well, everything is possible and there is quite a lot of variation between different botnets, but still...) The problem is that they also gained access to a huge supply of bank account and credit card numbers and such. This itself can be considered a huge crime, even if they weren't planning to use them themselves. Legally speaking, hijacking it didn't differ much from creating a botnet for yourself. Also, hijacking a botnet of course involves interacting with the infected computers, which is a crime. Morally speaking this all is acceptable and beneficial for the public good. Yet, legally speaking, it seems a somewhat suspicious activity. You can't always be certain that the goal of this kind of operation is as naive as this time. Well anyway, good job!
Is the whole notion of a hacker that acts on behalf of the "public good" by shutting these things down (i.e. gray hat) just a myth?
Yeah, it's probably technically illegal, but I thought there were folks out there doing it. I'd be interested to know if any /.ers have ever engaged in trying to kill one of these things.
Speaking for myself... I haven't because of the technically illegal nature of the work (at least I think it'd be technically illegal). Plus, without ever doing it, I don't know enough about how to do it. Can't be that hard though. Why are these things allowed to exist?
Still, seems like a pretty cool thing to hack, and you're doing some good at the same time.
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
oh yeah, expect half of the Sub-Continent, Asia and Eastern Europe to weigh in on how bad X.25 would have been for them (because it had distance-based pricing instead of sticking with the traditional toll-free, toll and pay-per-call model that served us for the previous 40 years). I mean, without TCP/IP and distance-free pricing/leeching/peering, those people would have continued on in their own islands. Projects run by the guy who spent 20 years being paid by a university (cushy job) before he snapped and turned communist would still have gotten out there, but never would have swept the planet and destroyed the IT economy and given very bad, uneducated, radical people access to technology that makes them more productive. (Of course, it will take the bankruptcy of Apple and Microsoft in under 10 years and another 20 years of stagnation under LINUX when there is nobody left to copy and "no reason to change" before the now 20-somethings figure out they were used like toilet paper by older, much smarter communists like RMS and his radicalized elements like Mr. Cathederal.) Someday, history will record their names where they belong. Someday.
What bothered me after reading this paper is nowhere does this paper come out and say that the infected machines are all running Windows, although this is strongly implied by the description of how the virus works. The reader is left to wonder whether machines other than Microsoft Windows were infected.
Instead, the paper leaves the impression that all computing has the same architectural vulnerabilities. I thought that was a surprising defect, sufficient to make me wonder what else isn't captured/stated/analyzed in the paper.
As said in the title, it wasn't too long ago that the BBC did something similar. However, I personally consider their purposes for this botnet a lot better than what we read here. First, the BBC used this to make the general public aware of the dangers of their PCs being infected (and most of all: what might result from it).
But last and certainly not least, they actually did shut the whole botnet down. Every single node got a massive warning about their PC being infected and that it should be cleaned up ASAP. And that's not what I'm reading here, therefore I consider this kind of abuse totally unacceptable.
This I feel is a good analogy to old fashioned snail mail.
A package gets delivered by mistake to your house, it is obviously intended (addressed) for someone else, but you open it anyway.
Regardless of whether the contents are legal or illegal (drugs, fake currency, or just a birthday card), you are still committing a crime by opening it. You'd be hard pressed to use the "I'm a researcher" defense on that one.
I mean, that implies that anyone intercepting a botnet's stolen data can simply claim "they didn't write it, they were just researching it".
Why does this sound like a cross between an Onion and Swine Flu?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Did they contact the owners of the infected PCs in any way to tell them their PC is infected?
Give him a CD with XP which includes SP3
I'm curious: how would I go about producing such a CD, without any of my boxes getting "sassered"?
I have: a Linux box. An OS-less laptop. Some XP recovery disks.
The reason nobody has done this before is because it is illegal
"The proper authorities are helpless against the criminal scum plaguing the Internet. I shall become a costumed vigilante hacker, but I need a sign... wait, was that a frigging BAT that just hit the basement window...? What the hell? Now, wait... where was I... Oh, yes, I need a sign. I HAVE IT! I SHALL BECOME GOATSEE MAN!"
Ok hacker nerds, here is your chance to live out the fantasy. You have the talents, become a heroic hacker vigilante. You can break into people's computers, fix systems, counter hack black hats, and claim that you are 'the bat'. Get to it.
HA! I just wasted some of your bandwidth with a frivolous sig!
Greetings and Salutations...
I have to say that the level of misunderstanding exhibited by MOST of the folks posting to this thread boggles the mind. Considering the alleged level of IT sophistication of the readers of /., it is even more amazing.
I read the researchers' report, and I have to say that I found it a well-reasoned and interesting analysis of a terrible problem on the Internet. However, without following their methodology, I do not believe they could have been able to do anywhere close to this level of analysis. These researchers not only produced a fairly scholarly analysis of a nasty and persistent problem, but apparently went out of their way to work with the governmental authorities charged with controlling these sorts of crimes. So... why all the calls for them to be drawn and quartered in the public square? Have none of you ever heard of the concept of studying your enemy on a deep level, so as to find its weaknesses and make it easier to destroy? And as a part of that, how do you propose to GATHER that information, short of following the procedures that these researchers used?
There are only a few, small quibbles I have with the paper. While they do say that they took a number of steps to secure the private information that they gathered while researching this virus, I would feel much better about reality if there was some assurance that this data set had been destroyed at the end of the study. I realise that arguments can be made that information, once gathered, tends to exist forever (after all, can we be sure that no copies were made?). However, with sufficient audit trails of what happened to the data, and who accessed it, this is a minimal problem. Of course, if the folks whose data had been intercepted were, indeed, contacted and made aware of the breach of their privacy, the usefulness of this data would erode away quickly, as CC numbers/banking information/passwords/etc were changed.
Also, it was unclear to me exactly how they attempted to contact the people whose information had been compromised. Mainly this is curiosity on my part, because most of the methods that spring to mind (email, IM, etc.) are exactly the sorts of communications that I tend to filter out and delete without any further attention. I suppose that a phone call from a complete stranger would certainly be a wake-up call, though.
As for their activities being "illegal", while perhaps technically true, it is more a problem with the way the laws are written than with their activities. Most folks do not understand that applying the law to a bad situation is akin to using a 20 lb sledgehammer to swat a mosquito. It is not a precision instrument. That is one of the many reasons that the justice system in America has avenues for appealing a case through several levels of juries and judges. The hope is that with enough people looking at it, a sane interpretation of the law will take root. Most of the current laws dealing with computer access and IT these days DO make security research difficult and problematical, as their wording exposes even legitimate researchers to criminal charges. That is a legislative problem, though, and not a sign that serious researchers who are trying to understand a complex and interesting problem on the net are "Doing Evil".
In short...if you like eating sausage, you should NEVER watch it being made.
Dave Mundt
YAB - http://blog.beemandave.com/
It's quite probable that this information (and particularly the techniques used to hijack the botnet) is also new and valuable to law-enforcement agencies. Such agencies tend to be desperately short of intelligence (both kinds), under-equipped to do research, and usually operate in a purely reactive way ("show us the bodies and we'll investigate").
And yes, I think that the researchers did fine by hijacking a botnet in the first place and secondly by not destroying it but instead contacting law-enforcement agencies. Researchers are neither law enforcement officers nor sysadmins for the infected systems. They have their own work to do (which law-enforcement agencies could not or would not do, or the Torpig botnet would have been cleaned up long ago).
It is interesting to note that *all* of the infected machines seem to be MS Windows based. Even though many of the targeted clients (Firefox, Skype) also run on Linux machines. If I had to guess I'd say that under Linux the need to have root access to either modify the MBR or to write downloaded malware code to the targeted executables on disk provides an effective barrier to infection (provided you don't surf the net with root privileges of course).
Unfortunately the publication of this sort of research may lead botnet administrators and designers to address the authentication weakness the researchers exploited. Ah well, such is life.
This research paper gives the botnet people some more ideas on where their weaknesses are.
It's like a security researcher turning up at the underground base of an evil tyrant and finding a way in then writing a publicly available paper on where his defenses are weak.
First of all, the whole exercise was cut short because the botnet admins updated the Mebroot toolkit, causing the researchers to lose contact. That happened before publication, ok? Secondly, it shows that the easiest way to protect your botnet is to update Mebroot once a week (or sooner), and savvy botnet admins already knew that.
The big plus is that this research unequivocally points out MS Windows users' ability to write to the MBR and to modify executables as the main strategic access point. The general public didn't know that before. Now it does and it might decide that this is something that must be addressed. Either by switching to Linux or by more careful login management or by pounding the desk in Redmond and demanding a fix. Nothing else could have done that.
In addition it highlights the crucial importance of ISPs and registrars to respond immediately (and intelligently) to complaints of abuse. As the researchers point out, there is scope for streamlining and actually *using* existing procedures to terminate a registrar's accreditation. There may also be scope for legislation here in compelling any ISP or registrar to maintain a certain minimum capability for investigating abuse, and for instituting a legally binding maximum timespan between complaint and investigation. I would personally favour legislation to force those registrars and ISPs who do not have that capability out of business (or compel them to be taken over) within a year or so. That's something that would have been impossible to justify without this research.
So in short, the small disadvantage of alerting botnet admins to a vulnerability is far outweighed by the intelligence gathered. Intelligence that *must* be made public before it can be acted upon due to institutional torpor, stupidity, or tardiness.
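An added example, not from the paper or from anyone in this thread, of the defender's side of the MBR point raised in the posts above: a baseline-and-compare check over the MBR boot-code region that flags the bootkit pattern (boot code changed while the partition table is intact). The sector contents are constructed for the demo; reading a real disk's first sector is left to the caller.

```python
"""Baseline-and-compare check for MBR boot code (added example).

Mebroot persists by rewriting the Master Boot Record, which on Windows any
administrator-level process can do. A defender's counter is to hash the
boot-code region once the disk is known-good and re-check it later: a changed
hash with an unchanged partition table is the pattern of a bootkit-style
overwrite rather than of a repartition. All sectors below are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439; the disk signature at 440..443 is excluded
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA, read as little-endian 0xAA55


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"bootable": bool(status & 0x80), "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": parts,
            "signature_ok": sig == 0xAA55}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; this is the value to baseline."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(baseline: bytes, current: bytes) -> str:
    """Classify the difference between a known-good MBR and the current one."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    if not cur["signature_ok"]:
        return "corrupt: boot signature missing"
    code_changed = base["boot_code"] != cur["boot_code"]
    table_changed = base["partitions"] != cur["partitions"]
    if code_changed and not table_changed:
        return "ALERT: boot code rewritten, partition table intact (bootkit pattern)"
    if code_changed:
        return "changed: boot code and partition table both differ (reinstall?)"
    if table_changed:
        return "changed: partition table only"
    return "ok: boot code unchanged"


def make_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed 512-byte MBR for the demo."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba, count)
    struct.pack_into("<H", sector, BOOT_SIG_OFF, 0xAA55)
    return bytes(sector)


# Constructed samples: a clean MBR and the same disk with its boot code replaced.
CLEAN_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435, [(True, 0x07, 2048, 204800)])
TAMPERED_MBR = make_mbr(b"\xeb\xfe" + b"\xcc" * 438, [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("baseline:", boot_code_digest(CLEAN_MBR))
    print(check_mbr(CLEAN_MBR, TAMPERED_MBR))
```

On a live system the baseline is taken from the first 512 bytes of the boot disk while it is known-good, and the check is run from trusted media rather than from the possibly compromised OS.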
Funny thing is, if you do a favor for someone you don't even get thanked, but screw it up even a bit and you get slapped with a lawsuit.
Even if you don't screw up, the recipients of your favours will probably be outraged if they find out. If they've got a bot-ridden unpatched box connected to the net, they're quite likely to be assholes in other ways also.
To fight an asshole, you must be an asshole. The researchers should first provision a "legal fund" by milking the financial data they apparently recovered. Then launch lawsuits against the dummies whose PCs were participating in the botnet as accomplices to said financial crime (e.g. accuse them of attempting to defraud their financial institutions, etc.). Is there such a thing as a reverse-class-action lawsuit, where you can sue a whole class of assholes all at once?
Assholes should not be connected to the internet. Especially if they're exposing goatse-sized vulnerabilities.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
random speculation
So if you take the paradigms of open source and apply the benefits of free and open criticism of a project then the ultimate change of this paper should be a better Torpig. As such, I wonder how long it will be before some of the methods mentioned in the paper that made Torpig vulnerable to takeover will quietly disappear...
Torpig will doubtless allow updates to itself - allowing for current C&C commands to take varied action for example. Updating the infected machines with code that is less resistant to domain flux and hence preventing the injection of other C&C servers may be something achievable. After the publishing of a paper like this I'd be unsurprised if the code was not already undergoing update and that some of the methods in the paper weren't already out of date.
Then again, I do wonder if publishing this at this time is due to the botnet already having moved on and therefore the techniques no longer being available. Publishing may otherwise be a little irresponsible if the agencies involved in the article are still using the techniques mentioned.
Then again, there are multiple other reasons for publishing this.
Until the OS is locked down, it will simply be replaced by a new bot. Computer owners MUST start taking responsibility for their choices. If somebody's CC and retirement account is chosen because they chose an insecure OS, then let them live with it.
I prefer the "u" in honour as it seems to be missing these days.
If the un-updated machines are cesspools and pose a threat to the internet, then should they not be blocked?
The browsers identify themselves to some extent. Shouldn't websites detect these browsers and refuse to do business with them?
Should firefox, itunes and such refuse to install on machines that are not updated?
How about the reverse? If you are stupid enough to be hosting a botnet node, you are likely too stupid to know when an anti-botnet attack will affect your machine, nor are you likely to be able to identify such behavior as the cause of any damage to your machine.
Nobody would ever find out. Places like the Geek Squad are populated with people who are instructed to turn stuff over for a profit rather than solve problems, so they won't look for evidence of the battle. They'll just reformat the machine and hand it back. Hackers like us on Slashdot are already probably secure against a lot of this crapware, so we'd never be "reverse-attacked."
And who's to say which piece of malware caused the damage: the original trojan, or the anti-trojan? Even if it were traced down to the anti-trojan, what evidence would you have that it was sent by the researchers, and not by some anti-botnet-vigilante group?
I bet these researchers could release an anti-trojan and get away with it completely. As long as they do it silently, the meddling kids never find out who did it.
Even better: an alliance of anti-botnet researchers! To enter, you have to swear an oath not to rat out the other guys' anti-botnet software. "We tried really really hard, but we couldn't figure out who sent it, sorry." No one would ever know.
John
to stealing 10k bank account numbers why aren't they in jail?
In all the articles and talk about trojans I never see any mention of the fact that 99.9% of infected, spam-producing and botted PCs are running some version of MS Windows. If every luser who ran BitTorrent and keygens on their Windows PCs switched to Ubuntu tomorrow, the botnet problem would disappear overnight. MS makes the barrier to entry for virus and trojan writers so low that a 12-year-old could have his own botnet with a couple of hours of internet time.
Yet I never see any talk of this.
Imagine a bank with the same security as MS Windows. A bank robber could walk right in to the safe wearing a mask of the bank manager's face, and the safe would open by pressing a button which said 'Do not press if ur a bankrobber'.
Yet I see no talk of holding MS accountable for the security of its shitty software. Maybe if they were made to pay the real cost of running Windows, the #1 AV maker would be MS.
This Sig does not Exist.
Raymansean fails to grasp the distinction between "responsibility" and "fault". The user has a responsibility to use his car in a manner that does not threaten people. He also has a responsibility to use his computer in a manner that poses no threat to his neighbors. Failure to operate his car in a safe manner gets a ticket, because he failed to meet his responsibilities. Failure to operate a computer in a safe manner should result in similar penalties, for the same reasons.
Stop whining, and making excuses. Failure to have all the required software at hand to do a SAFE installation of your operating system is a failure of responsibility, and your computer should be impounded, and you spend a night in jail for putting people around you at risk. Tell it to the judge, buddy, I don't want to hear it.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Something tells me that if I was to go and setup a domain to receive information stolen from home computers which I did not originally infect that it would still be a crime.
In my experience, Somethings are often unreliable. For example, Something once told me that ticking 1-2-3-4-5-6-7 on a lottery coupon would give me a massive payout. Something was unfortunately wrong, and I had a grand chat with Something afterwards, and told him that unless he got his facts straight I might even replace him with a different Something. The moral of the story is, don't trust Something with your life.
Just because the FBI is not going to go after them for it does not make it either legal
This is true. For example, just because the FBI does not go after people who buy milk does not make it legal to buy milk. It is on the contrary made legal on the virtue of not being illegal.
or moral.
As it happens, morality is an entirely different story. Are we talking Aristotelian ethics? In that case it is surely ethical, because doing what they did surely takes a lot of human ability. Are we talking the Categorical Imperative? Well, if everyone did what they did, the world would be better off rather than worse off, because no one was harmed and they highlighted an important problem.
Ask former Bush administration officials. Kidnap and torture suspected terrorists? Not our problem, they were captured in a failed state!
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
They do not remove the client from the infected machines because they are private. However, they didn't hesitate to crack individuals' passwords. They even went so far as brute-forcing over 40k of them? Are they trying to stop this problem or learn how to create a better botnet? Please don't bad-Karma me. If I post a response that's on topic in a thread like this, what do you want me to say... I love having my computer hijacked by feds and university students who crack my passwords for fun?
"I guess I'm gonna fade into Bolivian."
s/lude/lewd/g
Other than that, well done.
I prefer rogues to imbeciles because they sometimes take a rest.