Slashdot Mirror


Torpig Botnet Hijacked and Dissected

An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"

6 of 294 comments

  1. Re:uuh..yeah. by VValdo · · Score: 5, Informative

    Although we could have sent a blank configuration file to potentially remove the web sites currently targeted by Torpig, we did not do so to avoid unforeseen consequences (e.g., changing the behavior of the malware on critical computer systems, such as a server in a hospital). We also did not send a configuration file with a different HTML injection server IP address for the same reasons. To notify the affected institutions and victims, we stored all the data that was sent to us, in accordance with Principle 2, and worked with ISPs and law enforcement agencies, including the United States Department of Defense (DoD) and FBI Cybercrime units, to assist us with this effort. This cooperation also led to the suspension of the current Torpig domains owned by the cyber criminals.

    FTFA, they snaked a domain name they knew the botnet was going to use before the bad guys could, then just collected info sent to them by all the compromised systems.

    The submission header and the body are encrypted using the Torpig encryption algorithm (base64 and XOR)

    Torpig encryption algorithm: base64 and XOR. In contrast, Conficker uses all kinds of crypto (RC4, RSA, and MD-6).

    W

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.
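The "base64 and XOR" point in the comment above, as an added example that is not part of the original thread or of the UCSB paper: a generic repeating-key XOR wrapped in base64 (the key, its length and the message layout here are constructed assumptions, not Torpig's actual wire format or key schedule), together with the known-plaintext recovery an analyst uses to read such traffic from a capture when a few bytes of the header are predictable.

```python
import base64
from itertools import cycle

# Constructed illustration of "base64 over repeating-key XOR". The key, key
# length and message layout are assumptions for the example, not Torpig's
# real format (the paper only states that the scheme is base64 and XOR).

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same
    function both 'encrypts' and 'decrypts'."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext: bytes, key: bytes) -> str:
    """Bot side: XOR the submission, then base64 it for transport."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> bytes:
    """Server (or sinkhole) side: undo base64, then XOR with the same key."""
    return xor_bytes(base64.b64decode(blob), key)


def recover_key(blob: str, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery. If an analyst knows or can guess the first
    key_len bytes of the plaintext (a fixed header such as 'ts='), XORing
    them with the corresponding ciphertext bytes yields the key directly.
    This is why XOR with a repeating key offers no confidentiality."""
    ct = base64.b64decode(blob)
    if len(known_prefix) < key_len or len(ct) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ct[:key_len], known_prefix[:key_len]))


def demo() -> dict:
    """Round-trip a constructed submission, then recover the key from the
    header alone and decode the rest of the message without ever being
    given the key."""
    key = b"k3y!"  # constructed 4-byte key
    submission = b"ts=1234567890;bot=constructed-id;url=http://example.invalid/login"
    blob = obfuscate(submission, key)
    guessed_header = b"ts=1"  # analyst's guess at the first 4 plaintext bytes
    found_key = recover_key(blob, guessed_header, len(key))
    return {
        "blob": blob,
        "roundtrip_ok": deobfuscate(blob, key) == submission,
        "recovered_key": found_key,
        "decoded_with_recovered_key": deobfuscate(blob, found_key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The contrast the commenter draws with Conficker's RC4/RSA is exactly this: with a real cipher, a captured blob plus a guessed header gives you nothing, whereas here four bytes of predictable header hand over the whole key, and every subsequent message from every bot decodes with it.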
  2. Re:Hacking is hacking isn't it? by mkairys · · Score: 4, Informative

    The BBC got in trouble when they took control of a botnet for one of their technology shows: http://www.guardian.co.uk/technology/blog/2009/mar/12/bbc-botnet-legality-questioned. While this research was performed in the US, I think they must have broken a law somewhere. I don't see how grabbing personal info obtained illegally for the sake of research, even if they didn't infect the computers originally, makes it permissible under US law.

  3. Re:3 years? Pfffft. by Hurricane78 · · Score: 4, Informative

    Give him a CD with XP which includes SP3 and all patches up to now, and he should be good for some time.

    Give him Linux, and he will be good for a looong time.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  4. No mention of Windows as the target by david.emery · · Score: 4, Informative

    What bothered me after reading this paper is nowhere does this paper come out and say that the infected machines are all running Windows, although this is strongly implied by the description of how the virus works. The reader is left to wonder whether machines other than Microsoft Windows were infected.

    Instead, the paper leaves the impression that all computing has the same architectural vulnerabilities. I thought that was a surprising defect, sufficient to make me wonder what else isn't captured/stated/analyzed in the paper.

  5. Re:How do I make such a CD? by argiedot · · Score: 4, Informative

    If your recovery disks simply restore an image to the hard-drive, just install into a virtual machine, then download the redistributable version of Windows XP SP3, then make an image of that and restore at your leisure.

    In fact, try that even otherwise. Simply install to a Virtual Machine without internet access, then get the redistributable SP3 using your safe Linux distribution, then create a slipstreamed ISO inside your Virtual Machine and burn it in your Linux distribution if you can't have passthrough enabled in the virtual machine.

    Never tried this myself (I use a Linux distro), but can't see why it shouldn't work, and it should be safe.

  6. Re:How do I make such a CD? by Lumpy · · Score: 3, Informative

    $59.00 Linksys router.

    all done.

    --
    Do not look at laser with remaining good eye.