Torpig Botnet Hijacked and Dissected

An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"

Re:uuh..yeah.

[shentino]

Funny thing is, if you do a favor for someone you don't even get thanked, but screw it up even a bit and you get slapped with a lawsuit.

Re:uuh..yeah.

[LackThereof]

why dont they just send a self destruct/uninstall command and kill it or would that be too simple ?

Because that would be highly illegal. Just as illegal as creating the botnet in the first place. You can't just make modifications to 180,000 computers without their owners knowledge or consent.

Some governmental agency should man up and do it, though. Researchers have been hijacking botnets to study them for a while now, they almost have it down to a science. Someone in Homeland Security should just grow some balls and hire a team of professionals to hijack and destroy botnets.

Re:uuh..yeah.

[corsec67]

Some governmental agency should man up and do it, though. Researchers have been hijacking botnets to study them for a while now, they almost have it down to a science. Someone in Homeland Security should just grow some balls and hire a team of professionals to hijack and destroy botnets.

What is to keep that agency from just hijacking and *keeping* the botnet? Suddenly you have a government agency with a trojan installed on many computers.

Re:uuh..yeah.

[DragonDru]

I feel so conflicted. It is good they got enough information to tell law enforcement who the victims are, but I feel sad they did not do more to stop the botnet. However, there would be lawsuits if they had done more. Also, the bot masters now know exactly who was messing with their system (even their email addresses and their technique). Net effect, a botnet will go down slowly and some researches will get a *lot* of spam.

Re:uuh..yeah.

[Opportunist]

"If YOUR homeland security fiddles with MY government computer, get ready for international troubles."

Here's your reason why they don't.

3 years? Pfffft.

[Opportunist]

Take a machine. Install Windows XP SP1. Hook it to an unfiltered intenet access. Watch Sasser install. Mean time before infection: 30 seconds.

That nuisance is 5 years old and still running rampart. Now, far from being the threat that Torpig is, but it shows you just how hard it is to get rid of something. And unlike Torpig, it's not really "in use" anymore. Its maker is gone, it doesn't get any updates or new variants to faciliate infection. We're talking about the same old crapware that every single AV kit knows and removes by now. Worse, it's a threat that any halfway decently patched machine is not susceptible to.

And you want to get rid of Torpig?

Re:3 years? Pfffft.

[socsoc]

Let's say I reinstall XP SP1 and somehow MS manages to have included a nic driver for my card. I then need that Internet access to download AV from my uni, patches from MS, etc. How do you expect a consumer to have a machine fully patched prior to the initial network connection?

Re:3 years? Pfffft.

[Wingman+5]

Any form of firewall, even a basic NAT from a home router would be sufficient to protect you until you are up to date on patches

Re:3 years? Pfffft.

[socsoc]

Yes, consumers with their Dell OEM CD from seven years ago have easy access to slipstreamed SP3 CDs and know how to use Linux.

He'll be good until iTunes or some niche piece of software doesn't install and then he'll just be pissed at you.

We know better and we try to educate Joe Consumer, but Joe Consumer doesn't have our skills or knowledge, which was the point of my original post. The consumer is not to blame.

Re:3 years? Pfffft.

[value_added]

We know better and we try to educate Joe Consumer, but Joe Consumer doesn't have our skills or knowledge, which was the point of my original post. The consumer is not to blame.

Sorry, but the consumer is to blame. They may not, at the present time, have any legal obligations, and may not suffer any direct liabilities while remaining blissfully oblivious of the consequences of their actions or inactions, but we're free and justified for assessing the blame on them as we are on the malware authors as both share responsibility for their actions or omissions. To use a cliche, it always takes two to tango.

I don't care whether you're talking about a guy handing over money to an unscrupulous investor (or worse, trying to invest it themselves), someone doing home wiring without understanding electricity or codes, someone driving a car who ignores the relationship between speed and stopping distances, or someone who bought a product that doesn't do work as well as it was advertised, the blame rests ultimately with the individual who fucked up. That should come as no surprise given that individuals who do fuck rarely need encouragement or a convincing argument to admit they fucked up.

The standard here is one of reasonableness.

Is it reasonable to assume that computers are complex beasts and that malware is problem? Yes. The former is self evident and the latter is a also truism that can be cited by most Windows users or gleaned from the local news by everyone else. Then WTF is Joe Average doing trying to install an operating system? Or manage it? He has lots of alternatives including hiring the kid down the block or taking it the local shop.

Is it reasonable to assume that Macs are also complicated but Mac users can do without requisite knowledge or skill? Yes. The reasons for that are as numerous as why Windows users continue to suffer problems.

You can go on about complexity and missing skillsets, but none of those justify anything. If you're trying to comfort those who fucked up, you're doing them a disservice. If you're conceding that the battle is lost and ha ha this is the way things are and always will be, then you're being irresponsible and contributing nothing to the discussion or solution.

Personally, I'd go so far as to say that anyone who trots out the "poor user" argument (usually in combination with the "Everyone is using Windows so everyone is doing it, too!" argument) is they participate in extending the current state of affairs and are therefore part of the problem.

Why pay lip service to user education advocacy when responsibility and blame are pre-requisites? Start blaming. Blame everyone involved, but don't skip the person ultimately responsible. We'll all be better off for it.

Re:3 years? Pfffft.

[Zumbs]

You're right, relying on the user for basic security is a pretty stupid security strategy in todays world, where many computer users are functionally illiterate. When it comes to setting up a new computer, I usually download an up-to-date firewall and anti-virus program before reinstalling Windows, and install these programs before connecting to MS Update. If Joe is able to install an OS on his own, Joe should be able to figure out how to install a firewall and anti-virus programs.

Re:3 years? Pfffft.

[Opportunist]

I have used many selfmade CDs of XP, all of them legitimate.

Say about MS what you want, but they got one thing straight that many other manufacturers of software seem to forget all to easily: Whether it's legal depends on your license. Not your medium.

So they committed a felony?

[phantomcircuit]

Let me get this straight. They took over a botnet, which consists of computers they are unauthorized to access. Not only did they commit a felony but then they wrote a paper about it?

The reason that nobody else has done this before is not because they are incapable of doing it. The reason nobody has done this before is because it is illegal

Re:So they committed a felony?

[SydShamino]

No, they purchased a domain name, set up servers to accept data sent to that domain, then collected that data. That their research had told them that the domain would be used by the botnet is incidental. If you mail your credit-card information to my domain, I haven't committed any crime if I accept it and turn it over to the authorities.

Re:So they committed a felony?

[QuantumG]

Umm.. no, they deliberately sent a message that said "send me the confidential information you have collected". There isn't a court in the land that wouldn't convict these bozos. All they have to rely on is that the majority of people infected with this ancient malware are not going to go after them, cause they're too stupid to know they are infected.

Re:So they committed a felony?

[phantomcircuit]

For that to be even remotely true I would have to be able to do exactly the same thing.

Something tells me that if I was to go and setup a domain to receive information stolen from home computers which I did not originally infect that it would still be a crime.

Just because the FBI is not going to go after them for it does not make it either legal or moral.

Re:So they committed a felony?

[QuantumG]

That is probably true, if you live in the land of the anally retentives, who are incapable of understanding the spirit of the law, as opposed to the letter of the law.

Like, say, the USA?

Re:WTF?

[QuantumG]

Getting altruism out of people is hard enough at the best of times. Asking for altruism when the likely reward is getting arrested.. no.

How do I make such a CD?

[jonaskoelker]

Give him a CD with XP which includes SP3

I'm curious: how would I go about producing such a CD, without any of my boxes getting "sassered"?

I have: a Linux box. An OS-less laptop. Some XP recovery disks.

Re:Suggested punishment

[Kaboom13]

It's already illegal. We don't need to run around making new laws. The problem is law enforcement world wide does not care. Even if the perpetrators of a major botnet are in their grasp, they will do their best to ignore it. If it happens on the internet, that means it's an international problem. Which means it's not their problem. They are too busy busting 19 year olds trying to sleep with 17 year olds, and "drug busts" of people licensed and permitted by their state government to grow marijuana, and harassing random people with the same name as a suspected "terrorist". Has anyone seen the FBI actually even investigate an identity theft case? We aren't talking criminal masterminds here, most of them could be tracked down with minimal effort.

The only solution to crap like this will have to be technical. I suspect for the internet to survive, enforcement will have to come at the ISP level. Automated detection of botnets and ddos attacks in progress is possible. What should happen is when it's detected you are infected, your upload is heavily throttled, and you are contacted to correct it. Failure to do so results in suspension of service. ISPs that don't implement it should face having all their packets dropped by everyone else. It won't stop the latest and greatest, but years old botnets could easily be stopped. The potential for false positives will suck, as will the temptation for ISP's to abuse it, but currently theres several botnets out there that could easily take down critical infrastructure if they decide to ddos it.

Re:uuh..yeah.

[Swift2001]

We need the full weight of the law to come down on these creeps. How is this any better than a pickpocket, or a den of thieves? Answer, not at all. I understand that we like the freedom of the internet. But making a bot of somebody's computer is akin to rape. Stealing 10,000 credit cards warrants a life sentence, and governments must fund efforts to detect and arrest the people responsible. Plus, our banks and stores and so on must get smarter security.

Re:Snail Mail Analogy

[nacturation]

Another analogy is that it's like buying a house at the address 1234 Main Street, Anywhere, USA knowing that other people would try to deliver packages to your address with a "Dear Occupant" label. It's not illegal to open those at all.

Re:uuh..yeah.

[davester666]

But who do they know to sue?

If you're smart enough to hack into this botnet and make it do your bidding, your smart enough to not have commands sent to it traced back to you.

Re:uuh..yeah.

[Tenebrousedge]

Wow. The sentiment is unarguable, but the rest of your post is amazingly uninformed.

What is a den of thieves? Do thieves nest in the rafters of seedy pubs or something? Did anyone imply that credit card theft was "better" than some other kind of theft?

I understand that we like the freedom of the internet. But making a bot of somebody's computer is akin to rape.

Non sequitur. Also, the analogy is not appropriate: there is no physical harm being done.

...governments must fund efforts to detect and arrest the people responsible.

They do. Perhaps you can improve on that suggestion with some further content.

Plus, our banks and stores and so on must get smarter security.

Smarter than what? As long as they have massive amounts of valuable information, they are targets. However, that's not really the subject of TFA, which is the low-hanging fruit consisting of people using insecure browsers and operating systems. The people running Torpig didn't need to hack a bank, they just relied on people being idiots. Vista and Win7 may be steps towards a more secure desktop environment, but they're not a cure for the root issue: PEBKAC.

PEBKAC being ubiquitous, we should not expect a solution to the botnet issue any time soon. Just try and think of it as another idiot tax.

Re:Hacking is hacking isn't it?

[Insanity+Defense]

It IS a crime. If they had control access to the botnet, then for the duration of time that they had control, they were responsible for what the botnet did during that time. Think of it as timeshare cracking.

Perhaps not. If I understand it correctly they acquired the domain (legally) and their only "control" act was to send the proper response when queried to find if they were the "masters". They then accepted the stolen data (that might well be a crime in itself though). Beyond saying "We are the correct site to send to" they don't seem to have sent any commands. Other than being in receipt of stolen data I don't think they could really be said to have any criminal acts here.

Watching Sausage being made...

[xmundt]

Greetings and Salutations...
          I have to say that the level of misunderstanding exhibited by MOST of the folks posting to this thread boggles the mind. Considering the alleged level of IT sophistication of the readers of /., it is even more amazing.
          I read the researcher's report, and, I have to say that I found it a well-reasoned and interesting analysis of a terrible problem on the Internet. However, without following their methodology, I do not believe they could have been able to do any where close to this level of analysis. These researchers not only produced a fairly scholarly analysis of a nasty and persistent problem, but, apparently went out of their way to work with the governmental authorities charged with controlling these sorts of crimes. So...why all the calls for them to be drawn and quartered in the public square? Have none of you ever heard of the concept of studying your enemy on a deep level, so to find its weaknesses, and make it easier to destroy? And as a part of that how do you propose to GATHER that information, short of following procedures that these researchers used?
          There are only a few, small quibbles I have with the paper. While they do say that they took a number of steps to secure the private information that they gathered while researching this virus, I would feel much better about reality if there was some assurance that this data set had been destroyed at the end of the study. I realise that arguments can be made that information, once gathered, tends to exist forever (after all, can we be sure that no copies were made?). However, with sufficient audit trails of what happened to the data, and who accessed it, this is a minimal problem. Of course, if the folks whose data had been intercepted were, indeed, contacted and made aware of the breach of their privacy, the usefulness of this data would erode away quickly, as CC numbers/banking information/passwords/etc were changed.
          Also, it was unclear to me exactly how they attempted to contact the people whose information had been compromised. Mainly this is curiosity on my part, because most of the methods that spring to mind (Email, IM, etc), are exactly the sorts of communications that I tend to filter out and delete with out any further attention. I suppose that a phone call from a complete stranger would certainly be a wake-up call, though.
          As for their activities being "illegal", while perhaps technically true, It is more a problem with the way the laws are written, rather than with their activities. Most folks do not understand that applying the law to a bad situation is akin to using a 20 lb sledgehammer to swat a mosquito. it is not a precision instrument. That is one of the many reasons that the justice system in America has avenues for appealing a case through several levels of juries and judges. The hope is that with enough people looking at it, a sane interpretation of the law will take root. Most of the current laws dealing with computer access and IT these days DO make security research difficult and problimatical, as their wording exposes even legitimate researchers to criminal charges. That is a legislative problem, though, and, not a sign that serious researchers who are trying to understand a complex and interesting problem on the net are "Doing Evil".

          In short...if you like eating sausage, you should NEVER watch it being made.
          Dave Mundt
 

Interesting article

[golodh]

First I'd like to express my admiration and gratitude for the researchers who pulled this one off, and the poster. This is truly illuminating stuff which (to my knowledge) provides the first solid and high-quality information on botnets in the public domain.

It's quite probable that this information (and particularly the techniques used to hijack the botnets) are also new and valuable to law-enforcement agencies. Such agencies tend to be desperately short of intelligence (both kinds), under-equipped to do research, and usually operate in a purely reactive way ("show us the bodies and we'll investigate").

And yes, I think that the researchers did fine by hijacking a botnet in the first place and secondly by not destroying it but instead contacting law-enforcement agencies. Researchers are neither law enforcement officers nor sysadmins for the infected systems. They have their own work to do (which law-enforcement agencies could not or would not do, or the Torpig botnet would have been cleaned up long ago).

It is interesting to note that *all* of the infected machines seem to be MS Windows based. Even though many of the targeted clients (Firefox, Skype) also run on Linux machines. If I had to guess I'd say that under Linux the need to have root access to either modify the MBR or to write downloaded malware code to the targeted executables on disk provides an effective barrier to infection (provided you don't surf the net with root privileges of course).

Unfortunately the publication of this sort of research may lead botnet administrators and designers to address the authentification weakness the researchers exploited. Ah well, such is life.

Re:uuh..yeah.

[WhatAmIDoingHere]

They do. Perhaps you can improve on that suggestion with some further content.

Problem is that a lot of countries DON'T care about these kinds of crimes. Laws tend to have a hard time keeping up with technology.

Re:uuh..yeah.

[mh1997]

I go as far as telling you that also the victims should be punished for leaving their machines wildly exposed to the botnet. Guess all of them they were running un-updated OS, without antivirus and/or firewall. Since it's obvious that these bots are used also in criminal attacks against other people (DDOS - Spamming - further botnet spreading) I don't see them as victims but more like accomplices.

If you are not willing to learn how to safely use a computer you shouldn't have one, just stick to a iPhone or other toys (Internet tablets).

Let's not limit this to computers. If someone breaks into your house or steals your car, cell phone, credit card, etc. then you should be responsible for all crimes committed by the thief. You are not just a victim, you are an accomplice. If you cannot reasonably protect yourself from physical theft by learning martial arts and proper use of firearms/weapons, you should just stick to...computers?

Computers and the internet are sold as toys and a convenient way to handle business transactions for the common person. The common person has a reasonable expectation that upon opening the box, his computer and his personal data will be reasonably secure. If the OEMs can't provide that level of security, or that level of security can only be achieved by a certain amount of training, then they should put a giant disclaimer on the splash screen stating that any and all data put on that computer will likely be stolen and that the computer will probably be taken over by theives for crimminal activities.

Re:uuh..yeah.

[Bogtha]

Let's not limit this to computers. If someone breaks into your house or steals your car, cell phone, credit card, etc. then you should be responsible for all crimes committed by the thief. You are not just a victim, you are an accomplice. If you cannot reasonably protect yourself from physical theft by learning martial arts and proper use of firearms/weapons, you should just stick to...computers?

You've latched onto the wrong thing here. The key is not that you should be responsible to avoid becoming a victim, the key is that you should be responsible for the equipment you are operating causing harm to others. The analogous situation would be driving an unmaintained car. For instance, here in the UK, cars must undergo an MOT every year to determine that they are safe for the road. If a car owner skips their MOT and is involved in an accident, they are in big trouble. In addition, before driving that car, the person must show themselves to be capable of operating it with a degree of skill that is reasonable to avoid harm to others. To turn this back around, the analogous situation with computers would be a course before people are allowed onto the Internet to teach people not to run random executables etc., and a requirement to install all available security patches as part of their ongoing maintenance.

Re:Hacking is hacking isn't it?

[David+Chappell]

It IS a crime. If they had control access to the botnet, then for the duration of time that they had control, they were responsible for what the botnet did during that time. Think of it as timeshare cracking.

I think you are confusing two similiar ideas. The ability to control and responsibility are two different things.

It would only be a crime if they did control it and command it to commit a crime. It is not a crime to be able to commit a crime.

Here is an illustration. Imagine that a criminal organization mistakenly gives its operatives your phone number and tell them to call it once a week, report their progress, and ask for new orders. You start receiving calls that go something like this:

Caller: I am John Smith. I stole 10 televisions. I have stashed them at 123 Main Street, Anytown. Do you have new orders for me? (You write this down and pass it on to the police.)

You: No, no new orders. Goodbye.

The case here is a little different, but not much. It is as if the researchers noticed that the criminals had been told to start using a new telephone number next month and managed to get it assigned to themselves because they were currious about what the criminals were up to.

Re:uuh..yeah.

[Zero__Kelvin]

"The analogous situation would be driving an unmaintained car."

Not quite. The analogy is that you drive an unmaintained car, after being sold that car with assurance that it requires zero maintenance and "just works", when the car manufacturer knows damn well that it will never work properly and is almost certain to get broken into and driven by others at will from time to time. Good try though.

Re:Hacking is hacking isn't it?

[Zero__Kelvin]

"Usage changes over time"

This is true, but falsely assumes that incorrect use becomes correct over time. It doesn't matter how many rappers use the word "minute" to mean a long time, it is 60 seconds long and they are not using the word correctly. 90% of the population misusing a word doesn't make the use correct automagically. There is a reason why "aint" aint a word ;-)

Re:uuh..yeah.

[X0563511]

I understand that we like the freedom of the internet. But making a bot of somebody's computer is akin to rape.

Non sequitur. Also, the analogy is not appropriate: there is no physical harm being done.

You could argue that no physical harm is being done in either case*. Most (if not all) harm is psychological. Assuming another crime is not commited at the same time (assault the victim is not rape. They just happened at the same time).

* STDs make this a bit more confusing. Until STD infection is a crime in and of itself, it will continue to complicate it.

Re:uuh..yeah.

[Anenome]

This is where we need hackers with a 'license to kill... botnets'. Something like 007 for the digital age. The idea that killing a botnet can get you convicted of something is so ludicrous. The damage imposed by killing a botnet is miniscule compared to leaving the botnet open to prey on wider society. Where's the white hackers with a set of balls on 'em? Excuses, excuses, let's see action.

Re:uuh..yeah.

[lennier]

"DoD doesn't need a botnet of worm-riddled, broadband connected civilian computers."

They also don't need to smuggle drugs and arms to insurgents, pay dodgy informers to tell them lies, and invade countries on false pretences... yet they do.