Slashdot Mirror


Torpig Botnet Hijacked and Dissected

An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"

18 of 294 comments

  1. Re:uuh..yeah. by shentino · · Score: 5, Insightful

    Funny thing is, if you do a favor for someone you don't even get thanked, but screw it up even a bit and you get slapped with a lawsuit.

  2. Re:uuh..yeah. by LackThereof · · Score: 4, Insightful

    Why don't they just send a self destruct/uninstall command and kill it, or would that be too simple?

    Because that would be highly illegal. Just as illegal as creating the botnet in the first place. You can't just make modifications to 180,000 computers without their owners' knowledge or consent.

    Some governmental agency should man up and do it, though. Researchers have been hijacking botnets to study them for a while now, they almost have it down to a science. Someone in Homeland Security should just grow some balls and hire a team of professionals to hijack and destroy botnets.

    --
    Legalize recreational marijuana. Seriously.
  3. Re:uuh..yeah. by corsec67 · · Score: 4, Insightful

    Some governmental agency should man up and do it, though. Researchers have been hijacking botnets to study them for a while now, they almost have it down to a science. Someone in Homeland Security should just grow some balls and hire a team of professionals to hijack and destroy botnets.

    What is to keep that agency from just hijacking and *keeping* the botnet? Suddenly you have a government agency with a trojan installed on many computers.

    --
    If I have nothing to hide, don't search me
  4. Re:uuh..yeah. by DragonDru · · Score: 5, Insightful

    I feel so conflicted. It is good they got enough information to tell law enforcement who the victims are, but I feel sad they did not do more to stop the botnet. However, there would be lawsuits if they had done more. Also, the bot masters now know exactly who was messing with their system (even their email addresses and their technique). Net effect, a botnet will go down slowly and some researchers will get a *lot* of spam.

    --
    20 characters max for the password? How will I use my favorite poems as passwords?
  5. Re:uuh..yeah. by Opportunist · · Score: 5, Insightful

    "If YOUR homeland security fiddles with MY government computer, get ready for international troubles."

    Here's your reason why they don't.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. 3 years? Pfffft. by Opportunist · · Score: 4, Insightful

    Take a machine. Install Windows XP SP1. Hook it to an unfiltered internet access. Watch Sasser install. Mean time before infection: 30 seconds.

    That nuisance is 5 years old and still running rampant. Now, far from being the threat that Torpig is, but it shows you just how hard it is to get rid of something. And unlike Torpig, it's not really "in use" anymore. Its maker is gone, it doesn't get any updates or new variants to facilitate infection. We're talking about the same old crapware that every single AV kit knows and removes by now. Worse, it's a threat that any halfway decently patched machine is not susceptible to.

    And you want to get rid of Torpig?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:3 years? Pfffft. by socsoc · · Score: 4, Insightful

      Let's say I reinstall XP SP1 and somehow MS manages to have included a nic driver for my card. I then need that Internet access to download AV from my uni, patches from MS, etc. How do you expect a consumer to have a machine fully patched prior to the initial network connection?

    2. Re:3 years? Pfffft. by socsoc · · Score: 4, Insightful

      Yes, consumers with their Dell OEM CD from seven years ago have easy access to slipstreamed SP3 CDs and know how to use Linux.

      He'll be good until iTunes or some niche piece of software doesn't install and then he'll just be pissed at you.

      We know better and we try to educate Joe Consumer, but Joe Consumer doesn't have our skills or knowledge, which was the point of my original post. The consumer is not to blame.

    3. Re:3 years? Pfffft. by value_added · · Score: 4, Insightful

      We know better and we try to educate Joe Consumer, but Joe Consumer doesn't have our skills or knowledge, which was the point of my original post. The consumer is not to blame.

      Sorry, but the consumer is to blame. They may not, at the present time, have any legal obligations, and may not suffer any direct liabilities while remaining blissfully oblivious of the consequences of their actions or inactions, but we're free and justified for assessing the blame on them as we are on the malware authors as both share responsibility for their actions or omissions. To use a cliche, it always takes two to tango.

      I don't care whether you're talking about a guy handing over money to an unscrupulous investor (or worse, trying to invest it themselves), someone doing home wiring without understanding electricity or codes, someone driving a car who ignores the relationship between speed and stopping distances, or someone who bought a product that doesn't work as well as it was advertised, the blame rests ultimately with the individual who fucked up. That should come as no surprise given that individuals who do fuck up rarely need encouragement or a convincing argument to admit they fucked up.

      The standard here is one of reasonableness.

      Is it reasonable to assume that computers are complex beasts and that malware is a problem? Yes. The former is self evident and the latter is also a truism that can be cited by most Windows users or gleaned from the local news by everyone else. Then WTF is Joe Average doing trying to install an operating system? Or manage it? He has lots of alternatives including hiring the kid down the block or taking it to the local shop.

      Is it reasonable to assume that Macs are also complicated but Mac users can do without requisite knowledge or skill? Yes. The reasons for that are as numerous as why Windows users continue to suffer problems.

      You can go on about complexity and missing skillsets, but none of those justify anything. If you're trying to comfort those who fucked up, you're doing them a disservice. If you're conceding that the battle is lost and ha ha this is the way things are and always will be, then you're being irresponsible and contributing nothing to the discussion or solution.

      Personally, I'd go so far as to say that anyone who trots out the "poor user" argument (usually in combination with the "Everyone is using Windows so everyone is doing it, too!" argument) is participating in extending the current state of affairs and is therefore part of the problem.

      Why pay lip service to user education advocacy when responsibility and blame are pre-requisites? Start blaming. Blame everyone involved, but don't skip the person ultimately responsible. We'll all be better off for it.

  7. Re:So they committed a felony? by SydShamino · · Score: 5, Insightful

    No, they purchased a domain name, set up servers to accept data sent to that domain, then collected that data. That their research had told them that the domain would be used by the botnet is incidental. If you mail your credit-card information to my domain, I haven't committed any crime if I accept it and turn it over to the authorities.

    --
    It doesn't hurt to be nice.
  8. Re:WTF? by QuantumG · · Score: 4, Insightful

    Getting altruism out of people is hard enough at the best of times. Asking for altruism when the likely reward is getting arrested.. no.

    --
    How we know is more important than what we know.
  9. How do I make such a CD? by jonaskoelker · · Score: 3, Insightful

    Give him a CD with XP which includes SP3

    I'm curious: how would I go about producing such a CD, without any of my boxes getting "sassered"?

    I have: a Linux box. An OS-less laptop. Some XP recovery disks.

  10. Re:Suggested punishment by Kaboom13 · · Score: 5, Insightful

    It's already illegal. We don't need to run around making new laws. The problem is law enforcement world wide does not care. Even if the perpetrators of a major botnet are in their grasp, they will do their best to ignore it. If it happens on the internet, that means it's an international problem. Which means it's not their problem. They are too busy busting 19 year olds trying to sleep with 17 year olds, and "drug busts" of people licensed and permitted by their state government to grow marijuana, and harassing random people with the same name as a suspected "terrorist". Has anyone seen the FBI actually even investigate an identity theft case? We aren't talking criminal masterminds here, most of them could be tracked down with minimal effort.

    The only solution to crap like this will have to be technical. I suspect for the internet to survive, enforcement will have to come at the ISP level. Automated detection of botnets and ddos attacks in progress is possible. What should happen is when it's detected you are infected, your upload is heavily throttled, and you are contacted to correct it. Failure to do so results in suspension of service. ISPs that don't implement it should face having all their packets dropped by everyone else. It won't stop the latest and greatest, but years old botnets could easily be stopped. The potential for false positives will suck, as will the temptation for ISPs to abuse it, but currently there's several botnets out there that could easily take down critical infrastructure if they decide to ddos it.

  11. Re:Snail Mail Analogy by nacturation · · Score: 3, Insightful

    Another analogy is that it's like buying a house at the address 1234 Main Street, Anywhere, USA knowing that other people would try to deliver packages to your address with a "Dear Occupant" label. It's not illegal to open those at all.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  12. Re:uuh..yeah. by Tenebrousedge · · Score: 4, Insightful

    Wow. The sentiment is unarguable, but the rest of your post is amazingly uninformed.

    What is a den of thieves? Do thieves nest in the rafters of seedy pubs or something? Did anyone imply that credit card theft was "better" than some other kind of theft?

    I understand that we like the freedom of the internet. But making a bot of somebody's computer is akin to rape.

    Non sequitur. Also, the analogy is not appropriate: there is no physical harm being done.

    ...governments must fund efforts to detect and arrest the people responsible.

    They do. Perhaps you can improve on that suggestion with some further content.

    Plus, our banks and stores and so on must get smarter security.

    Smarter than what? As long as they have massive amounts of valuable information, they are targets. However, that's not really the subject of TFA, which is the low-hanging fruit consisting of people using insecure browsers and operating systems. The people running Torpig didn't need to hack a bank, they just relied on people being idiots. Vista and Win7 may be steps towards a more secure desktop environment, but they're not a cure for the root issue: PEBKAC.

    PEBKAC being ubiquitous, we should not expect a solution to the botnet issue any time soon. Just try and think of it as another idiot tax.

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
  13. Re:uuh..yeah. by WhatAmIDoingHere · · Score: 5, Insightful

    They do. Perhaps you can improve on that suggestion with some further content.

    Problem is that a lot of countries DON'T care about these kinds of crimes. Laws tend to have a hard time keeping up with technology.

    --
    Not a Twitter sockpuppet... but I wish I was.
  14. Re:uuh..yeah. by mh1997 · · Score: 5, Insightful

    I go as far as telling you that also the victims should be punished for leaving their machines wildly exposed to the botnet. Guess all of them were running un-updated OS, without antivirus and/or firewall. Since it's obvious that these bots are used also in criminal attacks against other people (DDOS - Spamming - further botnet spreading) I don't see them as victims but more like accomplices.

    If you are not willing to learn how to safely use a computer you shouldn't have one, just stick to an iPhone or other toys (Internet tablets).

    Let's not limit this to computers. If someone breaks into your house or steals your car, cell phone, credit card, etc. then you should be responsible for all crimes committed by the thief. You are not just a victim, you are an accomplice. If you cannot reasonably protect yourself from physical theft by learning martial arts and proper use of firearms/weapons, you should just stick to...computers?

    Computers and the internet are sold as toys and a convenient way to handle business transactions for the common person. The common person has a reasonable expectation that upon opening the box, his computer and his personal data will be reasonably secure. If the OEMs can't provide that level of security, or that level of security can only be achieved by a certain amount of training, then they should put a giant disclaimer on the splash screen stating that any and all data put on that computer will likely be stolen and that the computer will probably be taken over by thieves for criminal activities.

  15. Re:uuh..yeah. by Bogtha · · Score: 4, Insightful

    Let's not limit this to computers. If someone breaks into your house or steals your car, cell phone, credit card, etc. then you should be responsible for all crimes committed by the thief. You are not just a victim, you are an accomplice. If you cannot reasonably protect yourself from physical theft by learning martial arts and proper use of firearms/weapons, you should just stick to...computers?

    You've latched onto the wrong thing here. The key is not that you should be responsible to avoid becoming a victim, the key is that you should be responsible for the equipment you are operating causing harm to others. The analogous situation would be driving an unmaintained car. For instance, here in the UK, cars must undergo an MOT every year to determine that they are safe for the road. If a car owner skips their MOT and is involved in an accident, they are in big trouble. In addition, before driving that car, the person must show themselves to be capable of operating it with a degree of skill that is reasonable to avoid harm to others. To turn this back around, the analogous situation with computers would be a course before people are allowed onto the Internet to teach people not to run random executables etc., and a requirement to install all available security patches as part of their ongoing maintenance.

    --
    Bogtha Bogtha Bogtha