Slashdot Mirror

← Back to Stories (view on slashdot.org)

Torpig Botnet Hijacked and Dissected

Posted by timothy on from the why-would-you-want-to-get-rid-of-it dept.

An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"

20 of 294 comments (clear)

  1. uuh..yeah. by Anonymous Coward · · Score: 5, Interesting

    why dont they just send a self destruct/uninstall command and kill it or would that be too simple ?

    1. Re:uuh..yeah. by Fwipp · · Score: 3, Interesting

      Obligatory car analogy: If you owned a rental car company, would you outfit your fleet with a self-destruct procedure that could be initiated remotely?

    2. Re:uuh..yeah. by navyjeff · · Score: 2, Interesting

      If you were watching a group that stole a fleet of cars, then figured out how to make keys for a bunch of their cars, would you pour sugar in the gas tanks after you were done joyriding to make sure they wouldn't be drivable again?

    3. Re:uuh..yeah. by RiotingPacifist · · Score: 3, Interesting

      Fine, use geo-IP to only uninfect computers that are in countries that:
      1) Aren't sue friendly (e.g not the US)
      2) Don't have any jurisdiction in your country (e.g not the US)

      --
      IranAir Flight 655 never forget!
    4. Re:uuh..yeah. by RiotingPacifist · · Score: 2, Interesting

      "If YOUR homeland security fiddles with MY government computer, get ready for international troubles."

      Link the IP to a location, then only fix bots in computers that are in your country, this has the additional advantage that you become more secure while your enemies get weaker. Alternatively, and i know that the American's about may find this crazy, you could ask permission of other countries to take out their bots too (as it benefits you that the bot net is dead). Ideally you could come to an agreement that protects you from prosecution of the laws you break, probably in exchange for the logs or some other evidence your not abusing the privilege. Hell the agreement could well be between a private (research) company and various countries police departments, avoiding the need for much of the bureaucratic bullshit you get when governments sort stuff out.

      --
      IranAir Flight 655 never forget!
    5. Re:uuh..yeah. by phantomcircuit · · Score: 4, Interesting

      Actually base64 and XOR is the obfuscation algorithm used for the configuration file. There is a separate encryption algorithm present that is entirely custom and which nobody has yet to break (although im guessing nobody has done a serious cryptanalysis either).

    6. Re:uuh..yeah. by Insanity+Defense · · Score: 2, Interesting

      "If YOUR homeland security fiddles with MY government computer, get ready for international troubles."

      I would assume that the computer hacking side of government security does have their own form of black ops? A building/fake business with an internet connection under a false name. Of course any such "fiddling" would not remove the black op connection to your government system but merely the botnet that would be likely to be found eventually.

    7. Re:uuh..yeah. by eiapoce · · Score: 1, Interesting

      I go as far as telling you that also the victims should be punished for leaving their machines wildly exposed to the botnet. Guess all of them they were running un-updated OS, without antivirus and/or firewall. Since it's obvious that these bots are used also in criminal attacks against other people (DDOS - Spamming - further botnet spreading) I don't see them as victims but more like accomplices.

      If you are not willing to learn how to safely use a computer you shouldn't have one, just stick to a iPhone or other toys (Internet tablets).

    8. Re:uuh..yeah. by asdf7890 · · Score: 3, Interesting

      Many would ignore such a message thinking it is yet another advertising scam. Those that would blindly follow the instructions are the ones who have so much crap on the machine from blindly following messages like this ("you may be infected, install SpamKillaBot now!!!!") in the first place that removing just one worm from their machine.

      The only way to make most listen and do something about their PC security is to actually break something, and that definitely would be a moral no-no. Even then, some would just revert their machine back to the rescue image, not bother with the WindowsUpdates just yet because it is going to take ages and all they want to do right now is quickyl check email, and it starts all over again.

    9. Re:uuh..yeah. by RiotingPacifist · · Score: 3, Interesting

      The injection normally happens on bank websites, I'd hope few would ignore a big scary message they saw when entering their bank details! Or they could inject it into ALL websites (the injection happens based on a whitelist of URLS) If they user got the warning at the top of EVERY page they viewed (Across all browsers), they'd soon get fed up and do something about it!

      --
      IranAir Flight 655 never forget!
    10. Re:uuh..yeah. by Zero__Kelvin · · Score: 2, Interesting

      "What occurred to me is that if there were an interest larger than government that could get Microsoft to change its ways and fix its stuff, it would be "big money." I wonder if big money has even considered this?"

      Yes, they have. It is called a security landscape. Banks calculate that it is cheaper to allow the fraud and compensate than implement security measures that would stop the problem. You can read more about this if you want to know.

      Disclaimer: I am not Bruce Schneier, nor do I play him on Slashdot.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. Suggested punishment by rossz · · Score: 4, Interesting

    How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jail. For 180k systems, that's an eighteen million dollar fine and nearly five hundred years of jail time.

    Of course, the problem is catching these bastards who tend to live in countries where the government doesn't care or is actively involved in these illegal activities (I'm looking at you Russia).

    --
    -- Will program for bandwidth
    1. Re:Suggested punishment by calmofthestorm · · Score: 2, Interesting

      Do that and I might start writing viri

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  3. Re:Hacking is hacking isn't it? by InfiniteLoopCounter · · Score: 3, Interesting

    Probably, but some well placed vigilante hacking could help the world. I mean if they have control how hard would it be to let that person know that they have a trojan. And to give directions on how to remove it

    Unfortunately, that process would soon be usurped. There already is a class of malware called "rouge anti-virus" that gives false removal instructions, resulting in infection.

    Better would be to plug the holes, and plug them fast enough so that you can't drive the proverbial slow moving truck, carrying a payload of *wares, through them.

  4. Re:Hacking is hacking isn't it? by martin-boundary · · Score: 2, Interesting

    It IS a crime. If they had control access to the botnet, then for the duration of time that they had control, they were responsible for what the botnet did during that time. Think of it as timeshare cracking.

  5. Re:How do I make such a CD? by Anonymous Coward · · Score: 1, Interesting

    Google for slipstream, the method used for merging service packs into windows install discs.

  6. A better Torpig by rathaven · · Score: 2, Interesting


    random speculation

    So if you take the paradigms of open source and apply the benefits of free and open criticism of a project then the ultimate change of this paper should be a better Torpig. As such, I wonder how long it will be before some of the methods mentioned in the paper that made Torpig vulnerable to takeover will quietly disappear...

    Torpig will doubtless allow updates to itself - allowing for current C&C commands to take varied action for example. Updating the infected machines with code that is less resistant to domain flux and hence preventing the injection of other C&C servers may be something achievable. After the publishing of a paper like this I'd be unsurprised if the code was not already undergoing update and that some of the methods in the paper weren't already out of date.

    Then again, I do wonder if publishing this at this time is due to the botnet already having moved on and therefore the techniques not longer available. Publishing may otherwise be a little irresponsible if the agencies involved on the article are still using the techniques mentioned.

    Then again, there are multiple other reasons for publishing this.

    /random speculation

  7. Re:How do I make such a CD? by Anonymous Coward · · Score: 1, Interesting

    With difficulty because the recovery disks likely won't work in a virtual machine due to vendor lock-ins. If they did work in a virtual macchine then you could install windows in linux to run nLite and slipstream the service pack.

    Alternatively you could do some frippery with hiding the laptop behind the linux box but that would need two network connections on the linux box.

    3rd option might be to use Wine to slipstream a service pack but that would rely on Wine being able to run the service pack installer in slipstream mode.

  8. Who's to say? by plover · · Score: 3, Interesting

    How about the reverse? If you are stupid enough to be hosting a botnet node, you are likely too stupid to know when an anti-botnet attack will affect your machine, nor are you likely to be able to identify such behavior as the cause of any damage to your machine.

    Nobody would ever find out. Places like the Geek Squad are populated with people who are instructed to turn stuff over for a profit rather than solve problems, so they won't look for evidence of the battle. They'll just reformat the machine and hand it back. Hackers like us on Slashdot are already probably secure against a lot of this crapware, so we'd never be "reverse-attacked."

    And who's to say which piece of malware caused the damage: the original trojan, or the anti-trojan? Even if it were traced down to the anti-trojan, what evidence would you have that it was sent by the researchers, and not by some anti-botnet-vigilante group?

    I bet these researchers could release an anti-trojan and get away with it completely. As long as they do it silently, the meddling kids never find out who did it.

    Even better: an alliance of anti-botnet researchers! To enter, you have to swear an oath to not rat out the other guys anti-botnet software. "We tried really really hard, but we couldn't figure out who sent it, sorry." No one would ever know.

    --
    John
    1. Re:Who's to say? by plover · · Score: 2, Interesting

      How about me, being a government that isn't looking favorable at the US, setting up an infected machine, monitoring the access and using it as a PR stunt should the US "invade" their computers?

      Playing host to hundreds of "vigilante patriot Chinese hackers" doesn't seem to have hurt the Chinese' ability to access the net, has it?

      Besides, my point was it's all about deniability. "Sorry, we're the U.S. Government. We don't know who silently fixed your DAMNED VIRUS LADEN UNPATCHED TURD OF A SERVER. Rest assured, we have our top people looking at it. Top people. But anyway, it wasn't us."

      --
      John