Slashdot Mirror


Torpig Botnet Hijacked and Dissected

An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"

9 of 294 comments

  1. uuh..yeah. by Anonymous Coward · · Score: 5, Interesting

    Why don't they just send a self-destruct/uninstall command and kill it, or would that be too simple?

    1. Re:uuh..yeah. by Fwipp · · Score: 3, Interesting

      Obligatory car analogy: If you owned a rental car company, would you outfit your fleet with a self-destruct procedure that could be initiated remotely?

    2. Re:uuh..yeah. by RiotingPacifist · · Score: 3, Interesting

      Fine, use geo-IP to only uninfect computers that are in countries that:
      1) Aren't sue-friendly (e.g. not the US)
      2) Don't have any jurisdiction in your country (e.g. not the US)

      --
      IranAir Flight 655 never forget!
    3. Re:uuh..yeah. by phantomcircuit · · Score: 4, Interesting

      Actually, base64 and XOR is the obfuscation algorithm used for the configuration file. There is a separate encryption algorithm present that is entirely custom and which nobody has yet broken (although I'm guessing nobody has done a serious cryptanalysis either).
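The comment above describes the configuration file as obfuscated with base64 and XOR. The following is an added analyst-style example, not code from the original post or from the paper: it assumes a single-byte XOR key applied before base64 encoding (both the key length and the order are assumptions), obfuscates a constructed sample config, then recovers the key by trying all 256 values and scoring how much each candidate looks like text.

```python
import base64
import string

# Constructed sample, not a real Torpig artifact: a small text config,
# XORed with a one-byte key and then base64-encoded (assumed order).
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = b"[config]\nc2=example.invalid\ninterval=300\n"

PRINTABLE = set(string.printable.encode("ascii"))
COMMON = set(b"abcdefghijklmnopqrstuvwxyz0123456789 \n")


def obfuscate(plaintext: bytes, key: int) -> str:
    """Apply the assumed scheme: XOR every byte with `key`, then base64."""
    return base64.b64encode(bytes(b ^ key for b in plaintext)).decode("ascii")


def plausibility(data: bytes) -> int:
    """Crude 'does this look like a text config' score: reward characters
    typical of config text, tolerate other printable ASCII, penalise the rest."""
    score = 0
    for b in data:
        if b in COMMON:
            score += 2
        elif b in PRINTABLE:
            score += 1
        else:
            score -= 5
    return score


def recover_config(blob: str):
    """Base64-decode the blob, try all 256 single-byte XOR keys and return
    (key, plaintext) for the most plausible candidate."""
    raw = base64.b64decode(blob)
    best_key, best_score, best_text = None, None, None
    for key in range(256):
        candidate = bytes(b ^ key for b in raw)
        score = plausibility(candidate)
        if best_score is None or score > best_score:
            best_key, best_score, best_text = key, score, candidate
    return best_key, best_text


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_CONFIG, SAMPLE_KEY)
    key, text = recover_config(blob)
    print(f"recovered key 0x{key:02x}")
    print(text.decode("ascii"))
```

A multi-byte repeating key would need the same scoring applied per key position; the scoring here is only a heuristic for text-like configs, so binary configs need a different plausibility test.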

    4. Re:uuh..yeah. by asdf7890 · · Score: 3, Interesting

      Many would ignore such a message thinking it is yet another advertising scam. Those that would blindly follow the instructions are the ones who have so much crap on the machine from blindly following messages like this ("you may be infected, install SpamKillaBot now!!!!") in the first place that removing just one worm from their machine.

      The only way to make most listen and do something about their PC security is to actually break something, and that definitely would be a moral no-no. Even then, some would just revert their machine back to the rescue image, not bother with the Windows Updates just yet because it is going to take ages and all they want to do right now is quickly check email, and it starts all over again.

    5. Re:uuh..yeah. by RiotingPacifist · · Score: 3, Interesting

      The injection normally happens on bank websites; I'd hope few would ignore a big scary message they saw when entering their bank details! Or they could inject it into ALL websites (the injection happens based on a whitelist of URLs). If the user got the warning at the top of EVERY page they viewed (across all browsers), they'd soon get fed up and do something about it!

      --
      IranAir Flight 655 never forget!
  2. Suggested punishment by rossz · · Score: 4, Interesting

    How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jail. For 180k systems, that's an eighteen million dollar fine and nearly five hundred years of jail time.

    Of course, the problem is catching these bastards who tend to live in countries where the government doesn't care or is actively involved in these illegal activities (I'm looking at you Russia).

    --
    -- Will program for bandwidth
  3. Re:Hacking is hacking isn't it? by InfiniteLoopCounter · · Score: 3, Interesting

    Probably, but some well-placed vigilante hacking could help the world. I mean, if they have control, how hard would it be to let that person know that they have a trojan, and to give directions on how to remove it?

    Unfortunately, that process would soon be usurped. There already is a class of malware called "rogue anti-virus" that gives false removal instructions, resulting in infection.

    Better would be to plug the holes, and plug them fast enough so that you can't drive the proverbial slow moving truck, carrying a payload of *wares, through them.

  4. Who's to say? by plover · · Score: 3, Interesting

    How about the reverse? If you are stupid enough to be hosting a botnet node, you are likely too stupid to know when an anti-botnet attack will affect your machine, nor are you likely to be able to identify such behavior as the cause of any damage to your machine.

    Nobody would ever find out. Places like the Geek Squad are populated with people who are instructed to turn stuff over for a profit rather than solve problems, so they won't look for evidence of the battle. They'll just reformat the machine and hand it back. Hackers like us on Slashdot are already probably secure against a lot of this crapware, so we'd never be "reverse-attacked."

    And who's to say which piece of malware caused the damage: the original trojan, or the anti-trojan? Even if it were traced down to the anti-trojan, what evidence would you have that it was sent by the researchers, and not by some anti-botnet-vigilante group?

    I bet these researchers could release an anti-trojan and get away with it completely. As long as they do it silently, the meddling kids never find out who did it.

    Even better: an alliance of anti-botnet researchers! To enter, you have to swear an oath not to rat out the other guys' anti-botnet software. "We tried really, really hard, but we couldn't figure out who sent it, sorry." No one would ever know.

    --
    John