Slashdot Mirror
Torpig Botnet Hijacked and Dissected
An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"
why dont they just send a self destruct/uninstall command and kill it or would that be too simple ?
I know what they did is good and all, but didn't they still commit a crime themselves?
no, maybe, oh I don't know. Why do I get all the hard questions?
Take a machine. Install Windows XP SP1. Hook it to an unfiltered intenet access. Watch Sasser install. Mean time before infection: 30 seconds.
That nuisance is 5 years old and still running rampart. Now, far from being the threat that Torpig is, but it shows you just how hard it is to get rid of something. And unlike Torpig, it's not really "in use" anymore. Its maker is gone, it doesn't get any updates or new variants to faciliate infection. We're talking about the same old crapware that every single AV kit knows and removes by now. Worse, it's a threat that any halfway decently patched machine is not susceptible to.
And you want to get rid of Torpig?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jail. For 180k systems, that's an eighteen million dollar fine and nearly five hundred years of jail time.
Of course, the problem is catching these bastards who tend to live in countries where the government doesn't care or is actively involved in these illegal activities (I'm looking at you Russia).
-- Will program for bandwidth
Let me get this straight. They took over a botnet, which consists of computers they are unauthorized to access. Not only did they commit a felony but then they wrote a paper about it?
The reason that nobody else has done this before is not because they are incapable of doing it. The reason nobody has done this before is because it is illegal
Indeed, they proved what it is complitely possible to hijack a huge botnet and destroy a big part of it. (Well, everything is possible and there is quite much variation between different botnets, but still...) The problem is that they also gained access to a huge supply of bank account, credit card numbers and such. This itself can be consider a huge crime, even if they weren't planning to use them themselves. Legally speaking, hijacking it didn't differ much from creating a botnet for yourself. Also hijacking a botnet ofcourse involves interracting with the infected computers, which is a crime. Morally speaking this all is acceptable and benificial for the public good. Yet, legally speaking it seems a bit suspicious activity. You can't always be certain that the goal of this kind of operation is as naive as this time. Well anyway, good job!
Is the whole notion of a hacker that acts on behalf of the "public good" by shutting these things down (i.e. gray hat) just a myth?
/.ers have ever engaged in trying to kill one of these things.
Yeah, it's probably technically illegal, but I thought there were folks out there doing it. I'd be interested to know if any
Speaking for myself... I haven't because of the technically illegal nature of the work (at least I think it'd be technically illegal). Plus, without ever doing it, I don't know enough about how to do it. Can't be that hard though. Why are these things allowed to exist?
Still, seems like a pretty cool thing to hack, and you're doing some good at the same time.
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
What bothered me after reading this paper is nowhere does this paper come out and say that the infected machines are all running Windows, although this is strongly implied by the description of how the virus works. The reader is left to wonder whether machines other than Microsoft Windows were infected.
Instead, the paper leaves the impression that all computing has the same architectural vulnerabilities. I thought that was a surprising defect, sufficient to make me wonder what else isn't captured/stated/analyzed in the paper.
This I feel is a good analogy to old fashioned snail mail.
A package gets delivered by mistake to your house, it is obviously intended (addressed) for someone else, but you open it anyway.
Regardless of whether the contents are legal or illegal (drugs, fake currency, or just a birthday card) etc., you are still comitting a crime by opening it. You'd be hard pressed to use the "I'm a researcher" defense on that one.
I mean, that implies that anyone intercepting a botnet's stolen data can simply claim "they didn't write it, they were just researching it".
Why does this sound like a cross between an Onion and Swine Flu?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Give him a CD with XP which includes SP3
I'm curious: how would I go about producing such a CD, without any of my boxes getting "sassered"?
I have: a Linux box. An OS-less laptop. Some XP recovery disks.
The reason nobody has done this before is because it is illegal
"The proper authorities are helpless against the criminal scum plaguing the Internet. I shall become become a costumed vigilante hacker, but I need a sign...wait was that a frigging BAT that just hit the basement window...? What the hell? Now, wait...where was I...Oh, yes, I need a sign. I HAVE IT! I SHALL BECOME GOATSEE MAN!"
Ok hacker nerds, here is your chance to live out the fantasy. You have the talents, become a heroic hacker vigilante. You can break into people's computers, fix systems, counter hack black hats, and claim that you are 'the bat'. Get to it.
HA! I just wasted some of your bandwidth with a frivolous sig!
Greetings and Salutations... /., it is even more amazing.
I have to say that the level of misunderstanding exhibited by MOST of the folks posting to this thread boggles the mind. Considering the alleged level of IT sophistication of the readers of
I read the researcher's report, and, I have to say that I found it a well-reasoned and interesting analysis of a terrible problem on the Internet. However, without following their methodology, I do not believe they could have been able to do any where close to this level of analysis. These researchers not only produced a fairly scholarly analysis of a nasty and persistent problem, but, apparently went out of their way to work with the governmental authorities charged with controlling these sorts of crimes. So...why all the calls for them to be drawn and quartered in the public square? Have none of you ever heard of the concept of studying your enemy on a deep level, so to find its weaknesses, and make it easier to destroy? And as a part of that how do you propose to GATHER that information, short of following procedures that these researchers used?
There are only a few, small quibbles I have with the paper. While they do say that they took a number of steps to secure the private information that they gathered while researching this virus, I would feel much better about reality if there was some assurance that this data set had been destroyed at the end of the study. I realise that arguments can be made that information, once gathered, tends to exist forever (after all, can we be sure that no copies were made?). However, with sufficient audit trails of what happened to the data, and who accessed it, this is a minimal problem. Of course, if the folks whose data had been intercepted were, indeed, contacted and made aware of the breach of their privacy, the usefulness of this data would erode away quickly, as CC numbers/banking information/passwords/etc were changed.
Also, it was unclear to me exactly how they attempted to contact the people whose information had been compromised. Mainly this is curiosity on my part, because most of the methods that spring to mind (Email, IM, etc), are exactly the sorts of communications that I tend to filter out and delete with out any further attention. I suppose that a phone call from a complete stranger would certainly be a wake-up call, though.
As for their activities being "illegal", while perhaps technically true, It is more a problem with the way the laws are written, rather than with their activities. Most folks do not understand that applying the law to a bad situation is akin to using a 20 lb sledgehammer to swat a mosquito. it is not a precision instrument. That is one of the many reasons that the justice system in America has avenues for appealing a case through several levels of juries and judges. The hope is that with enough people looking at it, a sane interpretation of the law will take root. Most of the current laws dealing with computer access and IT these days DO make security research difficult and problimatical, as their wording exposes even legitimate researchers to criminal charges. That is a legislative problem, though, and, not a sign that serious researchers who are trying to understand a complex and interesting problem on the net are "Doing Evil".
In short...if you like eating sausage, you should NEVER watch it being made.
Dave Mundt
YAB - http://blog.beemandave.com/
It's quite probable that this information (and particularly the techniques used to hijack the botnets) are also new and valuable to law-enforcement agencies. Such agencies tend to be desperately short of intelligence (both kinds), under-equipped to do research, and usually operate in a purely reactive way ("show us the bodies and we'll investigate").
And yes, I think that the researchers did fine by hijacking a botnet in the first place and secondly by not destroying it but instead contacting law-enforcement agencies. Researchers are neither law enforcement officers nor sysadmins for the infected systems. They have their own work to do (which law-enforcement agencies could not or would not do, or the Torpig botnet would have been cleaned up long ago).
It is interesting to note that *all* of the infected machines seem to be MS Windows based. Even though many of the targeted clients (Firefox, Skype) also run on Linux machines. If I had to guess I'd say that under Linux the need to have root access to either modify the MBR or to write downloaded malware code to the targeted executables on disk provides an effective barrier to infection (provided you don't surf the net with root privileges of course).
Unfortunately the publication of this sort of research may lead botnet administrators and designers to address the authentification weakness the researchers exploited. Ah well, such is life.
This research paper gives the botnet people some more ideas on where their weaknesses are.
It's like a security researcher turning up at the underground base of an evil tyrant and finding a way in then writing a publicly available paper on where his defenses are weak.
First of all, the whole exercise was cut short because the botnet admins updated the Mebroot toolkit, causing the researchers to loose contact. That happened before publication, ok? Secondly it shows that the easiest way to protect your botnet is to update Mebroot once a week (or sooner), and savvy botnet admins already knew that.
The big plus is that this research unequivocally points out MS Windows users' ability to write to the MBR and to modify executables as the main strategic access point. The general public didn't know that before. Now it does and it might decide that this is something that must be addressed. Either by switching to Linux or by more careful login management or by pounding the desk in Redmond and demanding a fix. Nothing else could have done that.
In addition it highlights the crucial importance of ISPs and registrars to respond immediately (and intelligently) to complaints of abuse. As the researchers point out, there is scope for streamlining and actually *using* existing procedures to terminate a registrar's accreditation. There may also be scope for legislation here in compelling any ISP or registrar to maintain a certain minimum capability for investigating abuse, and for instituting a legally binding maximum timespan between complaint and investigation. I would personally favour legislation to force those registrars and ISPs who do not have that capability out of business (or compel them to be taken over) within a year or so. That's something that would have been impossible to justify without this research.
So in short, the small disadvantage of alerting botnet admins to a vulnerability is far outweighed by the intelligence gathered. Intelligence that *must* be made public before it can be acted upon due to institutional torpor, stupidity, or tardiness.
Funny thing is, if you do a favor for someone you don't even get thanked, but screw it up even a bit and you get slapped with a lawsuit.
Even if you don't screw up, the recipients of your favours will probably be outraged if they find out. If they've got a bot-ridden unpatched box connected to the net, they're quite likely to be assholes in other ways also.
To fight an asshole, you must be an asshole. The researchers should first provision a "legal fund" by milking the financial data they apparently recovered. Then launch lawsuits against the dummies whose PCs were participating in the botnet as accomplices to said financial crime (e.g. accuse them of attempting to defraud their financial institutions, etc.). Is there such a thing as a reverse-class-action lawsuit, where you can sue a whole class of assholes all at once?
Assholes should not be connected to the internet. Especially if they're exposing goatse-sized vulnerabilities.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
random speculation
So if you take the paradigms of open source and apply the benefits of free and open criticism of a project then the ultimate change of this paper should be a better Torpig. As such, I wonder how long it will be before some of the methods mentioned in the paper that made Torpig vulnerable to takeover will quietly disappear...
Torpig will doubtless allow updates to itself - allowing for current C&C commands to take varied action for example. Updating the infected machines with code that is less resistant to domain flux and hence preventing the injection of other C&C servers may be something achievable. After the publishing of a paper like this I'd be unsurprised if the code was not already undergoing update and that some of the methods in the paper weren't already out of date.
Then again, I do wonder if publishing this at this time is due to the botnet already having moved on and therefore the techniques not longer available. Publishing may otherwise be a little irresponsible if the agencies involved on the article are still using the techniques mentioned.
Then again, there are multiple other reasons for publishing this.
Until the OS is locked down, it will simply be replaced by a new bot. Computer owners MUST start taking responsibilities for their choices. If somebody's CC and retirement account is chosen because they chose an insecure OS, than let them live with it.
I prefer the "u" in honour as it seems to be missing these days.
If the un-updated machines are cesspools and pose a threat to the internet, then should they not be blocked?
The browsers identify themselves to some extent. Shouldnt websites detect these browsers and refuse to do business with them?
Should firefox, itunes and such refuse to install on machines that are not updated?
How about the reverse? If you are stupid enough to be hosting a botnet node, you are likely too stupid to know when an anti-botnet attack will affect your machine, nor are you likely to be able to identify such behavior as the cause of any damage to your machine.
Nobody would ever find out. Places like the Geek Squad are populated with people who are instructed to turn stuff over for a profit rather than solve problems, so they won't look for evidence of the battle. They'll just reformat the machine and hand it back. Hackers like us on Slashdot are already probably secure against a lot of this crapware, so we'd never be "reverse-attacked."
And who's to say which piece of malware caused the damage: the original trojan, or the anti-trojan? Even if it were traced down to the anti-trojan, what evidence would you have that it was sent by the researchers, and not by some anti-botnet-vigilante group?
I bet these researchers could release an anti-trojan and get away with it completely. As long as they do it silently, the meddling kids never find out who did it.
Even better: an alliance of anti-botnet researchers! To enter, you have to swear an oath to not rat out the other guys anti-botnet software. "We tried really really hard, but we couldn't figure out who sent it, sorry." No one would ever know.
John
to stealing 10k bank account numbers why aren't they in jail?
In all the articles and talk about trojans I never see any mention of the fact
that %99.9 of infected, spam producing and botted PC's are running some version
of MS windows. If every luser who ran bittorrent and keygen's on their windows
PC's switched to ubuntu tomorrow, the botnet problem would disappear overnight.
MS makes the barrier to entry for virus and trojan writers so low, that a 12 year-old
could have his own botnet with a couple of hours of internet time.
Yet I never see any talk of this.
Imagine a bank with the same security as MS windows. A bank robber could walk right
in to the safe wearing a mask of the bank manager's face, and the safe would open
by pressing a button which said 'Do not press if ur a bankrobber'.
Yet I see no talk of holding MS accountable for the security of its shitty software.
Maybe if they were made to pay the real cost of running windows, the #1 AV maker
would be MS.
This Sig does not Exist.
Raymansean fails to grasp the distinction between "responsibility" and "fault". The user has a responsibility to use his car in a manner that does not threaten people. He also has a responsibility to use his computer in a manner that poses no threat to his neighbors. Failure to operate his car in a safe manner gets a ticket, because he failed to meet his responsibilities. Failure to operate a computer in a safe manner should result in similar penalties, for the same reasons.
Stop whining, and making excuses. Failure to have all the required software at hand to do a SAFE installation of your operating system is a failure of responsibility, and your computer should be impounded, and you spend a night in jail for putting people around you at risk. Tell it to the judge, buddy, I don't want to hear it.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Ask former Bush administration officials. Kidnap and torture suspected terrorists? Not our problem, they were captured in a failed state!
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Did you even RTFA? They didn't have to crack any passwords at all. Most of the bank account usernames, account numbers and passwords were simply provided by the clueless users who logged into their accounts over the internet. Torpig just forwarded the user login ID and password credentials submitted through the browser to the Mebroot command and control computer, using the "Man-in-the-browser" phishing technique described in Section 2 and Section 6.1. There's no sense wasting precious hacker time using brute force attacks to crack passwords that aren't even encrypted.
s/lude/lewd/g
Other than that, well done.
I prefer rogues to imbeciles because they sometimes take a rest.