Slashdot Mirror


Torpig Botnet Hijacked and Dissected

An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"

12 of 294 comments

  1. uuh..yeah. by Anonymous Coward · · Score: 5, Interesting

    why dont they just send a self destruct/uninstall command and kill it or would that be too simple ?

    1. Re:uuh..yeah. by shentino · · Score: 5, Insightful

      Funny thing is, if you do a favor for someone you don't even get thanked, but screw it up even a bit and you get slapped with a lawsuit.

    2. Re:uuh..yeah. by VValdo · · Score: 5, Informative

      Although we could have sent a blank configuration file to potentially remove the web sites currently targeted by Torpig, we did not do so to avoid unforeseen consequences (e.g., changing the behavior of the malware on critical computer systems, such as a server in a hospital). We also did not send a configuration file with a different HTML injection server IP address for the same reasons. To notify the affected institutions and victims, we stored all the data that was sent to us, in accordance with Principle 2, and worked with ISPs and law enforcement agencies, including the United States Department of Defense (DoD) and FBI Cybercrime units, to assist us with this effort. This cooperation also led to the suspension of the current Torpig domains owned by the cyber criminals.

      FTFA, they snaked a domain name they knew the botnet was going to use before the bad guys could, then just collected info sent to them by all the compromised systems.

      The submission header and the body are encrypted using the Torpig encryption algorithm (base64 and XOR)

      Torpig encryption algorithm: base64 and XOR. In contrast, Conficker uses all kinds of crypto (RC4, RSA, and MD-6).

      W

      --
      -------------------
      This is my SIG. There are many like it, but this one is mine.
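    As an added illustration of the "base64 and XOR" point above (this is example code, not the paper's or Torpig's own): XOR with a repeating key is its own inverse, so base64+XOR is an encoding, not encryption. The key, key length and message layout below are assumptions, since the page does not give them, and the sample "submission" is constructed. The last two functions show why it offers no secrecy: a few bytes of predictable plaintext (a fixed header) hand over the key and its period.

```python
import base64
from itertools import cycle

# ASSUMPTIONS, not from the page or the paper: a short repeating key and a
# constructed submission with a fixed "header: " prefix.
ASSUMED_KEY = b"torpig"
SAMPLE_SUBMISSION = b"header: ts=1240000000 ip=192.0.2.10\nbody: user=alice pass=hunter2"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def torpig_style_encode(plaintext: bytes, key: bytes = ASSUMED_KEY) -> str:
    """XOR with the key, then base64: the scheme described in the quoted paper."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def torpig_style_decode(blob: str, key: bytes = ASSUMED_KEY) -> bytes:
    """Reverse of torpig_style_encode: un-base64, then XOR with the same key."""
    return xor_bytes(base64.b64decode(blob), key)


def recover_key(blob: str, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: ciphertext XOR known plaintext yields the key
    stream, so key_len bytes of predictable header are enough to get the key."""
    ct = base64.b64decode(blob)
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_bytes(ct[:key_len], known_prefix[:key_len])


def find_key_length(blob: str, known_prefix: bytes, max_len: int = 32) -> int:
    """With more known plaintext than the key is long, the recovered key stream
    repeats; its shortest period is the key length."""
    ct = base64.b64decode(blob)
    n = min(len(ct), len(known_prefix))
    stream = xor_bytes(ct[:n], known_prefix[:n])
    for period in range(1, min(max_len, n) + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return period
    raise ValueError("no repeating period found within max_len")


# Constructed "captured" blob produced with the assumed key.
SAMPLE_BLOB = torpig_style_encode(SAMPLE_SUBMISSION)

if __name__ == "__main__":
    # A sinkhole operator holding the key reads the submission directly.
    print(torpig_style_decode(SAMPLE_BLOB).decode())
    # An observer without the key, who only guesses the fixed header,
    # recovers the key length and the key from the ciphertext alone.
    period = find_key_length(SAMPLE_BLOB, SAMPLE_SUBMISSION[:15])
    print("key length:", period)
    print("key:", recover_key(SAMPLE_BLOB, SAMPLE_SUBMISSION[:period], period))
```

    The known-plaintext step is the whole story: once any bot's submission format is understood, every other bot's traffic to the same server falls open, which is exactly what let the researchers read what the botnet sent to the domain they had registered. Contrast this with the RC4/RSA construction the comment mentions for Conficker, where the key is not recoverable from plaintext/ciphertext pairs.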
    3. Re:uuh..yeah. by DragonDru · · Score: 5, Insightful

      I feel so conflicted. It is good they got enough information to tell law enforcement who the victims are, but I feel sad they did not do more to stop the botnet. However, there would be lawsuits if they had done more. Also, the bot masters now know exactly who was messing with their system (even their email addresses and their technique). Net effect, a botnet will go down slowly and some researchers will get a *lot* of spam.

      --
      20 characters max for the password? How will I use my favorite poems as passwords?
    4. Re:uuh..yeah. by Opportunist · · Score: 5, Insightful

      "If YOUR homeland security fiddles with MY government computer, get ready for international troubles."

      Here's your reason why they don't.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:uuh..yeah. by Hognoxious · · Score: 5, Funny

      If you're smart enough to hack into this botnet and make it do your bidding, you're smart enough to not have commands sent to it traced back to you.

      True, but unfortunately it seems they aren't smart enough to keep quiet about it.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    6. Re:uuh..yeah. by WhatAmIDoingHere · · Score: 5, Insightful

      They do. Perhaps you can improve on that suggestion with some further content.

      Problem is that a lot of countries DON'T care about these kinds of crimes. Laws tend to have a hard time keeping up with technology.

      --
      Not a Twitter sockpuppet... but I wish I was.
    7. Re:uuh..yeah. by mh1997 · · Score: 5, Insightful

      I'd go as far as telling you that the victims should also be punished for leaving their machines wildly exposed to the botnet. I guess all of them were running un-updated OSes, without antivirus and/or firewall. Since it's obvious that these bots are used also in criminal attacks against other people (DDOS - Spamming - further botnet spreading) I don't see them as victims but more like accomplices.

      If you are not willing to learn how to safely use a computer you shouldn't have one, just stick to an iPhone or other toys (Internet tablets).

      Let's not limit this to computers. If someone breaks into your house or steals your car, cell phone, credit card, etc. then you should be responsible for all crimes committed by the thief. You are not just a victim, you are an accomplice. If you cannot reasonably protect yourself from physical theft by learning martial arts and proper use of firearms/weapons, you should just stick to...computers?

      Computers and the internet are sold as toys and a convenient way to handle business transactions for the common person. The common person has a reasonable expectation that upon opening the box, his computer and his personal data will be reasonably secure. If the OEMs can't provide that level of security, or that level of security can only be achieved by a certain amount of training, then they should put a giant disclaimer on the splash screen stating that any and all data put on that computer will likely be stolen and that the computer will probably be taken over by thieves for criminal activities.

  2. yes by mofag · · Score: 5, Funny

    no, maybe, oh I don't know. Why do I get all the hard questions?

  3. Re:So they committed a felony? by SydShamino · · Score: 5, Insightful

    No, they purchased a domain name, set up servers to accept data sent to that domain, then collected that data. That their research had told them that the domain would be used by the botnet is incidental. If you mail your credit-card information to my domain, I haven't committed any crime if I accept it and turn it over to the authorities.

    --
    It doesn't hurt to be nice.
  4. Re:Suggested punishment by Kaboom13 · · Score: 5, Insightful

    It's already illegal. We don't need to run around making new laws. The problem is law enforcement world wide does not care. Even if the perpetrators of a major botnet are in their grasp, they will do their best to ignore it. If it happens on the internet, that means it's an international problem. Which means it's not their problem. They are too busy busting 19 year olds trying to sleep with 17 year olds, and "drug busts" of people licensed and permitted by their state government to grow marijuana, and harassing random people with the same name as a suspected "terrorist". Has anyone seen the FBI actually even investigate an identity theft case? We aren't talking criminal masterminds here, most of them could be tracked down with minimal effort.

    The only solution to crap like this will have to be technical. I suspect for the internet to survive, enforcement will have to come at the ISP level. Automated detection of botnets and ddos attacks in progress is possible. What should happen is when it's detected you are infected, your upload is heavily throttled, and you are contacted to correct it. Failure to do so results in suspension of service. ISPs that don't implement it should face having all their packets dropped by everyone else. It won't stop the latest and greatest, but years-old botnets could easily be stopped. The potential for false positives will suck, as will the temptation for ISPs to abuse it, but currently there's several botnets out there that could easily take down critical infrastructure if they decide to ddos it.

  5. Re:Suggested punishment by Toonol · · Score: 5, Funny

    It's "Viruses". Just for future reference. I know, I'm being pedantic.