Boffins observe Torpig botnet


Security researchers at a US university have spent 10 days in control of the notorious Torpig botnet to observe its behaviour.

The boffins from the University of California's Department of Computer Science Security Group have now published a document that shines a light on the practices and capabilities of Torpig. 'Your Botnet is My Botnet: Analysis of a Botnet Takeover' makes for frightening reading. "For our work, we seized control of the Torpig (a.k.a. Sinowal, Anserin) botnet for ten days. Torpig, which has been described in as 'one of the most advanced pieces of crimeware ever created,' is a type of malware that is typically associated with bank account and credit card theft," they explain in the introduction.

During their study, the researchers - Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel and Giovanni Vigna - found that the botnet harvested some 70GB of data from 180,000 infected machines.

The numbers may seem lower than expected, but during the period of their control the researchers were able to dig much deeper into the botnet than others have, drilling down from the usual counts of IP addresses to actual individual accounts and machines. "Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), [and] E*Trade (304)," claimed the report.

Torpig is something of an end-user nightmare. Its attacks are almost undetectable by all the major browsers: it uses phishing-style page injection to spoof a login page. "[T]he injected content carefully reproduces the style and look-and-feel of the target web site. Furthermore, the injection mechanism defies all phishing indicators included in modern browsers," the researchers explain in the report.

By doing just this, Torpig managed to take at least one credit card number from 86 per cent of its victims, and in some cases many more. From one hacked machine, later identified as belonging to a call centre worker, the botnet took some 30 different credit card numbers, proving that neither individual nor organisation is out of its reach. The researchers estimate that in an average 10 days of activity "the Torpig controllers may have profited anywhere between $83k and $8.3M."

Other insights in the report include the fact that the majority of internet users do not help themselves when it comes to security, because they choose easily cracked passwords. In fact, about 40 per cent of the captured logins were cracked in just over an hour using common password-cracking tools.