Hijacking and monitoring the botnet for ten days reveals interesting aspects of its operation

May 5, 2009 08:59 GMT  ·  By

Researchers from the Computer Security Group at the University of California, Santa Barbara (UCSB) took over the Torpig botnet for ten days. Their subsequent report (PDF) reveals that, during this period, the trojan stole 8,310 accounts at 410 different financial institutions, as well as the details of 1,660 credit cards.

Torpig, also known as Sinowal, is a three-year-old banking trojan that ranks among the most resilient and complex pieces of malware in circulation. It is distributed through Mebroot, a rootkit that installs itself at a very low level of the system, in the Master Boot Record (MBR), so that it loads before the operating system and is particularly hard for antivirus products to detect.

Another state-of-the-art technique employed by Torpig is domain flux: each infected machine periodically generates a list of domain names according to an algorithm and queries them in turn to locate its command and control (C&C) server. Because the algorithm is deterministic, anyone who knows it can compute the upcoming domains in advance. The researchers hijacked the botnet by registering some of those domains before the botmasters did; the botnet's owners regained control ten days later.
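The mechanism is easier to see in code. The block below is an added illustration, not Torpig's actual algorithm or code from the UCSB paper: the seed, the hash, the label length and the TLD list are assumptions chosen for the example, and the dates and addresses are constructed. It shows the bot side (generate the day's candidates, try them in order) and the defender side (compute the same names ahead of time and register them), and why whoever registers the first-tried name wins.

```python
"""Domain flux, as an added example (not Torpig's real algorithm).

A bot derives its day's candidate C&C domains from the current date with a
deterministic function and tries them in order.  Anyone who recovers the
function from the binary can compute tomorrow's names today and register them
first; the bots then connect to the defender's server instead of the
botmaster's.  The seed, hash, label length and TLD list are assumptions.
"""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional

SEED = "illustrative-seed"            # assumption: a constant baked into the binary
TLDS = ("com", "net", "biz")          # assumption: TLDs tried, in this order
NAMES_PER_DAY = 3                     # assumption: candidates generated per day


def generate_domains(day_iso: str) -> List[str]:
    """Hypothetical DGA: hash (seed, date, counter) into a 12-letter label.

    Only the date and the embedded seed feed the hash, so every bot produces
    the same list on the same day, and so does anyone who knows the seed.
    """
    day = date.fromisoformat(day_iso)
    names = []
    for i in range(NAMES_PER_DAY):
        material = f"{SEED}|{day.year}|{day.month}|{day.day}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        # Map each hex nibble onto a-z so the result looks like a domain label.
        label = "".join(chr(ord("a") + int(ch, 16) % 26) for ch in digest[:12])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def bot_locate_c2(day_iso: str, dns: Dict[str, str]) -> Optional[str]:
    """Bot side: resolve each candidate in order and use the first that exists.

    `dns` stands in for the real DNS: domain -> IP of whoever registered it.
    """
    for name in generate_domains(day_iso):
        if name in dns:
            return dns[name]
    return None


def sinkhole_register_ahead(start_iso: str, days: int, sinkhole_ip: str) -> Dict[str, str]:
    """Defender side: precompute and register every name for the next `days` days."""
    start = date.fromisoformat(start_iso)
    table: Dict[str, str] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in generate_domains(day.isoformat()):
            table[name] = sinkhole_ip
    return table


if __name__ == "__main__":
    # Constructed dates and a TEST-NET address; nothing here comes from the paper.
    dns = sinkhole_register_ahead("2009-01-25", 10, "192.0.2.10")
    print("today's candidates:", generate_domains("2009-01-25"))
    print("bot on day 1 reaches:", bot_locate_c2("2009-01-25", dns))
    print("bot on day 11 reaches:", bot_locate_c2("2009-02-04", dns))
```

The sinkhole only holds as long as the pre-registered window lasts (day 11 in the example resolves to nothing), and it loses immediately if the botmaster holds an earlier name in the day's list, which is why a takeover has to register the names in the order the bot tries them.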

While the driving force behind the Torpig operation is illegal monetary gain, the trojan does not steal only financial information, even if that is clearly the most valuable. The malware can also monitor, log and sort user input to more than 29 popular applications, including the top three browsers (IE, Firefox and Opera), e-mail clients such as Outlook, Thunderbird and Eudora, and instant messengers such as ICQ and Skype. Login credentials, account details and passwords are specifically targeted.

Additionally, Torpig mounts local phishing attacks by injecting rogue forms into legitimate pages loaded in the browser. These forms ask users for sensitive financial details and are hard to spot because they are inserted inside the browser itself, after the page has been received and decrypted, at any point during the session; the injection therefore works even when the connection is protected by SSL, which offers no defense against code running in the browser.

The researchers collected an impressive 70GB of data during the ten days of hijacking and estimated that 182,800 bots connected to their C&C server. This number was obtained by counting the bots themselves, using identifiers present in their check-in traffic, rather than by counting unique IP addresses, which change over time (for example through DHCP reassignment) and therefore inflate the count. In fact, a total of 1,247,642 unique IPs were observed, leading the researchers to conclude that, "Taking this value as the botnet size would overestimate the actual size by an order of magnitude."
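The difference between the two counts is easy to reproduce. The block below is an added example with a constructed check-in log, not data or code from the UCSB paper; the `id=` field is an assumed stand-in for a stable per-machine identifier carried in each report, not the real Torpig header field. It shows how DHCP churn inflates an IP-based count while NAT hides bots behind a shared address, and why counting identifiers gives a more honest size.

```python
"""Estimating botnet size from C&C check-ins (added example, constructed data).

Counting distinct source IPs over-counts bots whose address changes (DHCP
churn) and under-counts bots sharing one address (NAT).  Counting a stable
per-machine identifier that the malware includes in every report avoids the
first problem.  The `id=` field is an assumed stand-in for such an
identifier, not the real Torpig header field.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed check-in log: "<timestamp> ip=<src> id=<bot id>".
LOG_LINES = """
2009-01-25T00:01 ip=203.0.113.5 id=bot-A
2009-01-25T06:00 ip=203.0.113.9 id=bot-A
2009-01-25T12:00 ip=203.0.113.14 id=bot-A
2009-01-25T00:02 ip=198.51.100.7 id=bot-B
2009-01-25T00:03 ip=198.51.100.7 id=bot-C
2009-01-26T00:05 ip=192.0.2.33 id=bot-D
2009-01-26T09:00 ip=203.0.113.21 id=bot-A
""".strip().splitlines()


def parse_checkins(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, ip, bot_id) tuples, skipping malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "ip" in fields and "id" in fields:
            records.append((parts[0], fields["ip"], fields["id"]))
    return records


def count_unique_ips(records) -> int:
    """The naive estimate: one bot per distinct source address."""
    return len({ip for _, ip, _ in records})


def count_unique_bots(records) -> int:
    """The identifier-based estimate: one bot per distinct identifier."""
    return len({bot for _, _, bot in records})


def ips_per_bot(records) -> Dict[str, int]:
    """How many distinct addresses each bot reported from (DHCP churn)."""
    seen = defaultdict(set)
    for _, ip, bot in records:
        seen[bot].add(ip)
    return {bot: len(ips) for bot, ips in seen.items()}


def bots_per_ip(records) -> Dict[str, int]:
    """How many distinct bots reported from each address (NAT sharing)."""
    seen = defaultdict(set)
    for _, ip, bot in records:
        seen[ip].add(bot)
    return {ip: len(bots) for ip, bots in seen.items()}


def overestimate_factor(records) -> float:
    """Ratio of the naive IP count to the identifier-based count."""
    return count_unique_ips(records) / count_unique_bots(records)


if __name__ == "__main__":
    recs = parse_checkins(LOG_LINES)
    print("unique IPs:", count_unique_ips(recs))
    print("unique bots:", count_unique_bots(recs))
    print("IPs per bot:", ips_per_bot(recs))
    print("bots per IP:", bots_per_ip(recs))
    print("IP count overestimates by:", overestimate_factor(recs))
```

On the constructed log the IP count is 1.5 times the bot count after only two days; over a ten-day window with real DHCP lease times the gap grows much larger, which is the order-of-magnitude effect the researchers describe.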

Another interesting conclusion is that the botnet, or more precisely parts of it, is very likely being rented out to third-party criminal groups. This is suggested by fixed, never-changing build names attached to all types of communications and to the collected information. "The most convincing explanation of the build type is that it denotes different 'customers' of the Torpig botnet, who, presumably, get access to their data in exchange for a fee," the researchers note.

Even though much of the 70GB of data consisted of login credentials for e-mail accounts (Gmail at the top), social networking services (Facebook at the top) and other non-financial services, the leak of sensitive personal and banking information is still significant. The researchers counted compromised accounts at PayPal (1,770), Poste Italiane (765), Capital One (314), E*Trade (304) and Chase (217).

This seems to be partially consistent with the distribution of Torpig-infected machines across the globe: the U.S. (54,627), Italy (46,508) and Germany (24,413) are the top three countries, and the only ones above the 7,000-bot mark. The botnet also has great potential for launching Denial of Service attacks, with an estimated aggregate bandwidth of over 17 Gbps from its bots on DSL and cable connections alone.

An interesting analysis of the security habits of the affected users was also performed. The researchers subjected the 173,686 collected passwords to the popular John the Ripper password-cracking tool. In under 75 minutes, the program recovered 40% of them using dictionary attacks, and a further 30,000 were cracked over the next 24 hours using its "incremental" brute-force mode.

The analysis "found that almost 28% of the victims reused their credentials for accessing 368,501 web sites," the report also notes. This led the researchers to conclude that, "The victims of botnets are users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites. This is evidence that the malware problem is fundamentally a cultural problem."
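Both measurements above, the share of passwords a wordlist attack recovers and the share of victims reusing a password across sites, can be reproduced on a small scale. The block below is an added example on a constructed credential set, not the UCSB data or the researchers' tooling: the plaintexts are hashed with unsalted SHA-1 purely so that a dictionary attack has something to run against, and the tiny wordlist with capitalise/append-digit rules mimics, in miniature, what John the Ripper's wordlist mode does.

```python
"""Auditing stolen credentials for guessability and reuse (added example).

Constructed data, not the UCSB data set.  Plaintexts are hashed with
unsalted SHA-1 purely so that there is something for a dictionary attack to
run against; the wordlist and mangling rules are a miniature of what John
the Ripper's wordlist mode does.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: (victim, site, password).
CREDENTIALS: List[Tuple[str, str, str]] = [
    ("alice", "bank.example",   "password1"),
    ("alice", "mail.example",   "password1"),      # reused across sites
    ("alice", "social.example", "Xk9#pL2q"),
    ("bob",   "bank.example",   "letmein"),
    ("bob",   "mail.example",   "letmein2"),       # different, but a trivial variant
    ("carol", "bank.example",   "Tr0ub4dor&3!"),
    ("carol", "mail.example",   "Tr0ub4dor&3!"),   # strong, but reused
    ("dave",  "mail.example",   "qwerty"),
]

WORDLIST = ["password", "letmein", "qwerty", "123456", "monkey"]  # constructed


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


def mangle(word: str) -> Iterable[str]:
    """Wordlist rules: the word itself, capitalised, and with one digit appended."""
    yield word
    yield word.capitalize()
    for d in "0123456789":
        yield word + d


def dictionary_attack(targets: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {hash: plaintext} for every target hash a mangled word reproduces."""
    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = sha1_hex(candidate)
            if h in targets and h not in found:
                found[h] = candidate
    return found


def recovered_passwords(credentials) -> Set[str]:
    """Plaintexts the dictionary attack recovers from the hashed credential set."""
    hashes = {sha1_hex(pw) for _, _, pw in credentials}
    return set(dictionary_attack(hashes, WORDLIST).values())


def crack_rate(credentials) -> float:
    """Fraction of credentials whose password the dictionary attack recovered."""
    found = recovered_passwords(credentials)
    hits = sum(1 for _, _, pw in credentials if pw in found)
    return hits / len(credentials)


def reuse_rate(credentials) -> float:
    """Fraction of victims who used one password on at least two distinct sites."""
    sites_by_pw = defaultdict(lambda: defaultdict(set))   # victim -> pw -> sites
    for victim, site, pw in credentials:
        sites_by_pw[victim][pw].add(site)
    victims = list(sites_by_pw)
    reusers = [v for v in victims
               if any(len(sites) >= 2 for sites in sites_by_pw[v].values())]
    return len(reusers) / len(victims)


if __name__ == "__main__":
    print("recovered:", sorted(recovered_passwords(CREDENTIALS)))
    print(f"cracked: {crack_rate(CREDENTIALS):.0%} of credentials")
    print(f"reuse:   {reuse_rate(CREDENTIALS):.0%} of victims")
```

Note that the two measures are independent: carol's password survives the wordlist attack but is reused, so a single theft still opens two accounts, while bob's two variants count as distinct for reuse yet both fall to one wordlist entry.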

The success of Torpig has inspired, and continues to inspire, other malware authors, who have borrowed and improved upon its techniques. Its own creators, in turn, are putting considerable effort into maintaining it. In a November 2008 report on the trojan's activity, researchers from RSA Security noted that, "Almost three years is a very, very long time for just one online gang to maintain the lifecycle and operations in order to effectively utilize just one Trojan."

We recently reported that malware experts from security vendor Prevx have identified and analyzed a completely revamped version of the Mebroot rootkit, which features highly complex detection-evasion mechanisms. "Even if the first MBR rootkit variant is still undetected by some antivirus vendors, its creators decided to develop a new version of it, virtually able to bypass almost all security products, even the ones able to detect the first version," one of Prevx's researchers, Marco Giuliani, warns.