Researchers from the Department of Computer Science at the University of California Santa Barbara have published an impressive look into the operation of one of the Net's most well-known botnets, Torpig.
[Image caption: Researchers spend 10 days in control of Torpig botnet. Image: J. Anderson]
During the 10 days the team controlled the botnet, they observed 180,000 infections and recorded more than 70 GB of harvested data, collected for them by the malware used in the botnet itself.
“So far, Torpig has been distributed to its victims as part of Mebroot. Mebroot is a rootkit that takes control of a machine by replacing the system’s Master Boot Record (MBR). This allows Mebroot to be executed at boot time, before the operating system is loaded, and to remain undetected by most anti-virus tools,” the researchers explained.
The researchers credited with the work, Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, managed to control the Torpig botnet for a total of 10 days.
To gain access to the botnet, the research team reverse-engineered the malware used to infect a user's system and attach it to the botnet. They were able to exploit a weakness in the way the bots generated the list of domains they resolve in order to locate a command-and-control (C&C) server, from which the bots receive instructions and to which they offload harvested data.
Once they understood how the domains were generated, a process the paper calls "domain flux", they registered the .com and .net domains that the botnet was going to use.
“With domain flux, each bot periodically (and independently) generates a list of domains that it contacts. The first host that sends a reply that identifies it as a valid C&C server is considered genuine, until the next period of domain generation is started. We leveraged information about the domain generation algorithm and Torpig’s C&C protocol to register domains that the infected hosts would contact. By providing a valid response, the bots accepted our server as genuine,” the paper explained.
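To make the domain-flux mechanism and the takeover concrete, here is an added Python example that is not from the paper or the article. It uses a constructed toy domain-generation algorithm (a SHA-256 digest of an assumed seed, the date and an index; Torpig's real algorithm is not on the page and is not reproduced here) and models the bot's rule from the quote above: walk the list in order and accept the first host whose reply is valid. The defender-side functions show why that design is a weakness: anyone who knows the algorithm can precompute every domain for future periods, either to register them ahead of the operators or to flag queries for them in resolver logs. The seed, the log format and the date are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy domain-generation algorithm for illustration only.
# It is NOT Torpig's algorithm; the seed and digest scheme are assumptions.
SEED = b"example-seed"
TLDS = (".com", ".net")
DOMAINS_PER_PERIOD = 6
EXAMPLE_PERIOD = date(2009, 1, 25)  # constructed date used by the demo


def generate_domains(period: date, count: int = DOMAINS_PER_PERIOD) -> list:
    """Ordered candidate list a bot tries during one period (here, one day).

    Every bot derives the same list independently from the shared seed and
    the current date; that determinism is what lets a defender precompute it.
    """
    domains = []
    for i in range(count):
        material = SEED + period.isoformat().encode() + i.to_bytes(1, "big")
        label = hashlib.sha256(material).hexdigest()[:12]
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def bot_select_c2(period: date, responders: dict):
    """Model of the bot's choice: walk the period's list in order and accept
    the FIRST host whose reply identifies it as a valid C&C server.

    responders maps domain -> (owner_label, reply_is_valid); a domain that is
    not registered does not resolve and is skipped.
    """
    for domain in generate_domains(period):
        if domain in responders:
            owner, valid = responders[domain]
            if valid:
                return domain, owner
    return None


def precompute_blocklist(start: date, days: int) -> set:
    """Defender view: enumerate every domain the bots will try over a range
    of periods, so they can be sinkholed or blocked ahead of time."""
    blocked = set()
    for k in range(days):
        blocked.update(generate_domains(start + timedelta(days=k)))
    return blocked


def match_dns_log(lines, blocklist: set) -> list:
    """Flag resolver log entries whose query name is on the precomputed list.

    Constructed log format: '<timestamp> <client_ip> <qname>'.
    Returns (client_ip, qname) pairs for matching lines.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    todays = generate_domains(EXAMPLE_PERIOD)
    # Operators registered the 4th domain; a sinkhole holds the 2nd one, so
    # the bots reach the sinkhole first and never contact the operators.
    responders = {todays[3]: ("operator", True), todays[1]: ("sinkhole", True)}
    print("bot accepted:", bot_select_c2(EXAMPLE_PERIOD, responders))
    sample_log = [  # constructed resolver log lines
        f"2009-01-25T10:00:01 192.0.2.10 {todays[0]}.",
        "2009-01-25T10:00:02 192.0.2.11 www.example.com.",
    ]
    print("hits:", match_dns_log(sample_log, precompute_blocklist(EXAMPLE_PERIOD, 3)))
```

The takeover in the article is the `responders` situation in the demo: whoever holds a domain that appears earlier in the period's list, and answers with a reply the bot accepts as valid, becomes the C&C for that period. The same precomputation is what a network defender uses to turn a known algorithm into a blocklist for upcoming days.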
Their access was cut off after the criminals behind the malware altered the binary that implements the domain generation algorithm. This rendered the researchers' sinkhole C&C useless and cost them control over the bots.
However, the information they discovered and the lessons learned over the 10-day control window offer a rare look into several aspects of how botnets function. During the time they controlled the bots, harvested data was uploaded to them at 20-minute intervals.
The information Torpig was collecting included over 1.2 million Windows passwords, 11.9 million records of form data submitted to Web sites, and 1.2 million e-mail items.
“In particular, mailbox account items contain the configuration information for email accounts, i.e., the email address associated with the mailbox and the credentials required to access the mailbox and to send emails from it. Torpig obtains this information from email clients, such as Outlook, Thunderbird, and Eudora. Email items consist of email addresses, which can presumably be used for spam purposes,” the paper outlined.
“Form data items contain the content of HTML forms submitted via POST requests by the victim’s browser. More precisely, Torpig collects the URL hosting the form, the URL that the form is submitted to, and the name, value, and type of all form fields. These data items frequently contain the usernames and passwords required to authenticate with web sites,” the paper added, explaining in a note that even credentials transmitted over HTTPS are not safe from Torpig, “since Torpig can access them before they are encrypted by the SSL layer (by hooking appropriate library functions).”
Torpig also compromised other data, the paper explained: “In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).”
“It is also interesting to observe that 38% of the credentials stolen by Torpig were obtained from the password manager of browsers, rather than by intercepting an actual login session,” the report added.
Of the lessons learned, according to the researchers, the first was that previous estimates of the size of a given botnet, when based on counting distinct IP addresses, may be overestimates. In addition, they observed that the victims of botnets are users with poorly maintained machines, often ones who choose easily guessable passwords.
The researchers made sure that once they started collecting the data, they reported it to law enforcement and ISPs. They did this because, beyond their academic interest, they wanted to limit the damage to the victims and shut the botnet down as best they could. The process of reporting to and working with the various parties proved extremely complicated in certain instances.
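The first lesson above, that distinct IP addresses overstate a botnet's size, is easy to see with a small measurement script. The following is an added Python example, not code from the researchers, and it assumes that the C&C server can see a stable per-bot identifier alongside each contact's source IP (the page does not say how Torpig identifies a host). The contact records are constructed: one bot changes address three times over the day through DHCP, another twice, and two bots share one NAT address. Counting IPs and counting bot identifiers then disagree in both directions, with churn inflating the IP count.

```python
from collections import defaultdict

# Constructed C&C contact records: (timestamp, bot_id, source_ip).
# The bot_id field is an assumption for this example; the page does not
# describe Torpig's host identifier. Addresses are documentation ranges.
SAMPLE_CONTACTS = [
    ("2009-01-25T00:10", "bot-A", "198.51.100.10"),
    ("2009-01-25T06:10", "bot-A", "198.51.100.11"),  # DHCP lease changed
    ("2009-01-25T18:10", "bot-A", "198.51.100.12"),  # and changed again
    ("2009-01-25T01:00", "bot-B", "203.0.113.5"),
    ("2009-01-25T13:00", "bot-B", "203.0.113.9"),
    ("2009-01-25T02:00", "bot-C", "192.0.2.77"),
    ("2009-01-25T02:30", "bot-D", "192.0.2.77"),     # two hosts behind one NAT
]


def count_distinct_ips(records) -> int:
    """The naive size estimate: one bot per distinct source address."""
    return len({ip for _, _, ip in records})


def count_distinct_bots(records) -> int:
    """The better estimate: one bot per stable identifier."""
    return len({bot for _, bot, _ in records})


def ips_per_bot(records) -> dict:
    """bot_id -> set of addresses it was seen from (address churn)."""
    seen = defaultdict(set)
    for _, bot, ip in records:
        seen[bot].add(ip)
    return dict(seen)


def bots_per_ip(records) -> dict:
    """source_ip -> set of bot identifiers behind it (NAT sharing)."""
    seen = defaultdict(set)
    for _, bot, ip in records:
        seen[ip].add(bot)
    return dict(seen)


def size_estimate_report(records) -> dict:
    """Summarise how far an IP-based count drifts from an identifier count,
    and which records explain the drift."""
    ip_count = count_distinct_ips(records)
    bot_count = count_distinct_bots(records)
    return {
        "ip_count": ip_count,
        "bot_count": bot_count,
        "ip_overestimate_factor": round(ip_count / bot_count, 2),
        "churning_bots": sorted(b for b, ips in ips_per_bot(records).items() if len(ips) > 1),
        "shared_ips": sorted(ip for ip, bots in bots_per_ip(records).items() if len(bots) > 1),
    }


if __name__ == "__main__":
    for key, value in size_estimate_report(SAMPLE_CONTACTS).items():
        print(f"{key}: {value}")
```

With the constructed records the IP count is 6 against 4 actual bots, a factor of 1.5, and the report names the two churning bots and the one shared NAT address that cause the discrepancy. On a real takeover the churn is spread over many more hosts and a longer window, which is why the researchers flag IP-based estimates as likely too high.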
“In some cases, simply identifying the point of contact for one of the registrars involved required several days of frustrating attempts. We are sure that we have not been the first to experience this type of confusion and lack of coordination among the many pieces of the botnet puzzle.”
The research paper is an amazing read, if you ever wanted to know more about a botnet. It’s published online and can be viewed by clicking here.
[Images: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, "Your Botnet is My Botnet: Analysis of a Botnet Takeover," UCSB Technical Report, Santa Barbara, CA, April 2009.]