Torpig Botnet Hijacking Reveals 70GB Of Stolen Data


We did mention Torpig in passing back in January 2008 when talking about the Mebroot rootkit which digs down deep into the Master Boot Record.

It seems like Torpig has been pretty active since then and the latest break is that some security researchers have managed to infiltrate the botnet and collect some data on what it’s doing.

I always enjoy reading about these ‘insider’ stories though as it’s hard to know unless someone gets access what these botnet fellas are really achieving.

Security researchers have managed to infiltrate the Torpig botnet, a feat that allowed them to gain important new insights into one of the world’s most notorious zombie networks by collecting an astounding 70 GB worth of data stolen in just 10 days.

During that time, Torpig bots stole more than 8,300 credentials used to login to 410 different financial institutions, according to the research team from the University of California at Santa Barbara. More than 21 percent of the accounts belonged to PayPal users. Overall, a total of almost 298,000 unique credentials were intercepted from more than 52,000 infected machines.

One of the secrets behind the unusually large haul is Torpig’s ability to siphon credentials from a large number of computer programs. After wrapping its tentacles around Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and 26 other applications, Torpig constantly monitors every keystroke entered into them. Every 20 minutes, the malware automatically uploads new data to servers controlled by the authors.

It seems like once Torpig is dug into the machine it can get hold of everything, being based on a low level rootkit it can intercept anything including important credentials from financial institutions and money services like Paypal.

The numbers are quite huge with the malware having the ability to steal all kinds of accounts and access details from both software and web based applications.

In all, the researchers counted more than 180,000 infected PCs that connected from 1.2 million IP addresses. The data underscores the importance of choosing the right methodology for determining the actual size of a botnet and, specifically, not equating the number of unique IP addresses with the number of zombies. “Taking this value as the botnet size would overestimate the actual size by an order of magnitude,” they caution.

Torpig, which also goes by the names Sinowal and Anserin, is distributed through Mebroot, a rootkit that takes hold of a computer by rewriting the hard drive’s master boot record. As a result, Mebroot is executed during the early stages of a PC’s boot process, allowing it to bypass anti-virus and other security software.
By infiltrating Torpig, the researchers were able to become flies on the wall that could watch infected users as they unwittingly handed over sensitive login credentials. One victim, an agent for an at-home, distributed call center, transmitted no fewer than 30 credit card numbers, presumably belonging to customers, the researchers guessed.

The number of unique IP addresses per infection is quite interesting too and it shows if you estimate the size of a botnet by unique IP addresses you could easily be out by a factor of 5.

And wow, infecting a call center PC dealing with credit cards? That must be a botnet masters wet-dream – that really is a gold mine.

Imagine if they could spread the infection through the whole call-center, they would be rolling in credit card details.

Source: The Register

Posted in: Malware, Privacy, Spammers & Scammers

, , , , , , ,


Latest Posts:


Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc


Comments are closed.