Supping with the enemy: researchers take control of botnet
Earlier this year, researchers at the University of Santa Barbara in California were able to take control of the Torpig botnet, also known as Sinowal, for ten days. Virus specialists consider Torpig to be a highly developed trojan for Windows, which sniffs out bank account and credit card details and FTP accounts. Over the past three years, using various versions, the virus authors are estimated to have read data from more than 300,000 different accounts and sent this data to a database. Torpig writes itself to the hard drive master boot record and uses rootkit techniques to avoid detection by anti-virus software.
The researchers achieved their recent coup using a similar technique to that currently being used by the Conficker Working Group to keep the Conficker worm more or less under control – they registered the domains which the Torpig bots contact to upload their data, download updates and receive orders. To achieve this, they first had to reverse-engineer the (deterministic) domain generation algorithm (DGA) which the bots use to continuously calculate new domains (domain flux), and then set up a server at those domains to wait for the bots to connect. According to the report, cooperation from registrars and hosting companies was not always good.
This technique was first used against the Srizbi botnet in November 2008: after the McColo hosting service was taken down, the bots switched to an emergency communication channel to re-establish contact with their control server. Since then, botnet operators have increasingly been switching from fast flux networks to domain flux networks to keep in touch with infected PCs. In fast flux networks the domain name remains constant, but the IP addresses it resolves to change constantly and point to infected computers rather than a single command server.
The Torpig botnet operators have now, however, modified their domain generation algorithm, seeding it with a random component, making it harder to predict and consequently harder to register a domain in advance. As its random seed, the botnet operators use the Twitter API to query the weekly search term trends.
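The three preceding paragraphs describe the defensive idea behind the takeover: if a DGA depends only on the date, a defender can compute tomorrow's domains today, register them (or at least watch for lookups of them), and an unpredictable seed such as a live Twitter trend removes that head start. The following Python is an added example written for this article, not code from the researchers' report or from Torpig itself. The `toy_dga` function is a constructed, hypothetical DGA (Torpig's real algorithm is not reproduced here), the DNS log lines are constructed, and the optional `seed` argument merely models the effect of mixing in an external value.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical TLD rotation for the constructed DGA.
TLDS = ("com", "net", "biz")


def toy_dga(day: date, count: int = 5, seed: bytes = b"") -> list[str]:
    """Constructed, date-driven DGA (NOT Torpig's algorithm).

    With seed == b"" the output depends only on the date, so anyone who knows
    the algorithm can precompute it. A non-empty seed models the later change
    described in the article: a value fetched at run time (Twitter trends)
    is mixed in, so the domains cannot be computed ahead of time.
    """
    domains = []
    for i in range(count):
        material = f"{day.isoformat()}:{i}".encode() + seed
        digest = hashlib.sha256(material).hexdigest()
        # Map 12 hex digits onto letters a-p to form a plausible-looking label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def sinkhole_candidates(start: date, days: int) -> set[str]:
    """Domains a defender could register in advance for a date-only DGA."""
    out: set[str] = set()
    for d in range(days):
        out.update(toy_dga(start + timedelta(days=d)))
    return out


def flag_dga_lookups(log_lines: list[str], candidates: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, domain) pairs for DNS queries that hit predicted domains.

    Expected log format (constructed): "<timestamp> <client_ip> <qname>."
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in candidates:
            hits.append((client, qname))
    return hits


# --- constructed sample input ---------------------------------------------
SAMPLE_DAY = date(2009, 5, 4)
PREDICTED = toy_dga(SAMPLE_DAY)
SAMPLE_DNS_LOG = [
    f"2009-05-04T10:00:01 10.0.0.5 {PREDICTED[0]}.",
    "2009-05-04T10:00:02 10.0.0.7 www.example.com.",
    f"2009-05-04T10:00:03 10.0.0.5 {PREDICTED[2]}.",
    "2009-05-04T10:00:04 10.0.0.9 mail.example.net.",
    "garbage-line",
]


def demo() -> list[tuple[str, str]]:
    """Precompute ten days of domains and scan the sample log against them."""
    candidates = sinkhole_candidates(date(2009, 5, 1), 10)
    return flag_dga_lookups(SAMPLE_DNS_LOG, candidates)


if __name__ == "__main__":
    for client, domain in demo():
        print(f"{client} queried predicted DGA domain {domain}")
    # Same date, but with an external seed: the precomputed list no longer applies.
    print("seeded output differs:", toy_dga(SAMPLE_DAY, seed=b"trend") != PREDICTED)
```

The point of the last line is the one the article makes: once the seed comes from something the defender cannot know in advance, `sinkhole_candidates` can no longer be run ahead of time, and the registration race is lost; detection then has to fall back on the lexical or behavioural properties of the lookups rather than an exact precomputed list.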
During the ten days in which they had control of the botnet, the researchers made some interesting observations. Although they recorded more than 1.2 million IP addresses for infected systems, on the basis of unique bot IDs recorded, this turned out to represent only 180,000 systems. Since previous estimates of Conficker infections have been based on IP addresses, this figure may also be out by a factor of seven.
Over these ten days Torpig sent large volumes of data to the researchers, including details of 8310 accounts at 410 different financial institutions. In first place was PayPal, with 1770 accounts, followed by Poste Italiane with 765, Capital One with 314 and E*Trade with 304. There were also 1,700 sets of credit card details, mostly from the USA. In total the bots transferred 70 GB of data, which also included access details for many hundreds of thousands of email, FTP and other online accounts such as Google, Facebook and MySpace. In collaboration with the authorities, the researchers later used the collected data to inform the victims.
The origin of Torpig/Sinowal and who controls it remain the subject of speculation. The trojan is thought to have originally been operated by Russian criminals with connections to the Russian Business Network (RBN). However, the RBN no longer appears to have any major involvement.
The complete 13 page report is available to download: Your Botnet is My Botnet: Analysis of a Botnet Takeover.