RealTime IT News

Researchers Seize Botnet, Peer Into Net's Dark Side

Researchers at the University of California at Santa Barbara got a rare glimpse into the Internet's seamy underside earlier this year when they successfully hijacked a botnet -- and learned key details that may help the IT industry better protect itself from similar threats.

The researchers, from UCSB's computer science department, said they controlled the Torpig botnet for more than a week, studying how it operates to better understand why such threats are able to spread.

During the 10 days they controlled Torpig, also known as Mebroot and Sinowal, they also examined the information it steals from users of the roughly 182,800 infected PCs -- about 17,217 of which were on corporate networks.

In a report issued last month, the researchers said that they observed the botnet making off with more than 69GB worth of data from unsuspecting users -- chiefly bank account credentials and credit card information, which are both highly sought by online criminals.

During their watch, Torpig grabbed 1,660 unique credit or debit card numbers, and information on 8,310 accounts at 410 different financial institutions. Top targets included PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217), they said.

Other data stolen included e-mail addresses, e-mail accounts, and Windows passwords.

The researchers said they provided the information they uncovered to affected financial institutions and to law enforcement.

"Our goal was to understand the characteristics of the victims," Giovanni Vigna, an associate professor at UCSB, told InternetNews.com.

Stolen data

Perhaps most disturbingly, the team also learned that a lot of the damage caused by the botnet might be preventable.

"We found that many of the people who were infected were not using the latest version of their operating system or Web browser," Vigna told InternetNews.com, echoing a common lament among security researchers about the need to keep software up-to-date.

However, they also said that even sophisticated users were victims of the botnet, which uses a "drive-by download" infection technique in which legitimate Web sites are used to install malware.

For instance, Torpig recorded one tech CEO logging into his LinkedIn account and then into three sexually explicit Web sites.

"We wanted to show what information the bad guys have access to," researcher and PhD student Marco Cova explained to InternetNews.com.

Despite the threat posed by Torpig, the research team said that they did not try to disable the botnet, since doing so might have had unintended consequences -- like prompting the criminals to take further safeguards.

"When we do something like this, we show them we can do it," he said. "So the bad guys can do another thing, but it might be more costly for them."

For example, Torpig now uses a more complicated algorithm to decide where to look for instructions, he said -- closing a hole that the researchers exploited to gain control of the botnet.

How to steal a botnet

The researchers' work stemmed from having learned how the botnet decides where to look for instructions, known as its command-and-control servers -- a discovery that they used to hijack the network.

They learned that the botnet used a technique the team calls domain flux, in which Torpig checks a different Web site each week for new orders -- an approach aimed at making it harder for security researchers to anticipate the botnet's next move.
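As an added illustration, not taken from the article or the researchers' paper, the following Python sketch shows the defensive side of domain flux: a hypothetical weekly domain-generation rule, precomputation of the upcoming rendezvous domains so they can be registered, sinkholed or pushed to a DNS blocklist ahead of time, and a check of constructed DNS log lines against that list. The generation rule, seed, TLD list and log format are assumptions and are not Torpig's.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical weekly domain-generation scheme, constructed for illustration;
# it is NOT Torpig's real algorithm. Bot and defender share the same
# deterministic rule: the domain for a week depends only on the seed and the
# ISO year/week number, so whoever knows the rule can compute it in advance.
SEED = b"example-seed"  # assumed shared secret, placeholder value
TLDS = ("com", "net", "biz")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def week_key(day: date) -> str:
    iso_year, iso_week, _ = day.isocalendar()
    return f"{iso_year}-{iso_week:02d}"

def rendezvous_domain(day: date, seed: bytes = SEED) -> str:
    """Domain a bot following this scheme would contact during `day`'s week."""
    digest = hashlib.sha256(seed + week_key(day).encode()).digest()
    label = "".join(ALPHABET[b % 26] for b in digest[:12])
    tld = TLDS[digest[12] % len(TLDS)]
    return f"{label}.{tld}"

def upcoming_domains(start: date, weeks: int, seed: bytes = SEED) -> list[str]:
    """Precompute the rendezvous domains for the next `weeks` weeks so a
    defender can register or sinkhole them before the botmaster does."""
    return [rendezvous_domain(start + timedelta(weeks=i), seed) for i in range(weeks)]

def find_beacons(dns_log: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, domain) for each log line whose queried name is on the
    precomputed list. Assumed line format: '<timestamp> <client> <qname> <qtype>'."""
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] in blocklist:
            hits.append((parts[1], parts[2]))
    return hits

# Constructed sample: four weeks of precomputed domains and a fake DNS log in
# which one host resolves the week-1 and week-2 domains.
START = date(2009, 1, 5)
DOMAINS = upcoming_domains(START, 4)
SAMPLE_LOG = "\n".join([
    f"2009-01-06T10:00:01 10.0.0.7 {DOMAINS[0]} A",
    "2009-01-06T10:00:02 10.0.0.8 www.example.org A",
    f"2009-01-14T09:12:44 10.0.0.7 {DOMAINS[1]} A",
])
```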
