Researchers at the University of California at Santa Barbara got a rare glimpse into the Internet’s seamy underside earlier this year when they successfully hijacked a botnet — and learned key details that may help the IT industry better protect itself from similar threats.
The researchers, from the computer science department at the University of California at Santa Barbara, said they took over the Torpig botnet for more than a week, studying how the botnet works to better understand why such threats are able to spread.
During the 10 days they controlled Torpig, also known as Mebroot and Sinowal, they also examined the information it steals from users of PCs that it’s infected, which number around 182,800 — about 17,217 of which were on corporate networks.
In a report issued last month, the researchers said that they observed the botnet making off with more than 69GB worth of data from unsuspecting users — chiefly bank account credentials and credit card information, which are both highly sought by online criminals.
During their watch, Torpig grabbed 1,660 unique credit or debit card numbers, and information on 8,310 accounts at 410 different financial institutions. Top targets included PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217), they said.
Other data stolen included e-mail addresses, e-mail accounts, and Windows passwords.
The researchers said they provided the information they uncovered to affected financial institutions and to law enforcement.
“Our goal was to understand the characteristics of the victims,” Giovanni Vigna, an associate professor at UCSB, told InternetNews.com.
Perhaps most disturbingly, the team also learned that a lot of the damage caused by the botnet might be preventable.
“We found that many of the people who were infected were not using the latest version of their operating system or Web browser,” Vigna told InternetNews.com, echoing a common lament among security researchers about the need to keep software up-to-date.
However, they also said that even sophisticated users were victims of the botnet, which uses a “drive-by download” infection technique in which legitimate Web sites are used to install malware.
For instance, Torpig recorded one tech CEO logging into his LinkedIn account and then into three sexually explicit Web sites.
“We wanted to show what information the bad guys have access to,” researcher and PhD student Marco Cova explained to InternetNews.com.
Despite the threat posed by Torpig, the research team said that they did not try to disable the botnet, since doing so might have had unintended consequences — like prompting the criminals to take further safeguards.
“When we do something like this, we show them we can do it,” he said. “So the bad guys can do another thing, but it might be more costly for them.”
For example, Torpig now uses a more complicated algorithm to decide where to look for instructions, he said — closing a hole that the researchers exploited to gain control of the botnet.
How to steal a botnet
The researchers’ work stemmed from having learned how the botnet decides where to look for instructions, known as its command-and-control servers — a discovery that they used to hijack the network.
They learned that the botnet used a technique that the team calls domain flux, in which Torpig checks a different Web site each week for new orders — a technique aimed at making it harder for security researchers to anticipate a botnet’s moves.
Determining which site Torpig planned to check for new instructions proved relatively straightforward, however.
That’s because the botnet used a fairly simple algorithm for determining where to look: Torpig took the current date to create a random domain name to check — and then it hunted for that name among the .com, .net, and .biz top-level domains.
The team noted that the botnet’s owners had been registering domains only a few weeks in advance, so they got the jump on them by determining which names Torpig would soon check, and purchased those domains at shady, malware-friendly Web hosts.
That approach enabled the team to begin receiving all the data harvested by the Torpig botnet beginning on Jan. 25.
“Once we realized what we had, we contacted the FBI and the Department of Defense,” Vigna said.
Their .com command-and-control domains were shut down on Jan. 30, 2009 when a bank complained to the .com registrar — but that didn’t strike the team as a failure.
“That was a good sign,” Cova said. “It showed that people were looking for malicious activity.”
The study came to a halt on Feb. 4, however, when the botnet controllers distributed a new version of Torpig that changed the algorithm the botnet used to select a domain.
So will the team be able to repeat the experiment? It might be possible — for now.
“Cova and [fellow researcher] Brett Stone-Gross reverse engineered the [new algorithm] — they recently changed their domain-determination algorithm by including the first letter of the most common subject on Twitter.”
But the approach might not work against every botnet. While hijacking Torpig cost about $20 — the cost of two domain names — the team’s report (available here) noted that newer malware is designed to raise the cost of buying its command-and-control domains.
For instance, recent variants of Conficker generate lists of up to 50,000 domains per day, so buying all of those domains would cost up to $182.5 million per year, or $500,000 per day.
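As an added illustration (not the UCSB team's code, and not Torpig's actual algorithm), the block below uses a constructed date-seeded generator to show what the domain-flux scheme described above lets a defender do: enumerate the names a bot will try in coming weeks so they can be registered or sinkholed ahead of the operators, and, for the Conficker comparison, compute what pre-registering a far larger daily list would cost. The $10 per-domain price is an assumption implied by the article's own figures.

```python
import datetime
import hashlib

# Constructed stand-in for the scheme the article describes: one new name per
# week, derived from the date, tried under three TLDs. NOT Torpig's real DGA.
TLDS = (".com", ".net", ".biz")


def week_seed(day: str) -> str:
    """Map an ISO date to the Monday starting its week; the week is the seed."""
    d = datetime.date.fromisoformat(day)
    monday = d - datetime.timedelta(days=d.weekday())
    return monday.isoformat()


def generate_label(day: str, length: int = 8) -> str:
    """Derive a lowercase alphabetic label from the week's seed (hypothetical)."""
    digest = hashlib.sha256(week_seed(day).encode()).hexdigest()
    letters = [chr(ord("a") + int(c, 16) % 26) for c in digest]
    return "".join(letters[:length])


def candidate_domains(day: str) -> list:
    """Every domain the bot would try during the week containing `day`."""
    label = generate_label(day)
    return [label + tld for tld in TLDS]


def upcoming_domains(start: str, weeks: int) -> list:
    """Names a defender must hold to sinkhole the next `weeks` weeks."""
    d = datetime.date.fromisoformat(start)
    out = []
    for w in range(weeks):
        out.extend(candidate_domains((d + datetime.timedelta(weeks=w)).isoformat()))
    return out


def preregistration_cost(domains_per_day: float, price: float, days: int = 365) -> float:
    """Cost of buying every candidate name for `days` days at `price` each."""
    return domains_per_day * price * days


if __name__ == "__main__":
    # Jan. 25, 2009 is the day the article says data began arriving.
    print(upcoming_domains("2009-01-25", 3))
    # Conficker-style 50,000 names/day at an assumed $10 each: per day and per year
    print(preregistration_cost(50_000, 10, days=1), preregistration_cost(50_000, 10))
```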
Hunting botnets also involves more mundane considerations. Vigna said that before the team hijacked Torpig, he had warned the university’s IT department that there might be some unusual network traffic in the coming weeks.
“They’re used to us sending weird traffic out of our lab, but they like to be informed,” Vigna said. “We didn’t really know what we had or the extent of the information we would collect until we did it.”