Researchers from University of California, Santa Barbara revealed details on taking over Torpig botnet for 10 days in January/February 2009.
Takeover Process:
- Torpig uses domain flux, so sinkholing the connection from the bots to the C&C server allowed the researchers to take over the botnet's C&C.
- In cooperation with the domain registrar, they managed to map the C&C domain to a machine under their control.
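The takeover rests on the bots computing their C&C domains from a deterministic algorithm that defenders can run ahead of time. The following is an added illustration, not code from the researchers or from Torpig: the domain generation algorithm here is a constructed, hypothetical one (a date-seeded SHA-256 hash), since the page does not describe Torpig's actual algorithm, and the `registered` set is constructed sample data standing in for a WHOIS lookup. It shows how a defender enumerates the upcoming domains and spots the ones the operator has not registered yet, which are the ones that can be pointed at a sinkhole.

```python
import hashlib
from datetime import date, timedelta

# Constructed TLD rotation for the hypothetical DGA below (not Torpig's).
TLDS = ("com", "net", "biz")


def toy_dga(day: date, count: int = 3) -> list[str]:
    """Hypothetical DGA: derive `count` candidate C&C domains for `day`.

    Constructed for illustration; it is NOT the algorithm Torpig used.
    Every bot running the same algorithm on the same date lands on the
    same list, which is exactly what lets a defender precompute it.
    """
    domains = []
    for i in range(count):
        seed = f"{day.isoformat()}-{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        # 12 hex characters form the label; the TLD rotates per candidate.
        domains.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return domains


def unregistered_candidates(start: date, days: int,
                            registered: set[str]) -> dict[str, list[str]]:
    """Report, per day, the upcoming DGA domains nobody has registered yet.

    `registered` stands in for a registrar/WHOIS check (constructed here).
    The returned domains are the sinkholing opportunities: a defender who
    registers them first receives the bots' traffic when that day arrives.
    """
    result: dict[str, list[str]] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        pending = [d for d in toy_dga(day) if d not in registered]
        if pending:
            result[day.isoformat()] = pending
    return result


if __name__ == "__main__":
    start = date(2009, 1, 25)
    # Constructed scenario: the operator registered only the first domain
    # of the first day and nothing further ahead.
    registered = {toy_dga(start)[0]}
    for day, domains in unregistered_candidates(start, 3, registered).items():
        print(day, "->", ", ".join(domains))
```

Run as a script, it prints three days of candidate domains; only the first day has one domain already taken in the constructed scenario, and everything else is available for the defender to claim.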
Botnet Operation Observations:
- Every 20 minutes the infected machine sends the C&C server all captured information over HTTP, obfuscated with XOR and base64 encoding.
- The C&C server's reply can be a new configuration file with new communication parameters; these commands are obfuscated using XOR-11 encoding.
- Each bot uses a domain generation algorithm (DGA) to compute a list of domain names.
- The Torpig authors did not register all the domains in advance, which allowed the researchers to take control of the botnet.
- 22% of infected hosts are corporate.
- Botnet size is more than 180,000 machines.
- Torpig also operates SOCKS and HTTP proxies on the infected machine.
- Profit of the Torpig operators ranges from 83K to 8M US$ in just 10 days of activity!
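The bot-to-C&C traffic described above is only obfuscated, not encrypted, which is why a sinkhole operator can read what the bots upload. The following is an added example, not code from the page or the researchers: a repeating-key XOR plus base64 codec and a small helper that decodes captured POST bodies. The page does not give the XOR key, so the one-byte key `0x0b` and the captured payload lines are constructed placeholders, and the `;`-separated field layout inside the payload is invented for the example.

```python
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key` (a one-byte key is the common case)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: bytes, key: bytes) -> str:
    """Bot side of the scheme: XOR, then base64 for transport over HTTP."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def deobfuscate(payload_b64: str, key: bytes) -> bytes:
    """Analyst side: reverse base64, then XOR with the same key."""
    return xor_bytes(base64.b64decode(payload_b64, validate=True), key)


def decode_captured_posts(lines: list[str], key: bytes) -> list[dict[str, str]]:
    """Decode constructed POST bodies of the form 'data=<base64>' into records.

    The decoded payload is assumed (constructed layout, not Torpig's) to be
    'field=value' pairs separated by ';'. Malformed lines are skipped rather
    than aborting the whole batch, since a sinkhole sees plenty of junk.
    """
    records = []
    for line in lines:
        if not line.startswith("data="):
            continue
        try:
            clear = deobfuscate(line[len("data="):], key).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not our key: skip
        record = dict(pair.split("=", 1) for pair in clear.split(";") if "=" in pair)
        if record:
            records.append(record)
    return records


# Constructed placeholder key; the page names XOR but not the key value.
KEY = b"\x0b"

if __name__ == "__main__":
    # Constructed sample of what a sinkhole might log from two bots.
    captured = [
        "data=" + obfuscate(b"bot=alpha;host=ws-17;kind=form", KEY),
        "data=not-base64!!",
        "data=" + obfuscate(b"bot=beta;host=srv-02;kind=cookie", KEY),
    ]
    for rec in decode_captured_posts(captured, KEY):
        print(rec)
```

The decoder deliberately tolerates bad lines and reports only well-formed records, so it can be run over a whole capture at once.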
More details can be found here.