Tuesday, May 5, 2009

Torpig Botnet Takeover

Torpig, also known as Mebroot or Sinowal, was discovered in October 2008 by RSA after 3 years of operation without detection; at that time RSA's researchers estimated that around 500,000 financial accounts had been compromised. Torpig's main focus is the user's financial information.

Researchers from the University of California, Santa Barbara revealed details of their takeover of the Torpig botnet, which they controlled for 10 days in January/February 2009.

Takeover Process:
- Torpig uses domain flux, so sinkholing the connections from the bots to the C&C server allowed the researchers to take over the botnet's C&C.
- In cooperation with the domain registrar, they mapped the C&C domain to a machine under the researchers' control.

Botnet Operation Observations:
- Every 20 minutes the infected machine sends the C&C server all captured information over HTTP, obfuscated with XOR and base64 encoding.
- The C&C server's reply can be a new configuration file with new communication parameters; these commands are obfuscated using XOR-11 encoding.
- Each bot uses a domain generation algorithm (DGA) to compute a list of domain names.
- The Torpig authors did not register all the domains in advance, which allowed the researchers to take control of the botnet.
- 22% of infected hosts are corporate machines.
- The botnet size is more than 180,000 machines.
- Torpig also operates SOCKS and HTTP proxies on the infected machine.
- The Torpig operators' profit is estimated at between 83K and 8M US$ in just 10 days of activity!!
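To illustrate the sinkhole side of the observations above, here is an added example (not code from the UCSB researchers or from Torpig) of how an analyst receiving the obfuscated bot reports can strip the XOR-plus-base64 layer and parse the captured fields. The page gives no details of Torpig's real encoding, so the single-byte XOR key, the form-encoded field layout and the sample report are all assumptions constructed for this example.

```python
import base64
import re

# Constructed sample of a bot report as the post describes it: XOR-obfuscated,
# then base64-encoded so it travels as plain text in an HTTP request. The key,
# the field layout and the values are assumptions, not Torpig's real format.
SAMPLE_KEY = 0x11
SAMPLE_PLAINTEXT = (
    b"ts=1241481600&host=WORKSTATION-7&form=https://bank.example/login&user=alice"
)

# A plausible report looks like form-encoded "name=value" fields joined by '&'.
FIELD_RE = re.compile(r"[a-z]+=[\x20-\x7e]*")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; the same call removes the obfuscation."""
    return bytes(b ^ key for b in data)


def obfuscate(plaintext: bytes, key: int) -> str:
    """Bot side: XOR the report, then base64 it for transport over HTTP."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def field_score(candidate: bytes) -> int:
    """Count how many '&'-separated segments look like well-formed fields."""
    text = candidate.decode("latin-1")
    return sum(1 for seg in text.split("&") if FIELD_RE.fullmatch(seg))


def recover_key(encoded: str) -> int:
    """Sinkhole side: the key is not known up front, so try every single-byte
    key and keep the one whose output looks most like a form-encoded report."""
    raw = base64.b64decode(encoded)
    return max(range(256), key=lambda k: field_score(xor_bytes(raw, k)))


def decode_report(encoded: str) -> dict:
    """Recover the key, remove the obfuscation and parse the captured fields."""
    raw = base64.b64decode(encoded)
    plain = xor_bytes(raw, recover_key(encoded)).decode("latin-1")
    return dict(field.split("=", 1) for field in plain.split("&"))


SAMPLE_ENCODED = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", hex(recover_key(SAMPLE_ENCODED)))
    print(decode_report(SAMPLE_ENCODED))
```

Because the scoring relies on the expected report structure rather than on a known key, the same decoder also flags reports whose layout changed after a new configuration file was pushed.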

