Botnet hijack: Inside the Torpig malware operation
Summary: Security researchers at University of California, Santa Barbara have broken into the nerve center of the Torpig botnet (also called Sinowal or Mebroot) to find a 10-day stash of 10,000 bank accounts and credit card numbers worth hundreds of thousands of dollars. During the botnet hijack, the researchers exploited a weakness in the way the bots tried to locate their C&C servers and found an underground online crime operation collecting about 70GB of stolen data over just ten days.
Torpig is an interesting case study because of the sophisticated nature of the operation and the report [.pdf] is a must-read for anyone looking to understand the internals of a computer crime ring.
The botnet was built using an MBR (master boot record) rootkit that executes at boot time, before the operating system is loaded. Once a machine is infected, the malware harvests data and uploads it every 20 minutes. The stolen data includes e-mail accounts, Windows passwords, FTP credentials and POP/SMTP accounts.
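The fixed 20-minute upload cadence described above is the kind of regular beaconing a defender can hunt for in web-proxy logs. The following is an added example, not code from the post or the UCSB report; the log lines and hostnames are constructed, and the 10% jitter threshold is an assumption.

```python
"""Flag (client, destination) pairs whose requests recur at a near-constant
interval, such as the 20-minute upload cycle the post attributes to Torpig.
Added example; the proxy log lines below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<timestamp> <client_ip> <dest_host>"
SAMPLE_LOG = """\
2009-05-01T08:00:05 10.0.0.7 updates.example-vendor.test
2009-05-01T08:00:12 10.0.0.7 news.example.test
2009-05-01T08:20:07 10.0.0.7 updates.example-vendor.test
2009-05-01T08:33:41 10.0.0.7 news.example.test
2009-05-01T08:40:09 10.0.0.7 updates.example-vendor.test
2009-05-01T09:00:04 10.0.0.7 updates.example-vendor.test
2009-05-01T09:20:11 10.0.0.7 updates.example-vendor.test
2009-05-01T09:02:30 10.0.0.7 news.example.test
2009-05-01T08:05:00 10.0.0.9 news.example.test
2009-05-01T08:50:00 10.0.0.9 news.example.test
"""

def parse_log(text):
    """Group request timestamps by (client, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, dest = line.split()
        series[(client, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (client, dest, mean_gap_seconds) for pairs seen at least
    min_hits times whose inter-request gaps vary by less than max_jitter
    (relative population std-dev), i.e. a suspiciously regular cadence."""
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((client, dest, round(avg)))
    return hits

if __name__ == "__main__":
    for client, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest} every ~{gap // 60} min")
```

Human browsing (the news.example.test hits) is irregular and falls below the hit threshold, so only the 20-minute series is reported.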

And, of course, financial data:
In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), CapitalOne (314), E*Trade (304), and Chase (217).
And credit card numbers:
We extracted 1,660 unique credit and debit card numbers from our collected data. Through IP address geolocation, we surmise that 49% of the card numbers came from victims in the US, 12% from Italy, and 8% from Spain, with 40 other countries making up the balance. The most common cards include Visa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).
While 86% of the victims contributed only a single card number, others offered a few more.
Of particular interest is the case of a single victim from whom 30 credit card numbers were extracted. Upon manual examination, we discovered that the victim was an agent for an at-home, distributed call center. It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center's central database for order processing.
The report estimates that the criminal gang behind Torpig profited between $83,000 and $8.3 million over the 10-day period.
For more on the botnet hijack, check out UC Santa Barbara's Torpig project page. More at Slashdot and Threatpost.
Talkback
And this is just one we know about.
Fight fire with fire
how about putting together a nasty little virus that will
beneficial virus
http://www.cknow.com/vtutor/AreThereGoodViruses.html
One of the 4 autonomics
1. Self Configuration
2. Self Healing
3. Self Optimizing
4. Self Protection
Number 4 is the one that hunts down viruses. Of course, no one has been able to achieve Autonomics in any real sense.
True.
It is very difficult to target these crackers, since they start something on one computer and then move to another computer to do some more work and so on, and trying to catch them is fairly difficult. However, if we make enough honeypots for them to crack, we can get an idea of what the crackers are doing. We need to aim our "firepower" accurately and precisely so that innocent people don't get hit.
I love these posts about Botnets and malware.
RE: Botnet hijack: Inside the Torpig malware operation
"Of particular interest is the case of a single victim from whom 30 credit card numbers were extracted. Upon manual examination, we discovered that the victim was an agent for an at-home, distributed call center. It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center's central database for order processing."
This right here makes you wonder: how come this "victim", or in better words, CULPRIT, didn't have them hashed and secured within his/her DB? I'm just curious to know why on this green earth such dumb asses are still allowed to deal with customers, as you see a GENIUS such as this so-called 'victim' should NOT even be alive and working for anyone. I hope he/she gets exposed, so that the call center's customers can cancel each card out.
It's sick to know that there are nitwits like this that answer calls, take your card over the phone and then "KEYSTROKE" them over an unsecured network... I for one believe this shouldn't be allowed unless they have a secured VPN.
Oh well, this is life online, and has opened the doors to many "In the closet criminals."
Is the call center protected?
And yet all their internal stuff is messaged in clear; nothing is encrypted, I'll bet. This begs the question: Who's minding the store at that call center? They should be publicly exposed for such poor anti-malware practices that they got infected in the first place.
The bosses are guilty for not ordering their systems people to make their servers secure.
The systems people are just as guilty for not making their bosses aware that there are very bad things out there on the web, and they have only one target. MONEY! The other guy's, and they will do any and every thing they can to get it. Some or all of it!
Let's find out who and where that call center is and publicly expose them.
You're thinking this may put them out of business. I say with such shoddy security, they don't deserve to be in business! Answer yourself this. Would you do business with such a place, knowing that there is a very strong possibility that your card will be billed for something else you'll have no knowledge about until you receive the monthly bill. Will you be able to recognize that charge as bogus, and thus, a theft perpetrated on you? Will you, at that point, even have an inkling of which company leaked, let alone know who the leaky company is, for sure?
VPN
encryption on disk won't help if the entry was keylogged
Merely the action of keying them in is adequate for malware's purposes.
Very true...
If you use XP - Snoopfree Privacy Shield rules!! The only input/output firewall I know of so far. I've personally seen in combat - tested on at least 1000 machines since 2001, and nary one failure. As long as you don't fudge up the installation, if that happens, you got malware blocking it.
Wish someone would write one for Vista x64, I'd gladly pay for it!
That Work From Home Is Inappropriate
they were NOT secure
They got hacked because one of their employees did something Verboten in this digital age of wild viruses and internet credit card theft.
I'm not even accusing the employee whose station was the one used for a gateway to obtain the information, as some "not so honest" colleague could have been using that station while the rightful user was out to lunch. Maybe someone was using the station to look at porn or downloading music with the very fast connection a call center would have when compared with even a fast ADSL home line.
That company should find out who the real culprit is who let the virus in and take appropriate action.
Get an antivirus and anti-spyware package. Those things do NOT come free for enterprises, but there are a lot of them better than Norton or McAfee.
RE: Botnet hijack: Inside the Torpig malware operation
Sorry, I just don't put anything on my computers..