Torpig

From Wikipedia, the free encyclopedia

Torpig, also known as Anserin or Sinowal, is a botnet spread by a variety of trojan horses through systems compromised by the Mebroot rootkit, for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that run Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords, and can potentially give attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

By November 2008, it was estimated that Torpig had stolen the details of about 500,000 online bank accounts and credit and debit cards, and it was described as "one of the most advanced pieces of crimeware ever created".[1]

History

Torpig reportedly began development in 2005, evolving from that point to more effectively evade detection by the host system and antivirus software.[2]

In early 2009, a team of security researchers from the University of California, Santa Barbara took control of the botnet for ten days. During that time, they extracted an unprecedented amount (over 70 GB) of stolen data and redirected 1.2 million IP addresses to their private command and control server. The report[3] goes into great detail about how the botnet operates. During the UCSB research team's ten-day takeover of the botnet, Torpig was able to retrieve login information for 8,310 accounts at 410 different institutions, and 1,660 unique credit and debit card numbers from victims in the U.S. (49%), Italy (12%), Spain (8%), and 40 other countries, including cards from Visa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).[4]

Operation

Initially, a great deal of Torpig's spread was attributable to phishing emails that tricked users into installing the malicious software. More sophisticated delivery methods developed since then use malicious banner ads that take advantage of exploits in outdated versions of Java, Adobe Acrobat Reader, Flash Player or Shockwave Player. A type of drive-by download, this method typically does not require the user to click on the ad: once the malicious ad detects the old software version, it redirects the browser to the Torpig download site and the download may commence without any visible indication. To complete its installation into the infected computer's Master Boot Record (MBR), the trojan restarts the computer.[2]

During the main stage of the infection, the malware uploads information from the computer every twenty minutes, including financial data such as credit card numbers and credentials for banking accounts, as well as e-mail accounts, Windows passwords, FTP credentials, and POP/SMTP accounts.[4]
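The fixed twenty-minute upload cadence described above is the kind of regular "beaconing" that network defenders look for. The following script is an added example written for this article, not code from the original page or from any of the cited reports: it parses a handful of constructed proxy log lines (fictional hosts and timestamps, not real Torpig traffic) and flags client/destination pairs whose contact intervals are both frequent and nearly constant. The log format, the field names and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log (not real traffic): "<ISO timestamp> <client IP> <method> <URL>".
# 10.0.0.7 contacts the same host roughly every 1200 s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2009-01-25T10:00:05 10.0.0.7 GET http://example-c2.invalid/upload
2009-01-25T10:07:41 10.0.0.9 GET http://news.example.org/index.html
2009-01-25T10:20:04 10.0.0.7 GET http://example-c2.invalid/upload
2009-01-25T10:33:10 10.0.0.9 GET http://news.example.org/sports
2009-01-25T10:40:07 10.0.0.7 GET http://example-c2.invalid/upload
2009-01-25T11:00:03 10.0.0.7 GET http://example-c2.invalid/upload
2009-01-25T11:20:06 10.0.0.7 GET http://example-c2.invalid/upload
2009-01-25T11:22:55 10.0.0.9 GET http://news.example.org/weather
2009-01-25T11:40:05 10.0.0.7 GET http://example-c2.invalid/upload
"""


def parse_log(text):
    """Return a list of (timestamp, client, destination host) tuples from the assumed log format."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.fromisoformat(fields[0])
        host = urlsplit(fields[3]).hostname
        if host:
            records.append((ts, fields[1], host))
    return records


def find_beacons(records, min_hits=4, max_jitter_ratio=0.1):
    """Flag (client, host) pairs contacted at least min_hits times with near-constant spacing.

    Jitter is measured as population standard deviation of the inter-contact
    intervals divided by their mean; a ratio below max_jitter_ratio means the
    contacts are close to periodic. Returned list is sorted by client then host.
    """
    contacts = defaultdict(list)
    for ts, client, host in records:
        contacts[(client, host)].append(ts)

    hits = []
    for (client, host), times in sorted(contacts.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter_ratio:
            hits.append({
                "client": client,
                "host": host,
                "contacts": len(times),
                "mean_interval_s": avg,
                "jitter_ratio": jitter,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['contacts']} contacts, "
              f"mean interval {hit['mean_interval_s']:.0f}s, jitter {hit['jitter_ratio']:.3f}")
```

On the sample data only 10.0.0.7 is reported, with a mean interval of about 1200 seconds. In practice the thresholds need tuning: legitimate software (update checks, mail clients) also polls on fixed schedules, so a hit is a lead to correlate with the destination's reputation and the uploaded volume, not a verdict on its own.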

References

  1. BBC News. "Trojan virus steals bank info".
  2. Carnegie Mellon University. "Torpig". Archived from the original on 19 May 2015. Retrieved 25 July 2015.
  3. UCSB Torpig report.
  4. Naraine, Ryan (4 May 2009). "Botnet hijack: Inside the Torpig malware operation". ZDNet. Archived from the original on 1 August 2015. Retrieved 1 August 2015.
