hackers steal money

I recently watched an interesting video lecture on stealing botnets. A group of researchers at UCSB recently managed to take control over a part of the Torpig botnet for 10 days. During this time, they observed 180 thousand infections and recorded almost 70GB of data that the bots collected. This data included submitted form information from all the websites the infected person had visited, SMTP, FTP, POP3 and Windows passwords, credit card numbers, and passwords from various password managers.

Here are the most interesting facts from the lecture:

Torpig uses a technique called "domain fluxing" to avoid being shut down by simply blocking the IP or the domain name of control center servers. The idea is simple - depending on date and time the algorithm generates a domain name to connect to. If the domain gets shut down, the bots will simply use a different domain after some time.

The researchers were able to take control over a part of the botnet by cracking the domain name generating algorithm and registering some of the domain names to be used for communication in the future.

The bad guys noticed that a part of the botnet had been taken over and pushed a software update to all bots with a new domain flux algorithm, which used Twitter's popular topics for the day to generate domain names. It was no longer possible to predict the domain that would be used tomorrow.
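To make the domain fluxing and takeover concrete, here is a toy date-seeded domain generator together with the two things a defender does once the generator is known: precompute the upcoming domains (to register or sinkhole them, as the researchers did) and flag DNS queries that hit them. This is an added example, not Torpig's real algorithm and not the researchers' code; the seed, TLD list and dates are constructed.

```python
import datetime as dt
import hashlib

# Constructed toy generator: one domain per day, derived from a secret seed and the date.
# It is NOT Torpig's real algorithm; it only shows the date-dependence the lecture describes.
SEED = b"constructed-seed"
TLDS = ("com", "net", "biz")


def flux_domain(day_iso: str, seed: bytes = SEED) -> str:
    """Deterministically derive the rendezvous domain for one day ("YYYY-MM-DD")."""
    digest = hashlib.sha256(seed + day_iso.encode()).digest()
    length = 8 + digest[0] % 5                      # label of 8..12 letters
    label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
    return f"{label}.{TLDS[digest[-1] % len(TLDS)]}"


def upcoming_domains(start_iso: str, days: int, seed: bytes = SEED) -> list:
    """What a sinkhole operator precomputes once the generator is known: the domains
    the bots will try on each of the next `days` days, starting at `start_iso`."""
    start = dt.date.fromisoformat(start_iso)
    return [flux_domain((start + dt.timedelta(days=i)).isoformat(), seed)
            for i in range(days)]


def is_flux_domain(name: str, today_iso: str, window: int = 3, seed: bytes = SEED) -> bool:
    """Resolver-side check: does a queried name match the generator's output for any
    day within +/- `window` days of today? Clock skew on infected hosts is why a
    window, not just today's domain, is checked. Used to block the query or to
    alert on the host that made it."""
    first = (dt.date.fromisoformat(today_iso) - dt.timedelta(days=window)).isoformat()
    candidates = set(upcoming_domains(first, 2 * window + 1, seed))
    return name.lower().rstrip(".") in candidates


if __name__ == "__main__":
    # Constructed date; prints the next ten rendezvous domains a sinkhole would register.
    for domain in upcoming_domains("2009-01-25", 10):
        print(domain)
```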

When communicating with the command & control server, the bots included a unique id field generated from the machine's hardware. This allowed the researchers to estimate the real number of unique infected computers: they saw 1.2 million unique IP addresses but only 180k unique machines.

The bots would steal financial data from 410 financial institutions (top 5: PayPal, Poste Italiane, Capital One, E*Trade, Chase), they would log credit card information (top 5 cards: Visa, Mastercard, American Express, Maestro, Discover), and they would also steal all the passwords from browser's password manager.

In a 2008 study Symantec estimated that credit card information is valued at $.10 to $25 per card in the underground market, and bank account information at $10.00 to $1,000 per account. Using this study, the researchers estimated that the financial data the bots collected during the 10-day period was worth $83k to $8.3 million.

Using various estimates, the researchers calculated that if the bots were used for denial of service, the total bandwidth would be 17Gbps.

Researchers observed that there was a fraction of people who'd fill out the phishing page and then immediately email the company's security group telling them that they may have been victims of identity theft.

Since Torpig was sending all the HTTP POST data and emails to command & control servers, researchers did statistics on emails and found out that 14% of all captured emails were about jobs and resumes, 10% discussed computer security/malware, 7% discussed money, 6% were sports fans, 5% were worried about exams and their grades, 4% were seeking partners online.

Researchers collected 300,000 unique credentials on 370,000 websites. 28% of people reused their password on multiple domains. There were 173,686 unique passwords.

Researchers converted the passwords to Unix format and tried to crack them with John the Ripper. 56,000 were cracked in less than 65 minutes using brute force. Using a wordlist, 14,000 passwords were cracked in the next 10 minutes, and another 30,000 passwords were cracked in the next 24 hours. That's 58% of all passwords cracked in 24 hours.
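The reuse and uniqueness figures above come from grouping captured credentials per user and per password. The following added example (not the study's code or data) does that over a constructed credential sample and also reports, per reusing user, which sites a single leaked password unlocks, which is the number a security team cares about when deciding whom to force-reset.

```python
from collections import defaultdict

# Constructed sample of captured (user, site, password) records; not data from the study.
RECORDS = [
    ("alice", "bank.example",  "Tr0ub4dor&3"),
    ("alice", "mail.example",  "Tr0ub4dor&3"),
    ("alice", "shop.example",  "zebra-lamp-42"),
    ("bob",   "bank.example",  "hunter2"),
    ("bob",   "forum.example", "hunter2"),
    ("bob",   "shop.example",  "hunter2"),
    ("carol", "bank.example",  "c0rrect-horse"),
    ("carol", "mail.example",  "battery-staple"),
    ("dave",  "shop.example",  "hunter2"),
]


def reuse_report(records):
    """Group credentials by user and password, then report:
    - how many users reuse one password on more than one site (the 28% figure)
    - how many distinct passwords the dump contains
    - per reusing user, the sites a single leaked password unlocks (blast radius)."""
    sites_by_user_pw = defaultdict(lambda: defaultdict(set))
    for user, site, pw in records:
        sites_by_user_pw[user][pw].add(site)

    blast_radius = {}
    for user, pws in sites_by_user_pw.items():
        shared = [sorted(sites) for sites in pws.values() if len(sites) > 1]
        if shared:
            blast_radius[user] = shared

    users = len(sites_by_user_pw)
    return {
        "records": len(records),
        "users": users,
        "unique_passwords": len({pw for _, _, pw in records}),
        "reusing_users": len(blast_radius),
        "reuse_fraction": len(blast_radius) / users if users else 0.0,
        "blast_radius": blast_radius,
    }


if __name__ == "__main__":
    for key, value in reuse_report(RECORDS).items():
        print(f"{key}: {value}")
```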

You're welcome to watch the video lecture. It's 1h 15m long. It's presented by Richard A. Kemmerer.

Here are all the topics in the lecture:

  • [02:00] Botnet terminology - bot, botnet, command & control server, control channel, botmaster.
  • [03:00] Introduction to the Torpig trojan and Mebroot malware platform.
  • [05:00] How Torpig works.
  • [11:30] Torpig HTML injection.
  • [15:00] Domain fluxing.
  • [19:15] Taking over Torpig's C&C server.
  • [24:10] Data collection principles.
  • [26:00] C&C server protocol.
  • [31:10] Botnet's size estimation.
  • [37:00] Botnet's threats: theft of financial information, denial of service, proxy servers, privacy thefts.
  • [37:30] Threat: Theft of financial information.
  • [42:00] Threat: Denial of service.
  • [43:30] Threat: Proxy servers.
  • [44:20] Threat: Privacy theft.
  • [47:00] Password analysis.
  • [50:40] Criminal retribution.
  • [53:00] Law enforcement.
  • [58:00] Repatriating the data.
  • [01:00:00] Ethics.
  • [01:02:00] Conclusions.
  • [01:06:00] Questions and answers.

For more information see the publication "Your Botnet is My Botnet: Analysis of a Botnet Takeover."

Comments

January 24, 2010, 15:17

Hello,
I watched the video. However, I missed some answers:

1. Did the UCSB talk to Twitter to get the data before Torpig?

Even if they got it before Torpig, it would not make a big difference, because Torpig would change the DGA again. But I would like to know what Twitter said.

2. Is there evidence that Torpig is located in China?

Sorry, if both questions are already answered in the video.

Regards,
Werner

January 24, 2010, 20:21

Hello Werner!

1. The researcher didn't mention talking to Twitter. I guess not.

2. They didn't talk about it and I don't know the answer either. But most likely, yes.

January 24, 2010, 21:23

Hello Peter, please watch at 21:00

January 24, 2010, 21:38

2. Richard didn't say the word "China" but I think he meant China.

Again, is there evidence?

January 24, 2010, 22:04

Werner, just watched at 21:00. I was wrong, he says that they talked to Twitter. :)

Still no idea about China. If I had to put my bets on someone, I'd put them on Russia and Ukraine. That's where the smartest botnet folks are.

January 26, 2010, 02:47

Hey Peteris, be not mistaken. I am a dedicated follower of your posts. Just being a little silent. :)

Would love to see more on Unix/Perl hacks/tips.

byron agetz
October 08, 2013, 03:37

Stealing is a serious crime that many hackers commit to run their business. The most up-to-date security for your identity helps you protect against theft, which can happen to you at any time.
