Tuesday, 5 May 2009

Researchers hijack botnet, score 56,000 passwords in an hour

The Torpig botnet was hijacked by the good guys for ten days earlier this year before its controllers issued an update and took the botnet back. During that time, however, researchers were able to gain a glimpse into the kind of information the botnet gathers as well as the behavior of Internet users who are prone to malware infections.

Researchers at the University of California Santa Barbara have published a paper (PDF) detailing their findings after hijacking a botnet for ten days earlier this year. Among other things, the researchers were able to collect 70GB of data that the bots stole from users, including 56,000 passwords gathered within a single hour. The information not only gave them a look at the inner workings of the botnet, they also got to see how secure users really are when it comes to online activities. (Hint: they aren't.)

The botnet in question is controlled by Torpig (also known as Sinowal), a malware program that aims to gather personal and financial information from Windows users. The researchers gained control of the Torpig botnet by exploiting a weakness in the way the bots try to locate their commands and control servers—the bots would generate a list of domains that they planned to contact next, but not all of those domains were registered yet. The researchers then registered the domains that the bots would resolve, and then set up servers where the bots could connect to find their commands. This method lasted for a full ten days before the botnet's controllers updated the system and cut the observation short.

During that time, however, UCSB's researchers were able to gather massive amounts of information on how the botnet functions as well as what kind of information it's gathering. Almost 300,000 unique login credentials were gathered over the time the researchers controlled the botnet, including 56,000 passwords gathered in a single hour using "simple replacement rules" and a password cracker. They found that 28 percent of victims reused their credentials for accessing 368,501 websites, making it an easy task for scammers to gather further personal information. The researchers noted that they were able to read through hundreds of e-mail, forum, and chat messages gathered by Torpig that "often contain detailed (and private) descriptions of the lives of their authors."

(Comically, the report notes that 0.1 percent of Torpig victims love "exchanging insults" online, with another four percent spending their time looking for sex online. The rest are doing relatively mundane things like worrying about grades, looking for advice from doctors and lawyers, looking for jobs, and playing video games.)

Of course, the primary goal of Torpig is to steal financial information like credit card numbers and bank logins. In just ten days, Torpig apparently obtained credentials of 8,310 accounts at 410 financial institutions, including PayPal, Capital One, E*Trade, and Chase. The researchers noted, too, that nearly 40 percent of the credentials stolen by Torpig were from browser password managers, and not actual login sessions, and that the Torpig controllers may have exploited these credentials for between $83,000 and $8.3 million during that time period.

Interestingly, a large number of the financial institutions that had been breached required "monumental effort" in order to notify the victims, according to the report. In fact, financial institutions weren't the only ones—interacting with registrars, hosting facilities, and law enforcement were all "rather complicated," indicating that there's a long way to go in order to make notifying botnet victims easier.

Not becoming a victim in the first place is the most ideal situation, however. The researchers concluded that victims of botnets are usually those with poorly maintained machines and who choose "easily guessable" passwords. " This is evidence that the malware problem is fundamentally a cultural problem," reads the report. "Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer."

No comments:

Post a Comment