I recently watched an interesting video lecture on stealing botnets. A group of researchers at UCSB recently managed to take control over part of the Torpig botnet for 10 days. During this time they observed about 180,000 infections and recorded almost 70GB of data that the bots had collected. This data included the information submitted in forms on every website the infected person visited, SMTP, FTP, POP3 and Windows passwords, credit card numbers, and passwords from various password managers.
Here are the most interesting facts from the lecture:
Torpig uses a technique called "domain fluxing" to avoid being shut down by simply blocking the IP address or domain name of the command & control servers. The idea is simple: the bot derives the domain name it connects to from the current date and time, and the botmaster registers those domains ahead of time. If one domain gets shut down, the bots simply move on to the next generated domain after some time.
The researchers were able to take control over part of the botnet by reverse-engineering the domain generation algorithm and registering, before the botmaster did, some of the domain names the bots would use in the future.
The bad guys noticed that part of the botnet had been taken over and pushed a software update to all bots with a new domain flux algorithm, which used the day's trending topics on Twitter to generate domain names. Since that input is not known in advance, it was no longer possible to predict the domain that would be used tomorrow.
When communicating with the command & control server, the bots included a unique ID field generated from the machine's hardware. This allowed the researchers to estimate the real number of unique infected computers rather than counting IP addresses, which change over time (DHCP leases, for example) and therefore overcount: they saw 1.2 million unique IP addresses but only about 180,000 unique machines.
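To make domain fluxing and the takeover concrete, here is an added Python example. It is not code from the lecture, the paper or Torpig: the algorithm is a hypothetical SHA-256-based DGA, and the label length, TLD list and start date are assumptions. With only the date as input, every future domain is computable in advance, which is exactly what let the researchers register domains ahead of the botmaster; an extra seed that bots only learn on the day itself models the later Twitter-topics variant.

```python
import hashlib
import re
from datetime import date, timedelta

# Hypothetical DGA parameters for illustration; not Torpig's real algorithm.
TLDS = ("com", "net", "biz")
LABEL_LEN = 10
DOMAIN_RE = re.compile(r"^[a-z]{10}\.(com|net|biz)$")
EXAMPLE_START = date(2009, 1, 25)  # assumed start of the observation window


def dga_domain(day: date, seed: bytes = b"") -> str:
    """Derive the C&C domain for one calendar day.

    With seed=b"" the only input is the date, so anyone who has the
    algorithm can compute the domain for any future day.  Mixing in a
    seed the bots only learn on the day itself (the trending topics in
    the updated Torpig variant) destroys that predictability.
    """
    digest = hashlib.sha256(day.isoformat().encode() + b"|" + seed).digest()
    # Map the first LABEL_LEN digest bytes to lowercase letters.
    label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
    tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
    return f"{label}.{tld}"


def future_domains(start: date, days: int, seed: bytes = b"") -> list[str]:
    """Domains the bots will try from `start` for `days` days: the list a
    defender can pre-register (or a botmaster buys ahead of time)."""
    return [dga_domain(start + timedelta(days=i), seed) for i in range(days)]


def takeover_plan(start: date, days: int, already_registered: set[str]) -> list[str]:
    """Future domains not yet registered by the botmaster, i.e. the ones a
    defender can still buy to receive the bots' traffic."""
    return [d for d in future_domains(start, days) if d not in already_registered]


if __name__ == "__main__":
    print("Predictable DGA, next 5 days:")
    for d in future_domains(EXAMPLE_START, 5):
        print("  ", d)
    print("Same day with an unpredictable seed:")
    print("  ", dga_domain(EXAMPLE_START, b"trending topic of the day"))
```

Running it prints the same five domains every time, which is the property a sinkhole operator relies on; change the seed and the output for the same day is unrelated, so nothing can be registered in advance.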
The bots would steal financial data from 410 financial institutions (top 5: PayPal, Poste Italiane, Capital One, E*Trade, Chase), they would log credit card information (top 5 cards: Visa, Mastercard, American Express, Maestro, Discover), and they would also steal all the passwords from browser's password manager.
In a 2008 study Symantec estimated that credit card information sells for $0.10 to $25 per card on the underground market, and bank account information for $10 to $1,000 per account. Using these figures, the researchers estimated that the financial data the bots collected during the 10-day period was worth between $83,000 and $8.3 million.
From various estimates the researchers calculated that if the bots were used for denial of service, their total bandwidth would be about 17 Gbps.
Researchers observed that there was a fraction of people who'd fill out the phishing page and then immediately email the company's security group telling that they may have been victims of identity theft.
Since Torpig was sending all HTTP POST data and emails to the command & control servers, the researchers analysed the captured emails and found that 14% were about jobs and resumes, 10% discussed computer security or malware, 7% discussed money, 6% were from sports fans, 5% were worried about exams and grades, and 4% were seeking partners online.
Researchers collected 300,000 unique credentials on 370,000 websites. 28% of people reused their password on multiple domains. There were 173,686 unique passwords.
The researchers converted the passwords to Unix password-file format and tried to crack them with John the Ripper. 56,000 were cracked in less than 65 minutes (John's fast first pass applies simple mangling rules rather than an exhaustive brute-force search). Using a wordlist, another 14,000 passwords were cracked in the next 10 minutes, and another 30,000 were cracked in the following 24 hours. That is 100,000 passwords, or 58% of all passwords, cracked in about a day.
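The two measurements above, password reuse across domains and staged cracking, are easy to reproduce on a small scale. The Python below is an added example, not the researchers' tooling or data: the credential list and wordlist are constructed, SHA-256 stands in for the Unix crypt hash that John actually consumes (the deprecated `crypt` module is avoided), and the mangling rules are a tiny subset of what John's single and wordlist modes do. It shows why username-derived and dictionary guesses recover so much so quickly, and which kinds of passwords survive.

```python
import hashlib
from collections import defaultdict

# Constructed sample of captured credentials (site, username, password); not real data.
CREDENTIALS = [
    ("bank.example", "alice", "alice123"),
    ("shop.example", "alice", "alice123"),
    ("mail.example", "alice", "alice123"),
    ("forum.example", "bob", "password"),
    ("bank.example", "bob", "K9$wq!Zp2Lm"),
    ("shop.example", "carol", "Summer2009"),
    ("news.example", "dave", "letmein"),
    ("news.example", "erin", "x7#Qv!9pRs"),
]

# Small constructed wordlist standing in for the large one John would use.
WORDLIST = ["password", "letmein", "summer", "dragon", "qwerty"]


def reuse_stats(creds):
    """(unique credentials, unique passwords, fraction of users who reuse a
    password on more than one domain)."""
    unique_creds = {(u, p) for _, u, p in creds}
    unique_passwords = {p for _, _, p in creds}
    sites = defaultdict(lambda: defaultdict(set))  # user -> password -> sites
    for site, user, pw in creds:
        sites[user][pw].add(site)
    reusers = sum(1 for user in sites if any(len(s) > 1 for s in sites[user].values()))
    return len(unique_creds), len(unique_passwords), reusers / len(sites)


def unix_hash(password):
    """Stand-in for the Unix crypt(3) hash fed to John (SHA-256 so this runs
    without the deprecated crypt module)."""
    return hashlib.sha256(password.encode()).hexdigest()


def to_unix_format(creds):
    """One 'user:hash' line per unique password, the shape John the Ripper loads."""
    first_user = {}
    for _, user, pw in creds:
        first_user.setdefault(pw, user)
    return [f"{user}:{unix_hash(pw)}" for pw, user in first_user.items()]


def mangle(word):
    """Simple mangling rules of the kind John applies in single and wordlist mode."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "2009"):
            yield base + suffix


def crack(creds, wordlist):
    """Two passes like the lecture's: username-derived guesses first, then a wordlist.
    Returns ({hash: (pass_name, plaintext)} for cracked hashes, total hashes)."""
    targets = {unix_hash(pw) for _, _, pw in creds}
    found = {}

    def try_guesses(pass_name, guesses):
        for guess in guesses:
            h = unix_hash(guess)
            if h in targets and h not in found:
                found[h] = (pass_name, guess)

    for user in {u for _, u, _ in creds}:
        try_guesses("single", mangle(user))
    for word in wordlist:
        try_guesses("wordlist", mangle(word))
    return found, len(targets)


def crack_summary(creds, wordlist):
    """Cracked count per pass and the overall cracked fraction."""
    found, total = crack(creds, wordlist)
    per_pass = defaultdict(int)
    for pass_name, _ in found.values():
        per_pass[pass_name] += 1
    return dict(per_pass), len(found) / total


if __name__ == "__main__":
    print("reuse:", reuse_stats(CREDENTIALS))
    print("\n".join(to_unix_format(CREDENTIALS)))
    print("cracked:", crack_summary(CREDENTIALS, WORDLIST))
```

On the sample, one of five users reuses a password across domains, the username-derived pass recovers `alice123` immediately, the wordlist pass recovers the three dictionary-derived passwords, and only the two random passwords survive, giving a cracked fraction of two thirds.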
You're welcome to watch the video lecture. It's 1h 15m long. It's presented by Richard A. Kemmerer.
Here are all the topics in the lecture:
- [02:00] Botnet terminology - bot, botnet, command & control server, control channel, botmaster.
- [03:00] Introduction to the Torpig trojan and Mebroot malware platform.
- [05:00] How Torpig works.
- [11:30] Torpig HTML injection.
- [15:00] Domain fluxing.
- [19:15] Taking over Torpig's C&C server.
- [24:10] Data collection principles.
- [26:00] C&C server protocol.
- [31:10] Botnet size estimation.
- [37:00] Botnet threats: theft of financial information, denial of service, proxy servers, privacy theft.
- [37:30] Threat: Theft of financial information.
- [42:00] Threat: Denial of service.
- [43:30] Threat: Proxy servers.
- [44:20] Threat: Privacy theft.
- [47:00] Password analysis.
- [50:40] Criminal retribution.
- [53:00] Law enforcement.
- [58:00] Repatriating the data.
- [01:00:00] Ethics.
- [01:02:00] Conclusions.
- [01:06:00] Questions and answers.
For more information see the publication "Your Botnet is My Botnet: Analysis of a Botnet Takeover" (Stone-Gross et al., CCS 2009).