Torpig Botnet Stole 70 GB Data, Security Hijack Finds
Researchers found that the Torpig botnet, a malware program designed to harvest and steal sensitive information from users' computers, stole thousands of bank accounts and credit card numbers worth hundreds of thousands of dollars.
Among the pilfered data were more than 8,300 login credentials from 410 different financial institutions around the globe, which were acquired out of a total 300,000 stolen passwords.
The information was collected from more than 180,000 infected PCs that connected to more than 1.2 million IP addresses.
Researchers said that the Torpig botnet was considered "one of the most advanced pieces of crimeware ever created."
"On the surface, it is one of the many Trojan horses infecting today's Internet that, once installed on the victim's machine, steals sensitive information and relays it back to its controllers," the report said. "However, the sophisticated techniques it uses to steal data from its victims, the complex network infrastructure it relies on and the vast financial damage that it causes set it apart from other threats."
The researchers collected information about Torpig over a period of 10 days after seizing control of the botnet by exploiting a weakness in the way the bots tried to communicate with their command and control servers for new updates. Ultimately, the schemes used to protect communication on the Torpig botnet were insufficient to guarantee basic security properties such as confidentiality and authenticity, the researchers said.
Altogether, the largest percentage of stolen credit cards were lifted from the U.S., totaling about 49 percent, while 12 percent came from Italy and 8 percent came from Spain. The most common stolen cards included Visa, MasterCard, American Express, Maestro and Discover.
While the Torpig botnet, which was built using the MBR rootkit, has typically been associated with bank account and credit card theft, researchers discovered that the malware also stole a variety of personal information and launched numerous sophisticated, targeted phishing attacks.
"These phishing attacks are very difficult to detect, even for attentive users. In fact, the injected content carefully reproduces the style and look and feel of the target Web site," the report said. "Furthermore the injection mechanism defies all phishing indicators included in modern browsers. For example, the SSL configuration appears correct and so does the URL displayed in the address bar."
Victims are infected in drive-by download attacks, which exploit JavaScript errors in the browser. Torpig initially uses the phishing attacks to lure victims to infected Web sites that install malware designed to record keystrokes and steal information from their machines. The botnet then injects modules into the Web browser, which allow it to inspect all the data the browser handles and to identify and store interesting pieces of information, such as credentials for online accounts and stored passwords. The botnet then updates its C&C server with the newly acquired information about every 20 minutes, the report said.
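A bot that reports to its C&C server on a fixed schedule, as the report describes for Torpig's 20-minute update cycle, leaves a regular beaconing pattern in outbound connection logs. The following is an added defender-side example, not code from the report or its authors: it groups connections by source host and destination, measures how regular the gaps between them are, and flags pairs whose interval is near an expected period. The log lines and IP addresses are constructed for the illustration; the period, tolerance and regularity thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from the report):
# "<ISO timestamp> <source host> <destination>"
SAMPLE_LOG = """\
2009-02-01T10:00:05 10.0.0.12 203.0.113.7
2009-02-01T10:03:40 10.0.0.12 198.51.100.20
2009-02-01T10:20:02 10.0.0.12 203.0.113.7
2009-02-01T10:40:09 10.0.0.12 203.0.113.7
2009-02-01T11:00:01 10.0.0.12 203.0.113.7
2009-02-01T11:20:06 10.0.0.12 203.0.113.7
2009-02-01T10:01:00 10.0.0.33 198.51.100.20
2009-02-01T10:07:30 10.0.0.33 198.51.100.20
2009-02-01T10:55:12 10.0.0.33 198.51.100.20
2009-02-01T11:02:45 10.0.0.33 198.51.100.20
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_events=4):
    """Return (mean gap in seconds, coefficient of variation of the gaps),
    or None when there are too few events to judge regularity."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu == 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(text, expected_period=20 * 60, tolerance=0.25, max_cv=0.1):
    """Flag (src, dst) pairs whose connection gaps are regular (low coefficient
    of variation) and whose mean gap is within `tolerance` of `expected_period`.
    Thresholds are assumptions for this example, not values from the report."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        score = beacon_score(times)
        if score is None:
            continue
        mu, cv = score
        if cv <= max_cv and abs(mu - expected_period) <= tolerance * expected_period:
            hits.append((src, dst, round(mu), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst} every ~{period}s (cv={cv})")
```

In the constructed log, host 10.0.0.12 contacts 203.0.113.7 every twenty minutes with only a few seconds of jitter and is flagged, while the irregular traffic from 10.0.0.33 is not. A real deployment would run this over much longer windows, suppress known-good periodic services (update checks, monitoring agents) by allow-list, and treat a hit as a lead for investigation rather than a verdict.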
Altogether, researchers concluded that previous estimates of the botnet's size based on the count of distinct IP addresses may have been too high. In addition, the report found that the botnet's victims were generally users with poorly maintained machines who chose simple passwords to protect access to accounts containing sensitive information.
"This is evidence that the malware problem is fundamentally a cultural problem," researchers said. "Even though people are educated and understand well concepts such as physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer."