Botnet Hijacking Steals 70GB of Data

May 05, 2009 by John Messina weblog
Botnets

(PhysOrg.com) -- Security researchers have uncovered one of the most notorious zombie networks, the Torpig botnet, by collecting 70GB of data that was stolen in just 10 days.

Torpig bots stole over 8,300 credentials that was used to login to 410 financial institutions. More than 21 percent were accounts. This brings a total of almost 298,000 unique credentials that were intercepted from over 52,000 infected machines.

Torpig's secret behind siphoning data from computers is by infecting programs such as Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and other applications, by monitoring every keystroke. Every 20 minutes, the malware automatically uploads new data to servers. The software is then able to intercept passwords before they may be encrypted by secure sockets layer or other programs.

The security researchers were able to hijack the after discovering weaknesses in the way it updates the master control channels that are used to send new instructions to the infected computers. A technique know as domain flux sporadically generates a large list of of computers to report to but only uses one address, ignoring all the others.

The researchers were able to monitor the botnet's behavior over a period of 10 days by registering one of the domain names on the list and seizing control of the machine. The hijackers eventually gain back control of the machine by using a backdoor built into the infected .

In all researchers counted over 180,000 infected computers that connected from 1.2 million IP addresses.

Torpig gains control of a computer by rewriting the hard drive's master boot record. As a result, control of a computer is gained during the early stages of a PC's boot process, allowing it to bypass anti-virus and other .

© 2009 PhysOrg.com

Explore further: Facebook 'newspaper' spells trouble for media

add to favorites email to friend print save as pdf

Related Stories

Downadup Worm Hits Over 3.5 Million Computers

Jan 16, 2009

(PhysOrg.com) -- Security firm F-Secure has advised that the Downadup worm has spread to more than 3.5 million computers by exploiting a vulnerability Microsoft patched last October. This is achieved by trying ...

Help! How to avoid fast-moving computer worm

Jan 28, 2009

Since early January, a worm that has been referred to by several names, including "Downadup," "Kido" and "Conficker," has been infecting millions of computers around the world. The worm exploits a previously discovered vulnerability ...

Conficker Worm Prepares For A New Release On April 1

Mar 27, 2009

(PhysOrg.com) -- The conficker worm created havoc last year when it infected over 10 million computers on a global scale. The unique design of the conficker worm allowed for this large scale attack to over ...

Huge computer worm Conficker stirring to life

Apr 09, 2009

(AP) -- The dreaded Conficker computer worm is stirring. Security experts say the worm's authors appear to be trying to build a big moneymaker, but not a cyber weapon of mass destruction as many people feared.

Recommended for you

YouTube goes online for second Music Awards

Nov 20, 2014

The YouTube Music Awards are undergoing an overhaul for their second edition next year, scrapping a star-studded gala and instead looking at videos' online buzz.

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.