Botnet Hijacking Steals 70GB of Data

May 05, 2009 by John Messina weblog
Botnets

(PhysOrg.com) -- Security researchers have uncovered one of the most notorious zombie networks, the Torpig botnet, by collecting 70GB of data that was stolen in just 10 days.

Torpig bots stole over 8,300 credentials that was used to login to 410 financial institutions. More than 21 percent were accounts. This brings a total of almost 298,000 unique credentials that were intercepted from over 52,000 infected machines.

Torpig's secret behind siphoning data from computers is by infecting programs such as Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and other applications, by monitoring every keystroke. Every 20 minutes, the malware automatically uploads new data to servers. The software is then able to intercept passwords before they may be encrypted by secure sockets layer or other programs.

The security researchers were able to hijack the after discovering weaknesses in the way it updates the master control channels that are used to send new instructions to the infected computers. A technique know as domain flux sporadically generates a large list of of computers to report to but only uses one address, ignoring all the others.

The researchers were able to monitor the botnet's behavior over a period of 10 days by registering one of the domain names on the list and seizing control of the machine. The hijackers eventually gain back control of the machine by using a backdoor built into the infected .

In all researchers counted over 180,000 infected computers that connected from 1.2 million IP addresses.

Torpig gains control of a computer by rewriting the hard drive's master boot record. As a result, control of a computer is gained during the early stages of a PC's boot process, allowing it to bypass anti-virus and other .

© 2009 PhysOrg.com

Explore further: Ebola.com domain sold for big payout

add to favorites email to friend print save as pdf

Related Stories

Downadup Worm Hits Over 3.5 Million Computers

Jan 16, 2009

(PhysOrg.com) -- Security firm F-Secure has advised that the Downadup worm has spread to more than 3.5 million computers by exploiting a vulnerability Microsoft patched last October. This is achieved by trying ...

Help! How to avoid fast-moving computer worm

Jan 28, 2009

Since early January, a worm that has been referred to by several names, including "Downadup," "Kido" and "Conficker," has been infecting millions of computers around the world. The worm exploits a previously discovered vulnerability ...

Conficker Worm Prepares For A New Release On April 1

Mar 27, 2009

(PhysOrg.com) -- The conficker worm created havoc last year when it infected over 10 million computers on a global scale. The unique design of the conficker worm allowed for this large scale attack to over ...

Huge computer worm Conficker stirring to life

Apr 09, 2009

(AP) -- The dreaded Conficker computer worm is stirring. Security experts say the worm's authors appear to be trying to build a big moneymaker, but not a cyber weapon of mass destruction as many people feared.

Recommended for you

Ebola.com domain sold for big payout

22 hours ago

The owners of the website Ebola.com have scored a big payday with the outbreak of the epidemic, selling the domain for more than $200,000 in cash and stock.

Facebook goes retro with 'Rooms' chat app

Oct 23, 2014

Facebook on Thursday released an application that lets people create virtual "rooms" to chat about whatever they wish using any name they would like.

User comments : 0