A group of researchers at the University of California, Santa Barbara, has infiltrated the Torpig botnet, which was found to control hundreds of thousands of computers that were unwittingly handing over gigabytes of sensitive information.
The eight researchers, who actually took over the botnet for 10 days by seizing its command-and-control (C&C) channel, observed 180,000 infections and recorded more than 70 gigabytes of harvested data before losing control. In a paper reporting the results of their work, the researchers said that at one point data was being uploaded to them every 20 minutes.
Torpig is an advanced piece of crimeware, typically associated with bank account and credit card theft, according to the researchers, who work in the university's Department of Computer Science. Torpig uses a C&C technique that has also been adopted by the Conficker botmasters: each infected bot periodically generates a list of domains to contact, and the first server that sends a valid C&C reply is treated as genuine.
The researchers used their knowledge of the Torpig domain generation algorithm to register domains that the infected bots would contact before the bot herders could. Because the researchers' servers then returned a valid response, the infected bots accepted them as genuine.
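The property the article relies on is that a domain generation algorithm is deterministic: every bot derives the same dated list, so a defender who knows the algorithm can compute the list ahead of time and register (sinkhole) the domains first. The toy generator below is an added illustration, not Torpig's algorithm and not code from the UCSB paper; the seed string, the TLD set and the date-keyed hashing are all constructed assumptions. `first_valid_responder` models the bot-side rule the article describes (walk the list in order, trust the first domain that answers), which is what makes an early-registered sinkhole win.

```python
"""Toy domain-generation algorithm (DGA) and a defender's sinkhole plan.

Constructed for illustration only; NOT Torpig's real algorithm. It shows
why knowing a DGA lets a defender register the C&C domains before the
botmaster: the list is a pure function of the date and a fixed secret.
"""
import datetime as dt
import hashlib
from typing import Dict, List, Optional

TLDS = ("com", "net", "biz")  # constructed; real DGAs use their own TLD sets
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_domains(day: str, count: int = 5, secret: str = "toy-dga-seed") -> List[str]:
    """Derive `count` candidate C&C domains for an ISO date such as "2009-01-25".

    Every infected host computes the same ordered list offline; the only
    inputs are the date and a constant baked into the malware (here `secret`).
    """
    dt.date.fromisoformat(day)  # raise early on a malformed date string
    domains = []
    for i in range(count):
        material = f"{secret}|{day}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # ten lowercase letters from the first ten digest bytes, then a TLD
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:10])
        tld = TLDS[digest[10] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_plan(start: str, days_ahead: int, count: int = 5) -> List[str]:
    """Domains a defender should register or sinkhole before each date arrives."""
    first = dt.date.fromisoformat(start)
    plan: List[str] = []
    for offset in range(days_ahead):
        day = (first + dt.timedelta(days=offset)).isoformat()
        plan.extend(generate_domains(day, count))
    return plan


def first_valid_responder(domains: List[str], registry: Dict[str, str]) -> Optional[str]:
    """Model the bot's rule from the article: contact the dated list in order and
    trust the first domain that returns a valid C&C reply.

    `registry` maps a registered domain to whoever operates it (a constructed
    stand-in for DNS plus a server that speaks the C&C protocol). Domains that
    nobody registered never answer and are skipped.
    """
    for domain in domains:
        if domain in registry:
            return registry[domain]
    return None


if __name__ == "__main__":
    today = "2009-01-25"
    todays_list = generate_domains(today)
    # The defender registered the whole day's list in advance, so the bot
    # reaches the sinkhole even if a botmaster later registers the rest.
    registry = {d: "sinkhole" for d in sinkhole_plan(today, days_ahead=1)}
    print("today's DGA list:", todays_list)
    print("bot would reach:", first_valid_responder(todays_list, registry))
```

Because the output depends only on the date and the secret, `sinkhole_plan` can be run weeks ahead to produce both a registration list and a DNS blocklist for resolvers; a host that queries several of a day's domains in a row is a strong infection signal even when the sinkhole is not in place.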
Among their findings, the researchers learned that typical estimates of botnet size, which are based on the count of distinct IP addresses, may be overestimates.
“We found that, in our case, the number of unique IPs was one order of magnitude larger than the actual number of infected hosts,” they wrote in the report.
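Counting distinct IPs overstates the population whenever one machine shows up under several addresses (DHCP churn) while several machines can also share one address (NAT). The script below is an added example, not the researchers' measurement code: it runs over constructed check-in lines (documentation IP ranges, invented host ids) in which each bot reports a stable per-host identifier, and compares the IP-based count with the identifier-based count.

```python
"""Why unique-IP counts overestimate botnet size.

Added example over constructed sinkhole check-in lines (not real Torpig
data). Each line carries the source IP the sinkhole saw and a stable
per-host identifier that the bot reports; counting the latter gives the
number of infected machines, counting the former does not.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: host-a changes address, host-a and host-b share a
# NAT address, host-c and host-d roam across several addresses.
SAMPLE_LOG = """\
2009-01-25T08:00:01 ip=192.0.2.10 id=host-a
2009-01-25T08:20:04 ip=192.0.2.10 id=host-b
2009-01-25T08:40:02 ip=192.0.2.11 id=host-a
2009-01-25T09:00:07 ip=198.51.100.5 id=host-c
2009-01-25T09:20:03 ip=198.51.100.9 id=host-c
2009-01-25T09:40:05 ip=198.51.100.9 id=host-c
2009-01-25T10:00:01 ip=203.0.113.2 id=host-d
2009-01-25T10:20:06 ip=203.0.113.3 id=host-d
2009-01-25T10:40:02 ip=203.0.113.4 id=host-d
2009-01-25T11:00:00 ip=192.0.2.10 id=host-a
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>[0-9.]+) id=(?P<id>\S+)$")


def parse_checkins(text: str) -> List[Dict[str, str]]:
    """Parse check-in lines; malformed lines are skipped rather than fatal."""
    records = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            records.append(match.groupdict())
    return records


def size_estimates(records: List[Dict[str, str]]) -> Dict[str, float]:
    """Compare the naive IP-based estimate with the identifier-based one."""
    unique_ips = {r["ip"] for r in records}
    unique_hosts = {r["id"] for r in records}
    return {
        "unique_ips": len(unique_ips),
        "unique_hosts": len(unique_hosts),
        "ip_over_host_ratio": len(unique_ips) / len(unique_hosts),
    }


def churn_report(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Explain the gap: hosts seen from several IPs, and IPs shared by several hosts."""
    ips_per_host = defaultdict(set)
    hosts_per_ip = defaultdict(set)
    for r in records:
        ips_per_host[r["id"]].add(r["ip"])
        hosts_per_ip[r["ip"]].add(r["id"])
    return {
        "hosts_with_multiple_ips": sorted(h for h, s in ips_per_host.items() if len(s) > 1),
        "ips_with_multiple_hosts": sorted(i for i, s in hosts_per_ip.items() if len(s) > 1),
    }


if __name__ == "__main__":
    recs = parse_checkins(SAMPLE_LOG)
    print(size_estimates(recs))
    print(churn_report(recs))
```

On the constructed sample the IP count is 7 against 4 actual hosts; over a ten-day window with residential DHCP leases the gap only widens, which is why a stable identifier (or, failing that, IP plus a short time window) is the right deduplication key when a sinkhole is used to measure a botnet.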
They also said that botnet victims are generally users with poorly maintained machines, who invariably choose easily guessed passwords to protect access to sensitive sites.
“This is evidence that the malware problem is fundamentally a cultural problem,” they wrote. “Even though people are educated and understand concepts such as physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer.”
In addition, the researchers said that interacting with registrars, hosting facilities, victim institutions, and law enforcement is a complicated process.
“However, a few simple rules of behavior imposed by the U.S. government would go a long way toward preventing malicious internet behavior,” they wrote. “Even though botnets are a global problem, the United States could effectively enforce rules of behavior that might make it harder for botmasters to use the nation's cyberinfrastructure with impunity.”