Botnet Probe Turns Up 70GB of Personal, Financial Data

Researchers had access to the hacked computers for 10 days

. What's this?

By Jeremy Kirk, IDG News Service

May 05, 2009 — IDG News Service —

Researchers from the University of California gained control over a well-known and powerful network of hacked computers for 10 days, gaining insight into how it steals personal and financial data.

The botnet, known as Torpig or Sinowal, is one of the more sophisticated networks that uses hard-to-detect malicious software to infect computers and subsequently harvest data such as e-mail passwords and online banking credentials.

The researchers were able to monitor more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions, according to the researchers' 13-page paper.

Still, that was enough of a window to see the data-collecting power of Torpig/Sinowal. In that short time, about 70GB of data were collected from hacked computers.

The researchers stored the data and are working with law enforcement agencies such as the U.S. FBI, ISPs and even the U.S. Department of Defense to notify victims. ISPs also have shut down some Web sites that were used to supply new commands to the hacked machines, they wrote.

Torpig/Sinowal can pilfer user names and passwords from e-mail clients such as Outlook, Thunderbird and Eudora while also collecting e-mail addresses in those programs for use by spammers. It can also collect passwords from Web browsers.

Torpig/Sinowal can infect a PC if a computer visits a malicious Web site that is designed to test whether the computer has unpatched software, a technique known as a drive-by download attack. If the computer is vulnerable, a low-level piece of malicious software called a rootkit is slipped deep into the system.

The researchers found out that Torpig/Sinowal ends up on a system after it is first infected by Mebroot, a rootkit that appeared around December 2007.

Mebroot infects a computer's Master Boot Record (MBR), the first code a computer looks for when booting the operating system after the BIOS runs. Mebroot is powerful since any data that leaves the computer can be intercepted.

Mebroot can also download other code to the computer.

Torpig/Sinowal is customized to grab data when a person visits certain online banking and other Web sites. It is coded to respond to more than 300 Web sites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank, the paper said.

If a person goes to a banking Web site, a falsified form is delivered that appears to be part of the legitimate site, but asks for a range of data a bank would not normally request, such as a PIN (personal identification number) or a credit card number.

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
RESOURCE CENTER