Torpig

Torpig, also known as Anserin or Sinowal, is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords, as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks. By November 2008, it was estimated that Torpig had stolen the details of about 500,000 online bank accounts and credit and debit cards and was described as "one of the most advanced pieces of crimeware ever created".


History

Torpig reportedly began development in 2005, evolving from that point to more effectively evade detection by the host system and antivirus software. In early 2009, a team of security researchers from the University of California, Santa Barbara took control of the botnet for ten days. During that time, they extracted an unprecedented amount (over 70 GB) of stolen data and redirected 1.2 million IPs onto their private command and control server. The UCSB Torpig report goes into great detail about how the botnet operates. During the UCSB research team's ten-day takeover of the botnet, Torpig was able to retrieve login information for 8,310 accounts at 410 different institutions, and 1,660 unique credit and debit card numbers from victims in the U.S. (49%), Italy (12%), Spain (8%), and 40 other countries, including cards from Visa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).


Operation

Initially, a great deal of Torpig's spread was attributable to phishing emails that tricked users into installing the malicious software. More sophisticated delivery methods developed since that time use malicious banner ads which take advantage of exploits found in outdated versions of Java, Adobe Acrobat Reader, Flash Player, or Shockwave Player. A type of drive-by download, this method typically does not require the user to click on the ad, and the download may commence without any visible indication after the malicious ad recognizes the old software version and redirects the browser to the Torpig download site. To complete its installation into the infected computer's Master Boot Record (MBR), the trojan will restart the computer. During the main stage of the infection, the malware will upload information from the computer twenty minutes at a time, including financial data like credit card numbers and credentials for banking accounts, as well as e-mail accounts, Windows passwords, FTP credentials, and POP/SMTP accounts.
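The steady twenty-minute upload rhythm described above is something a defender can look for in proxy or firewall logs. The following is an added example, not code from the article or from the UCSB study: it flags any client/destination pair whose connection intervals cluster tightly around a 20-minute period. The log format, IP address and host names are constructed for the example.

```python
# Added example: flag hosts that contact one destination at a steady cadence,
# the twenty-minute upload rhythm described above. Log format, IPs and host
# names are constructed for this example, not taken from Torpig samples.
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: "<ISO timestamp> <client ip> <destination host>"
SAMPLE_LOG = """\
2009-01-25T10:00:05 10.0.0.7 updates.example-vendor.test
2009-01-25T10:00:09 10.0.0.7 news.example.test
2009-01-25T10:20:07 10.0.0.7 updates.example-vendor.test
2009-01-25T10:31:44 10.0.0.7 news.example.test
2009-01-25T10:40:03 10.0.0.7 updates.example-vendor.test
2009-01-25T10:55:12 10.0.0.7 news.example.test
2009-01-25T11:00:08 10.0.0.7 updates.example-vendor.test
2009-01-25T11:20:05 10.0.0.7 updates.example-vendor.test
2009-01-25T11:40:06 10.0.0.7 updates.example-vendor.test
2009-01-25T11:41:30 10.0.0.7 news.example.test
"""

def parse(log: str):
    """Yield (timestamp, client, destination) tuples from non-empty lines."""
    for line in filter(None, log.splitlines()):
        ts, client, dest = line.split()
        yield datetime.fromisoformat(ts), client, dest

def find_beacons(log: str, period_s=1200, tolerance=0.1, min_hits=4):
    """Return {(client, dest): median gap in seconds} for pairs whose
    connection intervals cluster tightly around period_s."""
    seen = defaultdict(list)
    for ts, client, dest in parse(log):
        seen[(client, dest)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:   # too few contacts to judge cadence
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Small spread relative to the median means a machine-driven timer
        jitter = pstdev(gaps) / mid if mid else float("inf")
        if abs(mid - period_s) <= tolerance * period_s and jitter <= tolerance:
            hits[key] = mid
    return hits

if __name__ == "__main__":
    for (client, dest), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every {gap / 60:.1f} min")
```

The human-browsed `news.example.test` traffic has irregular gaps and is not reported; only the timer-driven pair is.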


See also

* Mebroot
* Drive-by download
* Phishing
* Man-in-the-browser
* Conficker, a worm that also uses domain name generation (or domain flux)
* Timeline of computer viruses and worms


Further reading


Taking over the Torpig botnet
''IEEE Security & Privacy'', Jan/Feb 2011


External links


UCSB Analysis
One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts
by RSA FraudAction Research Lab, October 2008
Don't be a victim of Sinowal, the super-Trojan
by Woody Leonhard, WindowsSecrets.com, November 2008
Antivirus tools try to remove Sinowal/Mebroot
by Woody Leonhard, WindowsSecrets.com, November 2008
Torpig Botnet Hijacked and Dissected
covered on Slashdot, May 2009
How to Steal a Botnet and What Can Happen When You Do
by Richard A. Kemmerer, GoogleTechTalks, September 2009