Monday, May 4, 2009

Torpig Botnet Analysis - When was the last time you changed your passwords?

Like many people, I spend a lot of time online. According to Rescuetime.com, I have averaged over 6 hours a day online, just at work. Add another 4-6 hours a day surfing at home, and my life is pretty well intertwined with the World Wide Web. I would consider myself smarter than the average bear when it comes to "safe surfing" online, but even so I have on occasion found myself removing spyware or malware from my computer. These programs live on the Internet, so pretty much anyone who spends any significant amount of time online will run into them eventually.

With that in mind, it is very interesting to read about a team of researchers from the University of California, Santa Barbara that took over and analyzed the Torpig botnet for a period of 10 days. During the takeover they analyzed the data being sent to the control servers and made some very interesting observations. A full report of their findings is available here, and it is a fascinating read for anybody interested in the activities of online criminals. Once a machine was infected, the control servers started receiving usernames and passwords for email accounts and banking websites, as well as all other HTML form data such as webmail and posts on forums or social websites. Over the course of 10 days the researchers collected over 70 GB of total raw data from over 180,000 infected computers.

One of the interesting findings was how much personal information they were able to uncover by combining the online identities sent from individual machines. "For example, Torpig records a user logging into his LinkedIn account. His profile presents him as the CEO of a tech company with a large number of professional contacts. Torpig also records the same user logging into three sexually explicit web sites." Most people think that their identity is private when surfing online, but if your machine gets infected with a virus or Trojan, all privacy goes out the window.

In their conclusions they state that while better relations between security researchers and domain registrars could help solve some of the problems, the issue is fundamentally a cultural one, since many people use the same weak password for all of their online activities. Also, there needs to be better education about how to be safe online. "Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer." Of course, some of the criminals are getting pretty good at creating exploits that look legitimate. For instance, Torpig can be used to inject HTML forms into real banking webpages to create very legitimate-looking exploits like the one shown here:

[Image: wellsfargo-injection]

I come across these types of stories every once in a while, and they remind me to do simple things like periodically change the password to my email account and high-security websites. This is something that everybody should do at least once a year, if not more frequently than that. When combined with a firewall, decent antivirus software, and safe browsing habits, changing your password periodically should help keep you from becoming a victim online.
