Your Botnet is My Botnet

Taking over the Torpig Botnet

Description

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program designed to harvest sensitive information (such as bank account and credit card data) from its victims. At the beginning of 2009, we took control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected.

Torpig uses an increasingly popular technique to increase the reliability of its C&C infrastructure, which we term domain flux. With domain flux, each bot periodically (and independently) generates a list of domains that it contacts. The first host that replies with a message identifying it as a valid C&C server is treated as genuine until the next domain-generation period starts (this is the same technique used recently by Conficker). Because the bots compute the list from predictable inputs, anyone who knows the algorithm can compute the same list ahead of time and register the domains before the botmaster does.

Torpig relies on domain flux not only for its main C&C servers, but also to generate the names of the drive-by-download servers that it uses to spread. In traditional drive-by-download attacks, the iframe or script tags reference a hard-coded domain to redirect the victim browser to a malicious web page that starts the attack. Torpig instead redirects victims to a malicious web page by computing a pseudo-random domain name on the fly, seeded by the current date, in JavaScript code.

A recent update to this algorithm is particularly interesting. Like the previous version, the new algorithm uses the current date to generate the drive-by-download domain. However, it also relies on search trends from Twitter to generate one additional seed byte. More precisely, the algorithm fetches the URL http://search.twitter.com/trends/weekly.json?callback=c&exclude=hashtags, which returns a JSON object containing Twitter search trends organized by date. The algorithm takes the trend data for either two or three days before the current date (depending on the current weekday) and extracts the second character of the first data item. For example, to determine the domain active on 4/27, the algorithm uses the trends for 4/25. On 4/25, the most popular search was "TGIF", so the letter 'G' is used. The letter extracted from the trend data is then used to calculate a "magic number", which in turn is used to compute the domain name. You can find the full unobfuscated version of the algorithm on Wepawet.
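The generator below is an added example written for this page; it is not Torpig's code and not the listing on Wepawet. It reproduces only the structure described above, a date-seeded domain plus one extra seed byte taken from the second character of the first trend for a look-back date, and fills in everything the description leaves open with labelled assumptions: the JSONP feed layout, the weekday rule for the look-back, the mixing into a "magic number", the LCG that turns that number into a name, and the TLD list. The feed sample is constructed; only the "TGIF" entry for 2009-04-25 comes from the text. It is written in JavaScript because the real drive-by code runs in the browser, and it runs unchanged under Node.

```javascript
// Illustrative domain-flux generator with a date seed plus one seed byte from a
// trends feed. Added example for this page: the mixing function, the LCG, the
// weekday look-back rule and the TLD list are all assumptions, not Torpig's.

const TLDS = [".com", ".net", ".biz"]; // assumed TLD pool

// Constructed sample of the weekly trends feed in the JSONP form produced by
// callback=c. Only the "TGIF" entry for 2009-04-25 is taken from the text
// above; every other entry is made up for this example.
const SAMPLE_FEED = 'c({"trends":{' +
  '"2009-04-25":[{"name":"TGIF"},{"name":"Saturday"}],' +
  '"2009-04-26":[{"name":"Sunday"}],' +
  '"2009-04-27":[{"name":"Monday"}]}})';

// Strip the JSONP wrapper "c(...)" if present, then parse the JSON body.
function parseTrendsFeed(text) {
  const m = /^\s*c\(([\s\S]*)\)\s*;?\s*$/.exec(text);
  return JSON.parse(m ? m[1] : text);
}

function isoDate(d) { return d.toISOString().slice(0, 10); }
function addDays(d, n) { return new Date(d.getTime() + n * 86400000); }

// Assumed stand-in for the weekday-dependent look-back: three days on weekends,
// two otherwise. It reproduces the documented instance (Mon 4/27 -> Sat 4/25).
function lookbackDays(d) {
  const wd = d.getUTCDay();
  return (wd === 0 || wd === 6) ? 3 : 2;
}

// Second character of the first trend entry for the look-back date, or null if
// the feed has no usable entry for that day (feed unreachable, format changed).
function trendLetter(trends, d) {
  const key = isoDate(addDays(d, -lookbackDays(d)));
  const entries = trends.trends && trends.trends[key];
  if (!entries || !entries.length || typeof entries[0].name !== "string" ||
      entries[0].name.length < 2) {
    return null;
  }
  return entries[0].name.charAt(1);
}

// Assumed mixing: fold the date (as YYYYMMDD) with the seed byte. A missing
// letter degrades to a fixed byte so the bot still produces a domain.
function magicNumber(d, letter) {
  const ymd = d.getUTCFullYear() * 10000 + (d.getUTCMonth() + 1) * 100 + d.getUTCDate();
  const seedByte = letter === null ? 0 : letter.charCodeAt(0) & 0xff;
  return (ymd ^ (seedByte << 16)) >>> 0;
}

// Assumed name derivation: a 32-bit LCG driven by the magic number yields
// 8 to 12 lowercase letters and then picks the TLD.
function domainFromMagic(magic) {
  let x = magic >>> 0;
  const len = 8 + (x % 5);
  let name = "";
  for (let i = 0; i < len; i++) {
    x = (Math.imul(x, 1103515245) + 12345) >>> 0;
    name += String.fromCharCode(97 + ((x >>> 16) % 26));
  }
  return name + TLDS[x % TLDS.length];
}

// What an infected browser would compute for a given day.
function domainForDate(d, feedText) {
  const letter = trendLetter(parseTrendsFeed(feedText), d);
  return domainFromMagic(magicNumber(d, letter));
}

// Defender view: every input is public, so the same list can be enumerated
// ahead of the bots and the domains registered or sinkholed first.
function candidateDomains(start, days, feedText) {
  const trends = parseTrendsFeed(feedText);
  const out = [];
  for (let i = 0; i < days; i++) {
    const d = addDays(start, i);
    const letter = trendLetter(trends, d);
    out.push({ date: isoDate(d), letter, domain: domainFromMagic(magicNumber(d, letter)) });
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  const start = new Date(Date.UTC(2009, 3, 27)); // Monday 2009-04-27
  console.log(candidateDomains(start, 3, SAMPLE_FEED));
}
```

Two points worth noticing when running it: the trend feed is only a one-byte contribution, so a defender who fetches the same feed loses nothing by its presence, and the feed can be missing (the example falls back to a fixed byte rather than failing), which is the kind of robustness a botmaster needs and which also means the fallback domains are worth registering too.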

Publications

2011 (1 publication)

B. Stone-Gross, M. Cova, B. Gilbert, R. Kemmerer, C. Kruegel, G. Vigna. Analysis of a Botnet Takeover. IEEE Security & Privacy Magazine, vol. 9, no. 1, 2011.

2009 (1 publication)

B. Stone-Gross, M. Cova, B. Gilbert, L. Cavallaro, C. Kruegel, M. Szydlowski, G. Vigna, R. Kemmerer. Your Botnet is My Botnet: Analysis of a Botnet Takeover. Proceedings of the ACM Conference on Computer and Communications Security (CCS 2009).

Last update
Sept. 24, 2011, 2:09 p.m.