Hijacked botnet exposes startling online habits
Posted on 5 May 2009 at 14:04
Researchers who hijacked a botnet for ten days earlier this year have revealed some startling information about the online habits of its victims.
In a research paper, the team from the University of California Santa Barbara explained how they took control of the Torpig botnet for ten days by exploiting a weakness in the way it contacts its command and control (C&C) server.
Torpig bots generate a list of domains they plan to contact, with the C&C server hidden among them. Each bot then works through the list until it finds a live control server; once it does, it begins to download instructions.
However, not all of the domains the botnet generates are registered. By cracking the domain registration algorithm used by the botnet, the team were able to register their servers at potential domains. Then when the botnet came calling for new instructions, they simply identified themselves as the C&C server.
This tactic allowed them to hijack the botnet for ten days before the next update cut them off.
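The weakness the researchers used is that a domain-generation algorithm is deterministic: anyone who recovers it can compute the same candidate list the bots will compute. The added example below is not Torpig's algorithm and not the researchers' code; it is a constructed toy generator (the seed, the label length and the TLD list are all placeholders) used to show the defender's side of the pattern: precompute the coming window of candidate domains so they can be registered (sinkholed) or blocklisted, and then match DNS log lines against that list. The log format is likewise constructed.

```python
# Added illustration of the DGA/sinkhole pattern described in the article.
# The generator below is a constructed placeholder, NOT Torpig's algorithm;
# the seed, label length and TLDs are arbitrary choices for the example.
import hashlib
from datetime import date, timedelta

SEED = b"example-seed"            # constructed; a real family uses its own secret
TLDS = ("com", "net", "biz")      # constructed; not the TLDs any real family uses


def generate_domains(day_iso: str, seed: bytes = SEED, count: int = 5) -> list[str]:
    """Derive the candidate domains for one day (ISO date, e.g. '2009-01-25').

    Bot and operator both compute this list from the date and a fixed seed,
    which is exactly why a defender who recovers the algorithm can compute it too.
    """
    day = date.fromisoformat(day_iso)
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        label = hashlib.sha256(material).hexdigest()[:12]   # 12 hex chars as the label
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def build_watchlist(start_iso: str, days_ahead: int, seed: bytes = SEED) -> set[str]:
    """Precompute every candidate domain for the coming window.

    A defender registers (sinkholes) the still-unregistered names or pushes the
    whole set to a DNS blocklist before the bots start looking them up.
    """
    start = date.fromisoformat(start_iso)
    watch: set[str] = set()
    for offset in range(days_ahead):
        day = start + timedelta(days=offset)
        watch.update(generate_domains(day.isoformat(), seed))
    return watch


def flag_dga_lookups(dns_log_lines: list[str], watchlist: set[str]) -> list[tuple[str, str]]:
    """Return (client, queried_name) for each log line whose name is on the watchlist.

    Log line format is constructed for the example: '<client-ip> <queried-name>'.
    Names are compared case-insensitively and with any trailing dot removed.
    """
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip malformed lines rather than crash
        client, qname = parts
        if qname.lower().rstrip(".") in watchlist:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    window = build_watchlist("2009-01-25", 10)
    today = generate_domains("2009-01-25")
    # Constructed DNS log: two DGA lookups (one upper-cased with a trailing dot)
    # and one benign lookup.
    sample_log = [
        f"10.0.0.5 {today[0]}",
        "10.0.0.6 www.example.com",
        f"10.0.0.7 {today[2].upper()}.",
    ]
    for client, name in flag_dga_lookups(sample_log, window):
        print(f"DGA lookup from {client}: {name}")
```

The point of `build_watchlist` is the ten-day window the researchers describe: the list only has to be computed ahead of the bots, and the hijack ends as soon as an update changes the algorithm or seed, so the watchlist must be regenerated whenever the malware does.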
In that time, the researchers gathered some startling data. In all, the researchers counted more than 180,000 infected PCs collecting 70GB of information, including passwords and credit-card details.
More worryingly, also among the information obtained were the login details for 8,310 accounts at 410 financial institutions, including PayPal and Capital One.
The team also discovered that 28% of Torpig's victims reused their logins and passwords to access a total of 368,501 websites, making it a simple matter for scammers to break even further into their lives.
Through keyloggers and snooping software, the botnet also recorded hundreds of email, forum and chat messages which "often contain detailed (and private) descriptions of the lives of their authors."
Online habits
The paper claims that by analysing 6,542 messages, the team discovered that "the victims of Torpig prepare for exams and worry about grades (5% of the messages), look for professional advice from doctors and lawyers (1%), play video games (2%), seek jobs and submit resumes (14%), are sport fans (6%), discuss money (7%), trade goods online (4%), exchange insults (0.1%) and look for sex or partners online (4%)."
The team notes that the majority of Torpig's victims had been compromised due to poorly patched software and "easily guessable passwords".
"Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behaviour when using a computer," it concludes.
Following the outrage over the decision to purchase a 22,000-machine botnet to highlight the risks of malware, the idea of researchers rooting through stolen personal data from over 180,000 machines seems unlikely to impress privacy advocates.
Author: Stuart Turton
Printed from www.pcpro.co.uk


