Thursday, May 7, 2009

Spread of the Torpig Flu

The Computer Security Group at UCSB recently released a report, "Your Botnet is My Botnet: Analysis of a Botnet Takeover", in which the authors hijacked the Torpig botnet for 10 days (basically by registering a fake command and control server that the infected machines contacted). This is a fascinating read and highly recommended.

The report is downright scary. The sophistication and reach of the Torpig botnet is remarkable. It installs modules into many common applications (Web browsers, email clients, IM clients) and steals information including passwords, email account information, credit card numbers, and the content of any Web form filled out by a user. This latter is noteworthy as it includes a tremendous amount of sensitive information, including the content of emails that have been sent by users on infected hosts. The authors of the report went so far as to inspect some of the content captured by the botnet and found nearly 300,000 username/password pairs; credentials for some 8,000 bank accounts; and 1,600 credit card accounts. This information was captured from 180,000 infected machines, and it's worth keeping in mind this is only in the span of ten days.

Another remarkable aspect of Torpig is that in most cases the user would have no idea this information was being captured. Since the botnet hides itself deep into the lowest levels of the system software, even information sent to trusted websites over secure SSL connections can be stolen by the botnet.

I don't tend to follow malware developments very closely, but this is a pretty big departure from the days of Code Red -- defacing websites seems fairly pedestrian compared to Torpig, which is capable of global scale information theft (not to mention financial mayhem). Should I feel safe because I only use Mac and Linux machines?



No comments:

Post a Comment