Background

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims.
At the beginning of 2009, we took control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected.
Updates

Torpig uses an increasingly popular technique to increase the reliability of its C&C infrastructure, which we term domain flux. With domain flux, each bot periodically (and independently) generates a list of domains that it contacts in turn. The first host whose reply identifies it as a valid C&C server is treated as genuine until the next period of domain generation begins (this is the same technique used recently by Conficker).
Torpig relies on domain flux not only for its main C&C servers, but also to generate the names of the drive-by-download servers that it uses to spread. In traditional drive-by-download attacks, the iframe or script tags reference a hard-coded domain to redirect the victim browser to a malicious webpage to start the attack. However, Torpig redirects victims to a malicious webpage by computing a pseudo-random domain name on-the-fly (seeded by the current date) using JavaScript code.
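The following is an added illustration of the domain-flux mechanism described in the two paragraphs above; it is not code from Torpig, from the UCSB group, or from the original page. It shows a date-seeded generator that every bot can evaluate on its own (the same idea behind both the C&C names and the drive-by redirect names), the bot's selection loop that keeps the first responder whose reply passes a validity check, and the defender's view: anyone who has extracted the generator can enumerate the same candidates for future dates. The seed, suffix list, number of candidates per period, and the MAC-based reply check are all hypothetical choices made for this example.

```python
"""Toy domain flux (DGA) demo. Hypothetical generator, not Torpig's.

(1) candidate_domains: date-seeded names every bot derives independently.
(2) resolve: bot keeps the first host whose reply proves it is a C&C.
(3) enumerate_future: defender with the generator in hand lists the
    candidates for upcoming periods so they can be registered or sinkholed.
"""
import datetime as dt
import hashlib
import hmac
from typing import Callable, Optional

SEED = b"hypothetical-per-botnet-seed"   # assumed to be embedded in the bot
TLDS = ("com", "net", "biz")             # hypothetical suffix rotation
PER_PERIOD = 4                           # hypothetical candidates per day


def candidate_domains(day: str) -> list[str]:
    """Ordered candidate list for one generation period.

    `day` is an ISO date string (YYYY-MM-DD). The list depends only on the
    date and the embedded seed, so no prior contact with any server is
    needed and every bot computes the same list.
    """
    dt.date.fromisoformat(day)  # reject malformed period keys early
    domains = []
    for i in range(PER_PERIOD):
        digest = hashlib.sha256(SEED + day.encode() + bytes([i])).hexdigest()
        # Map hex nibbles onto 'a'..'p' to obtain a DNS-safe label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def make_reply(domain: str) -> bytes:
    """Reply a genuine C&C sends: a tag plus a MAC over the contacted name."""
    return b"C2:" + hmac.new(SEED, domain.encode(), "sha256").digest()


def verify_reply(domain: str, reply: bytes) -> bool:
    """Bot-side check that the responder really is a C&C server."""
    return hmac.compare_digest(reply, make_reply(domain))


def resolve(domains: list[str],
            probe: Callable[[str], Optional[bytes]]) -> Optional[str]:
    """Bot selection loop: the first responder that passes verify_reply wins.

    Unregistered names (probe returns None) and hosts that answer with
    something that fails the check are skipped; this is what lets the bot
    survive the takedown of individual domains.
    """
    for d in domains:
        reply = probe(d)
        if reply is not None and verify_reply(d, reply):
            return d
    return None


def simulate_period(day: str) -> tuple[list[str], Optional[str]]:
    """Constructed scenario: two candidates unregistered, one held by a
    party that does not speak the protocol, one genuine C&C."""
    doms = candidate_domains(day)
    internet = {                          # constructed view of the network
        doms[2]: b"<html>parked</html>",  # wrong answer: skipped
        doms[3]: make_reply(doms[3]),     # valid answer: accepted
    }
    return doms, resolve(doms, internet.get)


def enumerate_future(start: str, days: int) -> list[str]:
    """Defender's view: list every candidate for the next `days` periods."""
    first = dt.date.fromisoformat(start)
    out = []
    for n in range(days):
        out.extend(candidate_domains((first + dt.timedelta(days=n)).isoformat()))
    return out


if __name__ == "__main__":
    today = "2009-01-25"  # a date inside the observation window
    doms, chosen = simulate_period(today)
    print("candidates:", doms)
    print("accepted C&C:", chosen)
    print("candidates for the coming week:", len(enumerate_future(today, 7)))
```

Two points the code makes explicit. First, because the candidate list is a pure function of the date, whoever holds the generator can compute the same names ahead of time, so the defender's enumerate_future is the same computation as the bot's. Second, the validity check only protects the bots as far as the bot binary keeps its secret: here the MAC key is the embedded seed, so anyone who can extract it from the malware can also produce replies that pass verify_reply.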
Continued @ The Computer Security Group at UCSB