Researchers hijack Torpig botnet

The researchers from the University of California Santa Barbara were able to take over the 'Torpig' botnet and observe the data collected by the malware over the course of ten days.

In that time, researchers estimate that they collected some 70GB worth of uploaded information from roughly 180,000 infected machines. The harvested information included bank details and system information.

The researchers said that the key to hijacking the botnet was to take advantage of the malware's "domain flux" component, which generates a list of possible command servers to contact.

By cracking the algorithm used to generate the domains, the researchers were able to guess possible future domains and set up a phony command server.

Once the botnet was hijacked, the researcher spent ten days observing and gathering information on the botnet.

In that time, they were able to make several interesting observations.

In particular, the researchers noted that though just 180,000 systems had been infected, more than 1.2 million IP addresses were logged.

This, say the researchers, calls in to question the accuracy of measuring the size of botnets by number of IP addresses.

The researchers also found that Torpig collects far more than just bank and credit card details.

Data uploaded to the command server included user login credentials and email account data, suggested that the botnet could also be used for spamming runs.

In analyzing the infected machines researchers found that Torpig, like most malware, primarily preyed on poorly-patched machines and lax security practices to build the botnet.

"This is evidence that the malware problem is fundamentally a cultural problem," wrote the researchers.

"Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behaviour when using a computer."