Tuesday, November 17, 2009

Your Botnet is My Botnet: Analysis of a Botnet Takeover



Botnets, networks of malware-infected machines that are controlled
by an adversary, are the root cause of a large number of security
problems on the Internet. A particularly sophisticated and insidious
type of bot is Torpig, a malware program that is designed to
harvest sensitive information (such as bank account and credit card
data) from its victims. In this paper, we report on our efforts to take
control of the Torpig botnet and study its operations for a period of
ten days. During this time, we observed more than 180 thousand
infections and recorded almost 70 GB of data that the bots collected.
While botnets have been “hijacked” and studied previously,
the Torpig botnet exhibits certain properties that make the analysis
of the data particularly interesting. First, it is possible (with reasonable
accuracy) to identify unique bot infections and relate that
number to the more than 1.2 million IP addresses that contacted our
command and control server. Second, the Torpig botnet is large,
targets a variety of applications, and gathers a rich and diverse set
of data from the infected victims. This data provides a new understanding
of the type and amount of personal information that is
stolen by botnets... (see PDF)
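The abstract's first point is that the number of distinct IP addresses contacting a sinkholed command-and-control server is not the number of infections: one infected machine changes addresses over several days (DHCP churn), and several infected machines can share one address (NAT). The script below is an added example, not code from the paper or this post, that shows why a per-infection identifier gives a better count than raw IP addresses. It assumes a `bot_id` field in each check-in record; the page does not describe how Torpig actually identifies a bot, and the records are constructed.

```python
"""Estimating infection counts from sinkhole check-in logs.

Constructed example (not Torpig's protocol or the paper's code): each
record is a bot check-in seen by a sinkholed command-and-control server,
carrying the source IP and a per-infection identifier the bot sends
(assumed field; the real name and derivation are not on this page).
"""
from collections import defaultdict
from datetime import datetime

# Constructed check-in records: (timestamp, source_ip, bot_id).
# Two effects are modelled: bot A moves across DHCP addresses over
# several days, and bots C and D sit behind one NAT address.
SAMPLE_CHECKINS = [
    ("2009-01-25T10:00:00", "203.0.113.5",  "bot-A"),
    ("2009-01-25T22:00:00", "203.0.113.5",  "bot-A"),
    ("2009-01-26T09:30:00", "203.0.113.77", "bot-A"),  # DHCP lease changed
    ("2009-01-27T08:15:00", "203.0.113.91", "bot-A"),  # and again
    ("2009-01-25T11:00:00", "198.51.100.2", "bot-B"),
    ("2009-01-26T11:00:00", "198.51.100.2", "bot-B"),
    ("2009-01-25T12:00:00", "192.0.2.10",   "bot-C"),  # NAT: C and D share one IP
    ("2009-01-25T12:05:00", "192.0.2.10",   "bot-D"),
    ("2009-01-26T12:05:00", "192.0.2.10",   "bot-D"),
]


def parse_checkins(records):
    """Turn raw tuples into dicts with parsed timestamps."""
    return [
        {"ts": datetime.fromisoformat(ts), "ip": ip, "bot_id": bot_id}
        for ts, ip, bot_id in records
    ]


def count_by_ip(checkins):
    """Naive estimate: one infection per distinct source IP."""
    return len({c["ip"] for c in checkins})


def count_by_bot_id(checkins):
    """Identifier-based estimate: one infection per distinct bot id."""
    return len({c["bot_id"] for c in checkins})


def ips_per_bot(checkins):
    """Distinct addresses each infection was seen from (DHCP churn)."""
    seen = defaultdict(set)
    for c in checkins:
        seen[c["bot_id"]].add(c["ip"])
    return {bot: len(ips) for bot, ips in seen.items()}


def bots_per_ip(checkins):
    """Distinct infections seen behind each address (NAT sharing)."""
    seen = defaultdict(set)
    for c in checkins:
        seen[c["ip"]].add(c["bot_id"])
    return {ip: len(bots) for ip, bots in seen.items()}


def daily_ip_counts(checkins):
    """Distinct IPs per calendar day: short windows are inflated less by churn."""
    per_day = defaultdict(set)
    for c in checkins:
        per_day[c["ts"].date().isoformat()].add(c["ip"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def summarize(records):
    """Compare the IP-based and identifier-based views of the same log."""
    checkins = parse_checkins(records)
    return {
        "distinct_ips": count_by_ip(checkins),
        "distinct_bots": count_by_bot_id(checkins),
        "ips_per_bot": ips_per_bot(checkins),
        "bots_per_ip": bots_per_ip(checkins),
        "daily_ips": daily_ip_counts(checkins),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CHECKINS).items():
        print(f"{key}: {value}")
```

On the constructed log the IP count (5) overstates the infection count (4) even though one NAT address hides a second bot; over a ten-day window with real churn the gap grows, which is why the per-day IP count is a more honest lower bound than the cumulative one when no bot identifier is available.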