Google tech talk: How to steal a botnet and… | 25th January, 2010
No responses
I recently came across this interesting video on YouTube – How to Steal a Botnet and What Can Happen When You Do. It’s a talk presented by Richard A. Kemmerer, one of the researchers at UCSB and part of the team that took control of a part of the Torpig botnet for 10 days. A botnet is a group of malware-infected computers that are controlled remotely and often used to steal passwords and for phishing. This talk outlines some of the basic terminology of botnets, the way infection happens and the effects it causes.
The highlights of the Torpig botnet include:
- It contains a domain-fluxing algorithm that changes the domain it connects to based on the time/date of the infected computer.
- It injects phishing pages into the browser, and these cannot be detected by any of the anti-phishing tools.
- Torpig gets downloaded by Mebroot, which is the malware delivery platform.
- Mebroot makes minimal changes to the infected computer and alters the master boot record (MBR) so that it gets started as soon as the PC boots.
- Mebroot uses an encryption algorithm that hasn’t been broken yet!
- If Torpig were used for a DDoS attack, the available bandwidth would be about 17 Gbps.
Direct URL: http://www.youtube.com/watch?v=2GdqoQJa6r4
For more info, see the paper “Your Botnet is My Botnet: Analysis of a Botnet Takeover.”
The researchers drew a number of important conclusions by analyzing the data collected from Torpig.
- Many people use the same password on multiple domains.
- The researchers converted the passwords to Unix format and tried to crack them with John the Ripper. 56,000 were cracked in less than 65 minutes using the default mode. Using a wordlist, 14,000 passwords were cracked in the next 10 minutes. And another 30,000 passwords were cracked in the next 24 hours. That’s 58% of all passwords cracked in 24 hours.
- Most of the passwords stolen were taken from various browsers’ password managers.
After 10 days, the bad guys pushed a new Torpig binary using Mebroot. It contained a new domain-fluxing algorithm which now uses Twitter’s popular topics to calculate the domain and hence is unpredictable.
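As an added illustration (not code from the talk or the paper, and not Torpig’s real algorithm), the toy Python below shows why the date-seeded domain fluxing from the first list could be pre-empted by defenders, while a seed taken from Twitter’s popular topics cannot be computed in advance. The domain derivation, the salt constant and the DNS log format are all constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy scheme for illustration only; it is NOT Torpig's real algorithm.
# Each bot derives one rendezvous domain per ISO week from the current date, so
# anyone who knows the derivation (e.g. from reversing the binary) gets the same domain.
TLDS = ("com", "net", "biz")
SALT = b"toy-salt"  # stands in for constants baked into the bot binary (assumed)

def _domain_from_seed(seed: bytes) -> str:
    """Map a seed to a 10-letter label plus a TLD, both taken from a SHA-256 digest."""
    digest = hashlib.sha256(seed).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
    return f"{label}.{TLDS[digest[10] % len(TLDS)]}"

def weekly_domain(day: str) -> str:
    """Date-seeded flux: the same domain for every day of one ISO week.
    `day` is an ISO date string such as '2010-01-25'."""
    year, week, _ = date.fromisoformat(day).isocalendar()
    return _domain_from_seed(f"{year}-W{week:02d}".encode() + SALT)

def enumerate_domains(start: str, weeks: int) -> list[str]:
    """Defender's view: precompute the upcoming rendezvous domains so they can be
    registered (sinkholed) or blocklisted before the bots roll over to them."""
    first = date.fromisoformat(start)
    return [weekly_domain((first + timedelta(weeks=i)).isoformat()) for i in range(weeks)]

def trending_domain(popular_topic: str) -> str:
    """Seed taken from an external feed (the post's Twitter popular topics). Same
    derivation, but nobody can compute it until the topic is public, which is what
    makes the updated algorithm unpredictable ahead of time."""
    return _domain_from_seed(popular_topic.strip().lower().encode() + SALT)

def flag_dns_queries(log_lines: list[str], blocklist: set[str]) -> list[str]:
    """Return 'client -> name' for queries (constructed 'host=<ip> q=<name>' log
    format) that hit the precomputed blocklist; these point at likely infected hosts."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        qname = fields.get("q", "").lower().rstrip(".")
        if qname in blocklist:
            hits.append(f"{fields.get('host', '?')} -> {qname}")
    return hits

if __name__ == "__main__":
    upcoming = enumerate_domains("2010-01-25", 4)  # four weeks from the post date
    sample_log = [  # constructed sample DNS log, not real traffic
        f"host=10.0.0.5 q={upcoming[1].upper()}.",
        "host=10.0.0.9 q=www.example.com.",
    ]
    print(flag_dns_queries(sample_log, set(upcoming)))
```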
Tags: botnet, torpig, video talks, youtube
Filed under technology.