Researchers at the University of California, Santa Barbara, say they seized control of the Torpig botnet for 10 days earlier in 2009 and uncovered 70GB worth of financial data, from credit card numbers to bank account credentials. Torpig, also known as Mebroot and Sinowal, has been called the stealthiest rootkit in the wild by security vendor Prevx.
Researchers at the University of California,
Santa Barbara, have published a
paper saying they turned up a treasure trove of stolen data after seizing
control of a notorious botnet.
The team of researchers
hijacked the Torpig botnet,
(PDF) which they linked to the theft of some
10,000 bank accounts and credit card numbers during a 10-day period. According
to the researchers, the compromised
were used by cyber-thieves to steal as much as 70GB of data
worth millions during that time frame.
Torpig, also known as Sinowal and Mebroot, has been dubbed by security
vendor Prevx the "stealthiest
in the wild today." Just recently, the group behind Torpig's
proliferation updated the malware to make it even harder to detect.
According to the paper, the U.C. Santa Barbara team observed more
than 180,000 bots
over the span of roughly a week and a half.
"In 10 days, Torpig obtained the credentials of 8,310 accounts at 410
different institutions," the team wrote. "The top targeted
institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One
(314), ETrade (304) and Chase (217)."
Also stolen were credit card numbers. The team extracted some 1,660 unique
credit card and debit card numbers from the data that was collected. Through IP
address geolocation, the team stated that some 49 percent of the numbers came
from victims in the United States,
while 12 percent came from Italy
and 8 percent from Spain.
Using statistics on the value of stolen credit card and debit card
information from Symantec
as a base, the U.C. researchers estimated the Torpig
controllers could have potentially pocketed as
much as $8.3 million
in that 10 days from sale of the stolen data.
There is also evidence that the botnet
controllers rented out
access to the network for a fee.
"If correct, this interpretation would mean that Torpig is actually
used as a 'malware service,' accessible to third parties who do not want or
cannot build their own botnet infrastructure," the researchers wrote.
The team of researchers said they stored the data and are working with law
enforcement and ISPs to notify victims.
"This cooperation also led to the suspension of the current Torpig
domains owned by the cyber-criminals," the researchers wrote.