Security Researchers Uncover 70GB of Financial Data Stolen by Botnet

Researchers at the University of California, Santa Barbara, say they seized control of the Torpig botnet for 10 days earlier in 2009 and uncovered 70GB worth of financial data, from credit card numbers to bank account credentials. Torpig, also known as Mebroot and Sinowal, has been called the stealthiest rootkit in the wild by security vendor Prevx.

Researchers at the University of California, Santa Barbara, have published a paper saying they turned up a treasure trove of stolen data after seizing control of a notorious botnet.

The team of researchers hijacked the Torpig botnet, which they linked to the theft of some 10,000 bank accounts and credit card numbers during a 10-day period. According to the researchers, the compromised bots were used by cyber-thieves to steal as much as 70GB of data worth millions during that time frame.

Torpig, also known as Sinowal and Mebroot, has been dubbed by security vendor Prevx the "stealthiest rootkit in the wild today." Just recently, the group behind Torpig's proliferation updated the malware to make it even harder to detect.

According to the paper, the U.C. Santa Barbara team observed more than 180,000 bots over the span of roughly a week and a half.

"In 10 days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions," the team wrote. "The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), ETrade (304) and Chase (217)."

Also stolen were credit card numbers. The team extracted some 1,660 unique credit card and debit card numbers from the data that was collected. Based on IP address geolocation, the team stated that some 49 percent of the numbers came from victims in the United States, while 12 percent came from Italy and 8 percent from Spain.

Using Symantec's statistics on the value of stolen credit card and debit card information as a base, the U.C. researchers estimated the Torpig controllers could have pocketed as much as $8.3 million in those 10 days from the sale of the stolen data.

There is also evidence that the botnet controllers rented out access to the network for a fee.

"If correct, this interpretation would mean that Torpig is actually used as a 'malware service,' accessible to third parties who do not want or cannot build their own botnet infrastructure," the researchers wrote.

The team of researchers said they stored the data and are working with law enforcement and ISPs to notify victims.

"This cooperation also led to the suspension of the current Torpig domains owned by the cyber-criminals," the researchers wrote.