Researchers Hijack a Botnet

A bunch of researchers at the University of California Santa Barbara took control of a botnet for ten days, and learned a lot about how botnets work:

The botnet in question is controlled by Torpig (also known as Sinowal), a malware program that aims to gather personal and financial information from Windows users. The researchers gained control of the Torpig botnet by exploiting a weakness in the way the bots try to locate their commands and control servers—the bots would generate a list of domains that they planned to contact next, but not all of those domains were registered yet. The researchers then registered the domains that the bots would resolve, and then set up servers where the bots could connect to find their commands. This method lasted for a full ten days before the botnet’s controllers updated the system and cut the observation short.

During that time, however, UCSB’s researchers were able to gather massive amounts of information on how the botnet functions as well as what kind of information it’s gathering. Almost 300,000 unique login credentials were gathered over the time the researchers controlled the botnet, including 56,000 passwords gathered in a single hour using “simple replacement rules” and a password cracker. They found that 28 percent of victims reused their credentials for accessing 368,501 websites, making it an easy task for scammers to gather further personal information. The researchers noted that they were able to read through hundreds of e-mail, forum, and chat messages gathered by Torpig that “often contain detailed (and private) descriptions of the lives of their authors.”

Here’s the paper:


Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected. While botnets have been “hijacked” before, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. This shows that botnet estimates that are based on IP addresses are likely to report inflated numbers. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of information from the infected victims. This opens the possibility to perform interesting data analysis that goes well beyond simply counting the number of stolen credit cards.

Another article.

Posted on May 11, 2009 at 6:56 AM21 Comments


bonz May 11, 2009 7:29 AM

UCSB’s security group is consistently incredible. They’re also the ones who poked all those holes in voting machines (and youtubed it), and also won ctf at defcon a few times.

Mat May 11, 2009 7:30 AM

I’m curious why the researchers didn’t attempt to destroy the botnet after the fact. Certainly they knew that it wouldn’t do anyone any good to perpetuate it.

Marq May 11, 2009 8:01 AM

“and cut the observation short.”. I’m taking that as they didn’t get chance to do all they wanted.

Tynk May 11, 2009 8:17 AM

It could be a few reasons. Of course as Marq noted, they simply could have ran out of time.
But you also have the possible mind set of a Researcher that does not directly interfere with it’s subject, or of course the gray legal line of “accessing unauthorized computer systems”. While the computers were initiating contact and they were only retrieving the data that was sent to them could be construed as legal. Once they interfere in the actions of systems that they do not have direct authority to access things could get a bit murkier.

Again, just some options, not saying any of those are actually, or even legitimate concerns.

Derob May 11, 2009 8:35 AM

@ Tynk et. al,

If I read well they say in the article that they are afraid to change the behavior of the botnet from trying to alter it and subsequently causing failure of infected systems (they mention Hospital systems as example)

Mjc May 11, 2009 8:55 AM

Intervention in the botnets operation could have had unexpected side-effects, especially when the “mebroot” component (installed in the MBR) has the potential to prevent the OS booting. The headlines could well have read “University of California Santa Barbara’s control of Botnet nukes 180,835 computers…”

In a similar experiment the “BBC Click” programme in the UK opted to change the Desktop wall-paper of the infected computers, alerting the owner to the infection and offering advice on curing the problem.

It’s not unreasonable to assume that the UCSB researchers could have done something similar had the Botnet’s masters not intervened with the mebroot’s C&C server (which they still controlled).

Ralph May 11, 2009 9:29 AM

The interesting part of this research is that the team has collected enough data to gain insights that were impossible without taking over the botnet’s command and control server. Well one of them, as obviously the new technique of using different CC servers allows to separate a part of the botnet from the other CC servers by sending the victims the proper responses.
Interestingly the takeover was assisted by the DoD, FBI and various ISPs, so that it’s likely to be more of a supervised activity than a pure, independent research effort.
Let’s hope that the data gathered will be used to gain an unequalled understanding of the internal mechanisms that botnets use to be able to implement effective means of defense.

Karl May 11, 2009 10:31 AM

Will we ever see smart card authentication replace passwords? I would love to have the option to do that. I already carry credit/debit cards everywhere I go, it would be so worth the tradeoff to carry just one more card and know only one password…

-ac- May 11, 2009 11:23 AM

I would like to see a university program work on a package to deploy to systems via a captured botnet to somewhat safely sanitize the zombie pc/server. A lot of research is in studying the malware, what is being done to facilitate the cure?

Tynk May 11, 2009 11:33 AM

The cure, much like most security issues, is training and cultural changes.
Forcefully correcting systems could lead to any number of data corruptions on the infected machines, an informational message to the infected devices would be safer and in the “give a man a fish” theory more beneficial to the end users in the long run.

Steven Hoober May 11, 2009 2:41 PM

The cure, much like most security issues, is training and cultural changes.

Interesting philosophical discussion. Is that true?

Sure, preventative medicine is good (and cheap, and all that) but what if every doctor you went to told you to suck up that cancer cause you shoulda stayed away from risk factors, handily outlined in this phamplet. Now, in the future, please remember this.

Same for machinery that is poorly PM’d. We don’t scrap everything on principle, but fix it. IS there a plausible /theory/ of mass inoculation for computers/networks even?

Tynk May 11, 2009 5:52 PM

@Steven Hoober
Interesting, but both of your examples fit.
If you get a virus, or cancer, you go to the doctor and they do what they can to fix you, on your way out they tell you how to try and prevent it from happening in the future. Stop smoking, lose wait, eat better, exercise more.

And my understanding is that when ever you buy machinery you receive a manual detailing proper procedures to allow your machine to last longer with out problems. They tell you to change your oil, we tell them to run a virus scan every day/week/month. They tell them not to smoke, we tell them not to open links in emails…

Same thing. Train a person who to live healthy, they live longer. Train a person to keep their car maintenanced they get to drive it longer. Train a person to tred safely on the internet, they keep their computer running safely longer.

old guy May 11, 2009 6:05 PM


I think the cost of smart cards still might out weigh the cost of compromised systems, though some institutions are issuing them for their systems. I have read engineers looking at a different Internet have proposed a Single Sign On ID.

PackagedBlue May 11, 2009 8:44 PM

Would be interested in reading good comments on hopefully neat article of NSA vs West Point “hack test.”

See slashdot on todays date, for article links.

My comment, sorry west point, but this type of security, Fedora 8, MySQL, Apache, FreeBSD routers, is LAME.

Any stock *BSD will get owned hard by NSA, and even good hackers, it just costs $! One would expect that NSA can do any scripted up BSD on most hardware very fast.

Hardware sure matters a lot, especially when you have seen some weird stuff before.

Jonathan Wilson May 12, 2009 1:39 AM

I think that the idea of replacing the desktop background of infected machines with a warning that the machine is infected and details of how to clean it up is good.

David May 12, 2009 12:16 PM


Right now, I’m carrying several cards that can be used for things like cleaning out my checking account and getting me into other trouble. However, I know a few things, like PINs and passwords, that can be used to restrict what can be done.

If I carry another card in my wallet, enabling all the current ones to be used to their fullest without any restriction, I’m in real trouble if I lose my wallet.

Mr E May 12, 2009 3:43 PM


Astroturfing for microsoft I guess?

I seriously doubt a stock OpenBSD system will get owned just like that. Is it possible? Of course, as most things in computers are. However blanket statements that are seriosly bent, have no facts and are prmarily designed to promote FUD about open source seriously undermine your effort.


Bob May 15, 2009 10:17 AM

… replacing the desktop background of infected machines with a warning that the machine is infected and details of how to clean it up …

Unfortunately, a variation of this technique is already being used by hackers who put some code on web pages that tell the user that their system is infected, and points them to a site where they can purchase a “spyware, and virus removal” program. Unfortunately, this program, when run actually infects the system… (sigh)

So, how is the user to know if this is a fake, or actual “you are infected” message?!?

Vance May 16, 2009 1:08 AM

I only skimmed the paper, but was a bit surprised not to see a note that the study had been approved by a Human Subject Review Board or similar. Is it not standard practice to have an ethics review of such research in advance, especially given the private and sensitive nature of the data expected to be collected?

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.