
Analysis of Botnet Takeover

Hi, I’m Korey Murphy, and I am going to be discussing what the Torpig botnet is and what it does.

The article brings attention to a problem with a piece of malware called the Torpig botnet. It is used by cyber criminals to harvest data from its victims, such as bank account and credit card information. Torpig uses the Mebroot rootkit to bypass security systems such as firewalls. Mebroot isn’t malicious on its own, but it provides a generic platform that installs, uninstalls, and activates other modules like DCC.

Torpig is distributed as part of Mebroot. Mebroot is a rootkit that takes control of your machine by replacing its Master Boot Record (MBR), so it infects the computer while it is booting up. Victims are infected through drive-by-download attacks when a person visits a vulnerable website, and the malware then updates itself. It can remain undetected by timestamping itself to match pre-existing files and by contacting its C&C server at two-hour intervals to potentially receive more updates. Torpig relies on a complex network infrastructure to infect machines, retrieve updates, perform active phishing attacks, and send its stolen information to its C&C server.

Botnets have located their C&C server hosts through IP addresses, DNS names, or node identifiers in peer-to-peer overlays. Torpig uses domain flux, in which a domain generation algorithm computes a list of domain names. Botmasters use the Mebroot domain to upgrade, remove, and install new malware components that the criminals control tightly. Once it is in, it can steal history from its victim.
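The defensive side of domain flux is that anyone who knows the generation algorithm can compute tomorrow’s domains in advance and watch for (or sinkhole) them. The following is an added example, not code from the paper and not Torpig’s actual algorithm: a constructed date-seeded DGA, a constructed DNS query log, and a check that flags clients resolving the generated names; all names and the log format are assumptions.

```python
import hashlib
import re
from datetime import date, timedelta

TLDS = ("com", "net", "biz")

def generate_domains(day: date, count: int = 5, seed: str = "demo") -> list[str]:
    """Toy date-seeded DGA (constructed for illustration, not Torpig's real one).
    Every bot derives the same list for a given day, so a defender who knows the
    scheme can precompute the names and pre-register, block or sinkhole them."""
    domains = []
    for i in range(count):
        material = f"{seed}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        # Map 10 hex byte-pairs onto letters a-z to build a lowercase label.
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 20, 2))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

# Assumed syslog-like resolver format: "<timestamp> <client-ip> query <name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<name>\S+)$")

def flag_dga_lookups(log_lines, day: date, lookahead_days: int = 1) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, name) for each lookup of a domain the DGA
    produces for `day` or for the next `lookahead_days` days."""
    watch = set()
    for offset in range(lookahead_days + 1):
        watch.update(generate_domains(day + timedelta(days=offset)))
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("name").lower().rstrip(".") in watch:
            hits.append((m.group("ts"), m.group("client"), m.group("name")))
    return hits

SAMPLE_DAY = date(2024, 3, 1)
# Constructed log lines; the second one resolves a name from that day's DGA list.
SAMPLE_LOG = [
    "2024-03-01T10:00:00 10.0.0.7 query www.example.com",
    f"2024-03-01T10:00:01 10.0.0.5 query {generate_domains(SAMPLE_DAY)[1]}",
    "2024-03-01T10:00:02 10.0.0.9 query mail.example.org",
]

def demo() -> list[tuple[str, str, str]]:
    return flag_dga_lookups(SAMPLE_LOG, SAMPLE_DAY)

if __name__ == "__main__":
    for ts, client, name in demo():
        print(f"{ts} {client} resolved DGA domain {name}")
```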

The data items sent to the C&C server by Torpig bots include form data, email, Windows passwords, POP accounts, HTTP accounts, SMTP accounts, mailbox accounts, and FTP accounts. Torpig’s size is determined by how many bots there are and how they attack computers. It goes after information that is easy to monetize in the underground market, particularly financial information such as bank account and credit-card numbers. These will be the target of phishing attacks.

The Torpig botnet is always changing as people start catching on to how to get rid of it. It has improved its man-in-the-browser functionality using a modified version of the Sizzle JavaScript library to hide fraudulent transactions when a victim logs into a compromised account. This gives the criminal enough time to transfer money out before he or she is noticed. These botnets are a form of larceny that strikes like a ninja from the trees in the dead of night: undetected, silent, and swift.

One thing that did surprise me is how easy it is to get infected by botnets. All it requires is to be on an unprotected website, and then it latches on to your files and stays there without being noticed. It is a special leech that steals in silence, and it is very sophisticated, as it knows how to stay undetected. It comes and goes and takes the information it came for, with the victim being none the wiser.

The new term I learned was C&C server. It stands for command and control, and they are centralized machines that are able to send commands to and receive outputs from machines that are part of a botnet. The attacker can give instructions to perform an attack on a particular target, and any infected machines communicating with the contacted C&C server will comply by launching a coordinated attack.

Chapter 11, Phishing e-mails, relates to my article because that is what Torpig does. It is designed to steal information like identity. It picks targets that it can monetize in the underground market.


B. Stone-Gross, M. Cova, B. Gilbert, R. Kemmerer, C. Kruegel, and G. Vigna, “Analysis of a Botnet Takeover,” IEEE Security and Privacy Magazine.
