Once upon a time, you could avoid malware by staying away from “seedy” websites. But the Torpig botnet—aka Sinowal, aka Mebroot—proved that even reputable business websites could be compromised and refer traffic to malicious download sites.
First spotted in late 2007, with widespread recognition in March 2008, Torpig targeted users’ financial information, such as bank account and credit card login credentials. In a 2009 paper, researchers from the University of California, Santa Barbara, detailed their 10-day takeover of Torpig, which greatly enhanced general understanding of botnet-style malware. Within the 10-day period, researchers documented more than 180,000 infected devices and an estimated 70 GB of stolen data. The data comprised more than 10,000 bank account and credit card numbers from multiple countries, as well as credentials for PayPal, eTrade and Poste Italiane.
The origins of Torpig
What made Torpig so sophisticated was the dynamic nature of its redirects. Instead of referring users to a static domain, Torpig relied on a complicated three-part algorithm to generate new domains. Two of the algorithm elements were date-based, but the third was notoriously unpredictable: the second character of the search term currently most popular on Twitter.
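The three-part structure described above, as an added teaching model (not Torpig's actual code, which is not on this page): two date-derived parts plus one part taken from an external, unpredictable seed. The point for a defender is that the date parts can be precomputed for any day, so the only unknown is the seed character, which ranges over a small alphabet and can be enumerated to build a sinkhole or blocklist ahead of time. The hashing, part lengths, TLD list and the fallback for short terms are all assumptions of this example.

```python
"""Constructed model of a date + external-seed domain generation scheme.

NOT Torpig's real algorithm: a teaching model of the structure the post
describes (weekly part, daily part, one character from a trending term).
"""
import datetime
import hashlib
import string

SEED_ALPHABET = string.ascii_lowercase + string.digits  # 36 possible seed characters
TLDS = ("com", "net", "biz")  # assumed TLD list for the model


def _date_part(day: datetime.date, salt: str, length: int) -> str:
    """Deterministic lowercase letters derived from a date plus a salt."""
    digest = hashlib.sha256(f"{day.isoformat()}|{salt}".encode()).hexdigest()
    # Take `length` byte pairs from the hex digest and map each to a letter.
    return "".join(SEED_ALPHABET[int(digest[i:i + 2], 16) % 26]
                   for i in range(0, 2 * length, 2))


def generate_domain(day: datetime.date, trend_char: str, tld: str = "com") -> str:
    """Weekly part + daily part + externally seeded character, then TLD."""
    week_start = day - datetime.timedelta(days=day.weekday())  # Monday of that week
    weekly = _date_part(week_start, "weekly", 4)
    daily = _date_part(day, "daily", 4)
    return f"{weekly}{daily}{trend_char.lower()}.{tld}"


def extract_trend_char(trending_term: str) -> str:
    """Seed = second character of the trending term (hashtag stripped).
    Assumed fallback: terms shorter than two characters yield 'a'."""
    term = trending_term.strip().lstrip("#")
    return term[1].lower() if len(term) > 1 else "a"


def candidate_domains(day: datetime.date) -> list[str]:
    """Defender view: since only the seed character is unknown in advance,
    enumerate every domain the model could produce for `day`."""
    return sorted({generate_domain(day, c, tld)
                   for c in SEED_ALPHABET for tld in TLDS})


if __name__ == "__main__":
    sample_day = datetime.date(2009, 5, 4)  # constructed sample date
    print(generate_domain(sample_day, extract_trend_char("#swineflu")))
    print(len(candidate_domains(sample_day)), "domains to pre-register or block")
```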
The UCSB researchers noted that routine security patches offered the best protection against Torpig—but also that users weren’t very good at installing them.
Photo: Portrait Image Asia / Shutterstock