Once upon a time, you could avoid malware by staying away from “seedy” websites. But the Torpig botnet—aka Sinowal, aka Mebroot—proved that even reputable business websites could be compromised and refer traffic to malicious download sites.
First spotted in late 2007, with widespread recognition in March 2008, Torpig targeted users’ financial information, such as bank account and credit card login credentials. In a 2009 paper, researchers from the University of California, Santa Barbara, detailed their 10-day takeover of Torpig, which greatly enhanced general understanding of botnet-style malware. Within the 10-day period, researchers documented more than 180,000 infected devices and an estimated 70 GB of stolen data. The data comprised more than 10,000 bank account and credit card numbers from multiple countries, as well as credentials for PayPal, eTrade and Poste Italiane.
The origins of Torpig
Torpig earned its “Mebroot” alias as a rootkit that infects the master boot record (MBR), which loads before the computer’s operating system and is thus more difficult for security systems to scan. Users picked up Mebroot on Javascript-compromised websites that led them to centralized download servers, which then infected devices with the botnet. The botnet gave Mebroot’s creators control over an infected computer and the ability to harvest data from it in 20-minute increments.
What made Torpig so sophisticated was the dynamic nature of its redirects. Instead of referring users to a static domain, Torpig relied on a complicated three-part algorithm to generate new domains. Two of the algorithm elements were date-based, but the third was notoriously unpredictable: the second character of the search term currently most popular on Twitter.
The UCSB researchers noted that routine security patches provided the amplest protection from Torpig—but also that users weren’t very good at installing them.
Photo: Portrait Image Asia / Shutterstock
