University of California researchers take over Torpig botnet to reveal number of IPs controlled is vastly overrated

News by Dan Raywood

A team at an American university has been able to take over control of the Torpig botnet

A team at an American University has been able to take over control of the Torpig botnet.


The team at the University of California Santa Barbara took over the Torpig botnet by sneakily claiming the domain name that was the next in line to be the command-and-control server.


Writing on his personal blog Dr Boaz Gelbord, executive director of information security at Wireless Generation, claimed that the Torpig botnet uses an increasingly popular technique where client machines try dialling into a set of pre-determined domain names and accept the first server to respond as the botmaster.


As the UCSB researchers took over the Torpig botnet, they found that the botmasters behind Torpig had not claimed all the domain names that their victims were meant to dial into, either to save money or because they did not see this coming.


This meant that the UCSB team found itself in control of a botnet with hundreds of thousands of hosts. This allowed it to reveal that the problem of botnets is not as bad as previously thought, as previous studies have counted IP addresses rather than actual hosts when estimating the size of a botnet.


In the botnet the UCSB team analysed, they counted 182,900 hosts versus 1,247,642 IP addresses, with evidence suggesting that IP addresses generally over count actual machines.

The authors claimed that the ‘victims of botnets are users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites'. They also claimed that this was evidence that the malware problem is fundamentally a cultural problem.


The report said: “Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behaviour when using a computer.


“Therefore, in addition to novel tools and techniques to combat botnets and other forms of malware, it is necessary to better educate the internet citizens so that the number of potential victims is reduced.”


It also concluded that interaction with registrars, hosting facilities, victim institutions and law enforcement is ‘a rather complicated process'.


The report said: “In some cases, simply identifying the point of contact for one of the registrars involved required several days of frustrating attempts. We are sure that we have not been the first to experience this type of confusion and lack of coordination among the many pieces of the botnet puzzle.


“However, in this case we believe that simple rules of behaviour imposed by the US government would go a long way toward preventing (or sanctioning) obviously-malicious behaviour. Even though botnets are a global problem, the United States could effectively enforce rules of behaviour that might make it harder for the botmaster to use the nation's cyber infrastructure with impunity.”


Gelbord said: “Regulatory measures will not completely address the botnet issue, but would potentially significantly change the risk/time-invested/reward ratio. Botnets take a high degree of technical expertise to set-up and are of only limited value. A tighter regulatory regime could significantly reduce the incentive for botmasters.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews