Tuesday, June 2, 2009

Torpig: The most advanced pieces of crimeware ever created, Part 1

A group of researchers from the University of California, Department of Computer Science, Security Group published a comprehensive study [must read] of what is known as "The most advanced pieces of crimeware ever created".

Torpig deserves a lot of attention from the community, so I decided to write two posts about it.
Part 1 will be just an overview of how Torpig works, and, most importantly, Part 2 will discuss the weaknesses of Torpig and raise the question: "If this malware were designed without these weaknesses (I'll suggest how), how could the good guys defeat it?"

Torpig is a sophisticated malware program designed to harvest sensitive information (such as bank account and credit card data) from the machines it infects.
What is unique about this malware is the combination of its ability to spread, collect sensitive information from infected machines, and communicate with the botmaster to provide him with the collected data.

First, let's start by understanding how this malware works, according to the paper.

* The malware spreads using different techniques (e.g. drive-by download).
The notable fact here is that there are at least 182,800 infected machines, and the number is increasing.

* The downloaded executable acts as an installer for Mebroot. The installer injects a DLL into the file manager process (explorer.exe), and execution continues in the file manager’s context.
This makes all subsequent actions appear as if they were performed by a legitimate system process. The installer then loads a kernel driver that wraps the original disk driver (disk.sys). At this point, the installer has raw disk access on the infected machine. The installer can then overwrite the MBR of the machine with Mebroot. After a few minutes, the machine automatically reboots, and Mebroot is loaded from the MBR.
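Because the installer's end goal is to overwrite sector 0 of the disk, a simple defensive check is to keep a baseline hash of the MBR boot code and periodically re-read the first 512 bytes and compare. The example below is added here and is not code from the paper or from the blog author; it parses the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and reports any difference from a baseline. The sample MBR bytes are constructed placeholders, not real bootloader or Mebroot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445: boot code executed by the BIOS
PARTITION_TABLE_OFFSET = 446   # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511: required boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, offset)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline and looks sane."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible MBR overwrite)")
    for i, p in enumerate(info["partitions"]):
        # Only 0x00 (inactive) and 0x80 (bootable) are valid status bytes.
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR for the example: given boot code, one NTFS partition, valid signature."""
    boot = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    # status=0x80 (bootable), type=0x07 (NTFS), LBA start 2048, 204800 sectors; CHS fields zeroed
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48           # three empty entries
    return boot + table + BOOT_SIGNATURE


# Constructed sample data: a "known good" MBR and one whose boot code has been replaced.
# The byte values are placeholders, not real bootloader or Mebroot code.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe\x90\x90")

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

On a real system the 512 bytes come from the raw device (for example `/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows, both needing administrative rights). One caveat follows directly from the post: since the installer wraps the disk driver, a read made from inside the running OS is not trustworthy, so both the baseline and the comparison copy should be taken from boot media or an offline image.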

* The malware gathers sensitive information using many techniques (e.g. capturing all web traffic from the infected machine, phishing attacks against banks and major financial sites such as PayPal, and harvesting data from email clients, instant messengers, etc.).

* The malware uses "domain flux": it periodically generates a large list of domain names that infected machines are to report to.
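Domain flux has a side effect a defender can watch for: because most of the generated names are never registered, an infected host produces a burst of NXDOMAIN responses for distinct, unrelated-looking names. The example below is added here, not taken from the paper or from the post, and it assumes a simple resolver log format (timestamp, client IP, queried name, response code); the log lines are constructed for the example and are not real traffic. It flags clients with many distinct NXDOMAIN names and a high NXDOMAIN ratio, and separately lists second-level labels a client tried under several TLDs, which is my own heuristic, not something the post claims about Torpig.

```python
from collections import defaultdict

# Constructed resolver log lines: timestamp, client IP, queried name, response code.
# Made up for this example; not taken from the paper or from real traffic.
SAMPLE_DNS_LOG = """\
2009-06-02T10:00:01 10.0.0.5 www.example.com NOERROR
2009-06-02T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-06-02T10:00:03 10.0.0.7 kqxzfhpwa.com NXDOMAIN
2009-06-02T10:00:03 10.0.0.7 kqxzfhpwa.net NXDOMAIN
2009-06-02T10:00:04 10.0.0.7 rtmbvuoqc.com NXDOMAIN
2009-06-02T10:00:04 10.0.0.7 rtmbvuoqc.net NXDOMAIN
2009-06-02T10:00:05 10.0.0.7 zlpqnwxfd.com NXDOMAIN
2009-06-02T10:00:05 10.0.0.7 zlpqnwxfd.biz NXDOMAIN
2009-06-02T10:00:06 10.0.0.7 hgtyvmqoi.com NOERROR
2009-06-02T10:00:07 10.0.0.9 www.example.org NOERROR
2009-06-02T10:00:08 10.0.0.9 typo-exampel.com NXDOMAIN
"""


def parse_dns_log(text: str) -> list:
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower(), "rcode": rcode})
    return records


def nxdomain_stats(records: list) -> dict:
    """Per client: total queries, NXDOMAIN count and the set of distinct NXDOMAIN names."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for r in records:
        s = stats[r["client"]]
        s["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"].add(r["qname"])
    return stats


def flag_domain_flux_clients(records: list, min_distinct_nx: int = 5,
                             min_nx_ratio: float = 0.5) -> list:
    """Clients whose failed lookups are both numerous and diverse; thresholds are tunable."""
    flagged = []
    for client, s in nxdomain_stats(records).items():
        ratio = s["nx"] / s["total"]
        if len(s["nx_names"]) >= min_distinct_nx and ratio >= min_nx_ratio:
            flagged.append(client)
    return sorted(flagged)


def labels_tried_under_several_tlds(names) -> set:
    """Second-level labels that appear under two or more TLDs (heuristic, my assumption)."""
    tlds_by_label = defaultdict(set)
    for name in names:
        parts = name.split(".")
        if len(parts) >= 2:
            tlds_by_label[parts[-2]].add(parts[-1])
    return {label for label, tlds in tlds_by_label.items() if len(tlds) >= 2}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for client in flag_domain_flux_clients(recs):
        names = nxdomain_stats(recs)[client]["nx_names"]
        print(client, sorted(names), labels_tried_under_several_tlds(names))
```

The thresholds are starting points; on a real resolver they should be calibrated against the normal NXDOMAIN rate of the network (typo traffic, stale bookmarks, and anti-spam DNS lookups all produce legitimate failures, which is why the example requires both a high ratio and many distinct names before flagging a host).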

Well, this is how Torpig generally works; please refer to the paper for more details. Follow the next post, which will discuss the weaknesses of Torpig and how they could have been mitigated.
