User:Stacksth/torpig

Torpig, also known as Sinowal or Anserin (mainly spread by Mebroot rootkit), is a type of botnet spread by a variety of trojan horses which can affect computers that use Microsoft Windows. Torpig circumvents anti-virus applications through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

Torpig was created before Mebroot, but started using Mebroot as a base for software maintenance and stealth when it became available. When Windows Vista/7 came out, the creators of Torpig were forced to detach Torpig from Mebroot, since Mebroot only worked under Windows XP. Therefore, a new version of Torpig was created as a DLL-only user-mode version in June 2011. However, a new variety of Torpig has since emerged that once again implements the Mebroot architecture.

In early 2009, a team of security researchers from the University of California, Santa Barbara took control of the botnet for ten days. During that time, they extracted an unprecedented amount of stolen data (over 70 GB) and redirected 1.2 million IPs to their private command and control server. Their report goes into great detail about how the botnet operates.

Functionality

 * Turns off anti-virus applications
 * Allows others to access the computer
 * Modifies data on the computer
 * Steals information like user/passwords from browser and email, certificates, and banking information
 * Drops more malware

Infection Vectors
The trojan is known to be bundled with Mebroot and distributed through it, although not limited to it.

It also infects hosts through a number of other methods that are well-known threats in their own right.

Communication

 * Uses domain flux to communicate with command and control servers
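
On a resolver, domain flux looks like a burst of lookups for generated names that do not exist, ending with one that does. The detector below, an added example that is not part of this page or of the UCSB report, flags that pattern in constructed DNS log lines; the log format, the 60-second window and the threshold of four failures are assumptions chosen for illustration, not values from Torpig.

```python
from collections import defaultdict, deque

# Constructed resolver log (not real Torpig traffic), one query per line:
# "<epoch> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000010 10.0.0.9 qzkwxtgp.com NXDOMAIN
1700000011 10.0.0.9 hvbrnslq.net NXDOMAIN
1700000012 10.0.0.9 pltyjwmc.biz NXDOMAIN
1700000013 10.0.0.9 xrmfkqdw.com NXDOMAIN
1700000014 10.0.0.9 gnvpzthl.com NXDOMAIN
1700000015 10.0.0.9 cwdqsxbm.net NOERROR
1700000020 10.0.0.7 cdn.example.org NOERROR
1700000021 10.0.0.7 static.example.org NXDOMAIN
"""

WINDOW_SECONDS = 60       # assumed sliding window for counting failures
NXDOMAIN_THRESHOLD = 4    # assumed number of failures that raises an alert

def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            events.append((int(ts), client, qname.lower(), rcode))
    return events

def detect_domain_flux(events, window=WINDOW_SECONDS, threshold=NXDOMAIN_THRESHOLD):
    """Return {client: {"nxdomain": [...], "resolved_after_burst": [...]}} for every
    client whose NXDOMAIN answers within any `window`-second span reach `threshold`.
    A NOERROR answer that follows such a burst is recorded separately: it is the
    name the client settled on and the one a defender would pivot on first."""
    recent = defaultdict(deque)   # client -> deque of (ts, qname) recent NXDOMAINs
    alerts = {}
    for ts, client, qname, rcode in sorted(events):
        q = recent[client]
        while q and ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if rcode == "NXDOMAIN":
            q.append((ts, qname))
            if len(q) >= threshold:
                entry = alerts.setdefault(client, {"nxdomain": [], "resolved_after_burst": []})
                entry["nxdomain"] = [name for _, name in q]
        elif rcode == "NOERROR" and client in alerts and q:
            alerts[client]["resolved_after_burst"].append(qname)
    return alerts

if __name__ == "__main__":
    for client, info in detect_domain_flux(parse_log(SAMPLE_LOG)).items():
        print(client, "failed:", info["nxdomain"], "then resolved:", info["resolved_after_burst"])
```

Only 10.0.0.9 is flagged: 10.0.0.7's single NXDOMAIN is ordinary noise, which is why the window and threshold, rather than any single failed lookup, carry the detection.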

Symptoms
Some symptoms might be a sluggish machine, pop-ups during browsing and emails being sent without your knowledge.

However, it is likely that there will not be any noticeable symptoms of the infection during normal use.

Propagation
Torpig does not self-replicate; it needs to be spread manually, often using rootkits like Mebroot.

Prevention

 * Have fully updated anti-virus software
 * Ensure operating system is fully updated

Recovery/Cleanup
To recover from an infection, the following steps should be taken (for more detailed instructions, please read these articles from Symantec and Sophos):
 * Disable System Restore (Windows Me/XP).
 * Update the virus definitions.
 * Run a full system scan and delete all infected files.
 * Delete the value that was added to the registry.

Since this specific trojan is well known to be distributed with the rootkit Mebroot, steps should be taken to ensure that the machine is not infected by that as well.

Status
Torpig is still active and under the control of cyber-criminals.

Public Efforts
A group of researchers at the University of California-Santa Barbara boldly hijacked a notorious botnet known for stealing financial information and discovered that the botnet is even more dangerous than had been thought. Researchers at the University of California at Santa Barbara have published a report (PDF) that exposes details about how the infamous Torpig/Sinowal/Anserin botnet operates, its makeup, who it typically victimizes, and just what type of financial data it's stealing. The researchers seized control of the botnet for 10 days in late January, after which Torpig's operators reclaimed it.

The report can be found here: http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

Affiliation
Torpig is closely affiliated with the rootkit Mebroot. Mebroot is known to distribute Torpig during infection, and is often categorized as being the same piece of malware.