A handful of academic researchers recently completed another thorough and fascinating report about Torpig: “Taking over the Torpig Botnet“. Torpig is an especially evil little piece of Crimeware. Over the past couple of years, ThreatFire has been preventing fairly high numbers of Torpig/Sinowal/Anserin infections all over the world, keeping this bank account and credit card number snorting nastiness penned up.
One of the more interesting updates from the report about new versions of the bot is its use of Twitter trend data in generating url data in its fast flux domain algorithm: “A recent update to this algorithm is particularly interesting. Similarly to the previous version, the new algorithm uses the current date to generate the drive-by-download domain. However, the new algorithm also relies on search trends from Twitter to generate one additional seed byte. More precisely, the algorithm fetches the URL http://search.twitter.com/trends/weekly.json?callback=c&exclude=hashtags. This URL returns a JSON object that contains trends for searches on twitter, organized by date. The algorithm gets the trend data for the day before yesterday (4/25 in our case) and extracts the second letter from the first data item (for 4/25, it was “TGIF”, so it gets ‘G’). This letter is then used to calculate a “magic number”, which is used to compute the domain name as shown in the screenshots below.”
This morning, ThreatFire made bacon of another attempted Torpig infection, also detected as Trojan.Anserin, Troj/Torpig-Gen, and Trojan-Spy.Win32.Small.dg. That’s one less infection that will not be added to the 180,000 infections that the researchers observed in a 10 day period, because TF prevented its associated BoF exploit targeting none other than Adobe Acrobat v8.0. One of the first things that the delivered spyware performs is to infect the system’s Mbr, and ThreatFire prevents its raw disk write to DeviceHarddisk0DR0.
ThreatFire prevents multiple behaviors of this guy on a daily basis.
The site itself, defaptgvif.com, continues to serve up exploits. Do not visit the site.