30 April 2009

Experts hijack Torpig botnet to learn more about its extent

In their research, experts from the Computer Security Group of the University of California at Santa Barbara (UCSB) were able to take over the Torpig botnet for ten days. The resulting report shows that during the period of observation, the Torpig Trojan was able to steal 8,310 accounts from 410 different financial institutions and establishments, and even account details of 1,660 credit cards.

Torpig, also known as Sinowal, is a banking Trojan that has been active for three years and is considered one of the most resilient and advanced pieces of malware currently in circulation. It is distributed by a rootkit known as Mebroot, which installs itself in a machine's Master Boot Record (MBR). That makes it harder to detect with traditional antivirus software, which runs at a higher level than the MBR and so loads only after the rootkit is already in control.

A particularly advanced technique used by Torpig is called domain flux: every so often, each infected machine runs an algorithm that generates a fresh list of domain names. Torpig then regularly tries each domain in the list, looking for one that answers as a command and control server. The researchers at UCSB hijacked the botnet by exploiting this feature: because the list is predictable, they registered some of the generated domains ahead of time and received the bots' connections themselves, until the operators regained control after ten days.
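The mechanism that made the takeover possible is that every bot derives the same domain list from the same input, so whoever knows the algorithm can compute the list before the bots do. The following added example (not code from the article or from the UCSB study) models that from the defender's side with a constructed, date-seeded toy generator that is not Torpig's real algorithm: it computes the names a defender would need to pre-register for an observation window, then flags hosts in a constructed DNS log that query those names. The sample log, the window dates and the hostnames are all made up.

```python
import hashlib
from datetime import date, timedelta

# Constructed suffix list; not the suffixes the real malware used.
TLDS = ("com", "net", "biz")


def toy_dga(day, count=5):
    """Constructed stand-in for a domain flux generator.

    Every host deriving names for the same day gets the same list, which is
    the property a defender who has reversed the algorithm relies on to
    register (sinkhole) the names before the operators do.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        # Map the first ten hex digits onto letters a-p to form a label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:10])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def sinkhole_candidates(start, days):
    """Set of names a defender would pre-register for the coming window."""
    return {n for d in range(days) for n in toy_dga(start + timedelta(days=d))}


def flag_dga_queries(dns_log, window):
    """Return the sorted source hosts whose queries hit the generated set."""
    return sorted({src for src, qname in dns_log
                   if qname.rstrip(".").lower() in window})


WINDOW_START = date(2009, 4, 20)          # constructed ten-day window
WINDOW = sinkhole_candidates(WINDOW_START, 10)

# Constructed resolver log of (source host, queried name). Two hosts query
# names the generator emits on days inside the window, one queries only
# ordinary names, and one queries a name from a day after the window closed.
SAMPLE_LOG = [
    ("10.0.0.5", toy_dga(date(2009, 4, 21))[0]),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.9", "mail.example.net"),
    ("10.0.0.12", toy_dga(date(2009, 4, 29))[2] + "."),   # FQDN with trailing dot
    ("10.0.0.20", toy_dga(date(2009, 5, 3))[0]),
]

if __name__ == "__main__":
    print("pre-register:", len(WINDOW), "names")
    print("hosts querying generated names:", flag_dga_queries(SAMPLE_LOG, WINDOW))
```

The same matching logic, fed by a real generator reversed from a sample and by real resolver logs, is how a sinkhole operator both claims the names in advance and counts the infected hosts that call in.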

Although experts believe the primary aim of Torpig's operators is to defraud financial institutions and their customers for profit, Torpig also performs identity theft on the machines it infects. The malware can log user input from browsers such as IE, Firefox and Opera, from email applications such as Outlook and Thunderbird, and even from instant messengers including ICQ and Skype.

Torpig can also perform phishing attacks on the local machine, injecting malicious forms into legitimate websites as the page is loaded in the browser. Sensitive financial information is the usual target, and users can easily fall prey to these attacks because the forms are injected on the infected machine itself, so they appear even during SSL-secured sessions and the padlock offers no protection.

The researchers were able to collect 70GB of data during the study and an estimated 182,200 bots connected to their hijacked domain. However, researchers believe that the true size of the botnet cannot yet be inferred from this number.

From the varying build names attached to certain stolen records, they also concluded that the operators of Torpig may be offering their services, and the data they collect, to other criminal organizations seeking access to personal and financial information. They inferred that each build name may correspond to a separate "customer" using those services.

© Copyright 1999-2012: SecPoint®