Security researchers have managed to infiltrate the Torpig botnet, a feat that allowed them to gain important new insights into one of the world's most notorious zombie networks by collecting an astounding 70 GB worth of data stolen in just 10 days. During that time, Torpig bots stole more than 8,300 credentials used to login to …
Absolutely shocking, this is incredible.
You what? Password rotation makes little to no difference here.
This thing is reading the passwords directly, there's no cracking or guessing needed.
It's like a coroner doing an autopsy on a murder victim and testily observing that they didn't brush their teeth or clean under their nails.
Well done those researchers… and isn't THIS what the BBC should have waited for instead of hiring a botnet?
master boot record
I'm still puzzled that MBR is still so open and easy to attack .... can we finally have read-only boot partition which does not allow to load anything prior kernel?
The Interwebs are the Devil's work!
Behold, the wages of sin is the Interwebs!
Much better than the BBC
This is the sort of research that needs to be published. Listen up BBC, you don't have to go around compromising other PCs with botnets to get at the data....
Read only MBR
I was under the impression that a lot of BIOS allow you to set a "read only" MBR.
I've used it many times before, in fact I probably first came across it in the late 1980's.
As I recall it used to play havoc with certain DOS-based disk management software.
What's the best way to get an infection?
So there's 180,000 infected machines. I would be curious to know if they didn't have a firewall, operated as root, or if 180,000 users just had an irresistible penchant for clicking on mystery scripts.
I believe that most (or many at least) modern BIOSes offer an anti-virus feature that protects the master boot record, if you turn it on. Is yours turned on? The ordinary user won't know about this feature or how to use it. Some readers of The Reg are ordinary by this definition.
well where is the cure please
and yes jumper settings to read protect mbr please
180,000 infected PC's ?
I didn't realise you could infect a PC
Do you mean 180,000 infected operating systems? Are they Windows PC's by any chance?
Please report the facts
oh, is it a windows box? is it time for us to start on about how windows can be infected while rolling out that high horse of how my operating system's security can kick your system's security's arse?
and I bet the average reg reader knows its the software being infected, not the hardware.
Good to see the the people posting about about the MBR really have done there research and actually know what the MBR is used for, errrr emmm errrr yaaaaaaaaa!
> "The researchers infiltrated the network by registering one of the
> domains on the list and using it to seize control of the infected
> machines that reported to it."
Err, isn't this actually exactly the same as what the Beeb did, except that the Beeb paid the botnet herders for the machines, whilst this "research team from the UCSB" just pwned them themselves? Is that less illegal in the US than it would be here?
Re-use of Passwords... Whatever next!?
Of course people re-use their passwords!
I have loggons to so many minor websites that I can't remember a different password for each one (this comment included).
Who has a different password for each of the (low guess) 30+ websites that
a) you signed up to so see what the fuss was about (Faceless, twiddle, ect)
b) you had to sign up to just to leave a comment
c) you don't care who logs on as you as long as they pay for the pizza / shopping (they always ask for your card details)
Let alone the "Security" sites of Banks, investments, ISA's, before we even get to your workstation password that changes regularly and the various work related passwords (I have to enter five different passwords and use a Card and Pin to make a bank payment at work)
Hey, I could do it if I wrote it all down on a piece of paper (High chance of loosing it), wrote it in Excel and backed it up? (then I am in the same place) entered it into my Blackberry with yet another password protecting that (again high chance of loosing it)
What we need is a unique identifier, something that is difficult to forge, that people can't just copy easily, like a signiture.. Oh is that why I have a chip and signiture Credit Card?
Paris, as I feel real thick right now.
Re-use of passwords for the "real thick"
Either use a piece of software on your mobile phone, or, if you're capable of it, your brain, to modify a base password with some credentials from the name of the site you want to log into.
So a password "wallet" type program (I'm thinking similar to KDE's KWallet, Windows / LInux issues aside), would that be protected from this type of attack?
After all, you aren't typing in the passwords yourself and I can't see what use the passwords for a locally-held file would be to botnet barons.
@Scott Broukell and @Apocalypse Later
I know some BIOS have it (my older desktop does), I just got new ACER laptop and it does not have any MRB read-only option (I went through it like 5x).
I think this should be combination of hardware/software. Even whole kernel should be read-only or at least MD5 hashed. I don't think pure BIOS option is a solution (as we can see from this attach).
When can we finally get OS on the chip?
passwords for the "real thick" II
I had a user who had trouble remembering what day of the week it was, let alone a reasonably strong password. We compromised by a system in which half her password - the complex bit with random caps and numbers -was on a post-it note on her computer. The other half - name of a childhood teacher, pet or whatever, was stored in her tiny mind.
It was a very secure password, because unless the user was at the comp she didn't know the full password herself, and none of the other users of the office had the cracking ability, or the inclination, to try finding the missing half.
Wanna buy a cheap HD from the tat bazaar? How do you know it is not infected? How about that returned drive heavily discounted at the local computer store/front? Or the used PC "with XP Pro already installed"?!
Why don't the paranoid tote around Ironkeys or similar devices to help with the hundreds of passphrases we all seem to need? (well, OK, some of us do).
How about running a brouter with Ethereal to sniff the traffic and see who and what your PC is talking to? Wot? Too hard to dust off that worthless PC in the closet and pop in a couple of NICs and Linux?
Of course the botnets will flourish as long as net is infested with buffoons and ignoranti, at least that protects most people with even a hint of any sense. For now anyway.
Passwords for the "real thick" III
Multiple passwords are easy if you adopt a "convention" for creating them. For websites, as an example, you can just use the first six letters of the domain interlaced with ascending numbers: e.g. t0h1e2r3e4g5 for The Register. This way, you have an easily remembered password that's both unique to each site and a complete bastard to crack in every case. Alternatively, you can use the domain name with vowels replaced with numbers, 1337-speak style, like this: th3r3g1st3r. I myself adopted a similar type of convention that I use everywhere I go.
For mobile phones, Blackberries, PDAs and such items, you can do a similar thing using the device's brand name: e.g. n0o1k2i3a4 or n0k1a.
However you do it, the important thing is to adopt a specific convention and stick with it (and don't reveal what convention you actually use to anyone, just as you wouldn't reveal a password!). That way, you only have to remember the convention, not the password.
Of course, this doesn't defend you against keyloggers any better than using "password" as your password everywhere, but having a different password for every website prevents any particular site's operators/hackers from getting an idea of what you sign in to other websites with.
I can highly recommend KeePass for password management. I have recently started with it and as long as you have a secure enough master password you need never remember any other passwords again. I maybe preaching to the converted but this allows you to store your passwords in a secure file and to access the file you need the master password.
This has a couple of added benefits. One, you can create a different secure password for every website you visit without having to remember it. Two, you can avoid keyloggers by copying and pasting your password from KeePass to the password field.
I have encountered a few downsides. One is forgetting your master password. Two, saving your master password anywhere but your brain. That master password becomes super critical. Three, having to take KeePass with you when out and about on different machines. Four, if you are at a different machine that doesn't allow a portable USB device to be attached (for portable KeePass) you are a bit screwed.
Now, how do you get Joe Bloggs out on the street interested in this?