Nature and Details of the Case Study
This study reports the efforts by eight researchers (Stone-Gross Brett, Cavallaro Lorenzo,
Gilbert Bob, Szydlowski Martin, Kemmerer Richard, Kruegel Christopher, and Vigna Giovanni)
to capture and control the Torpig (Anserin or Sinowal) botnet and examine its operations for ten
days. A botnet is a network of malware-infected machines, often operated by cybercriminals with
the intention of stealing sensitive information, including financial details such as bank account
information or security credentials. Torpig is a particularly insidious and complex malware program (bot)
designed to retrieve sensitive data (credit card and bank account details) from victims (Stone-
Gross et al., 1).
During the ten days, the researchers (principal actors) collected and observed data from
over 180,000 infected victims’ machines while recording over 70 GB of information the Torpig
botnet had gathered. The victims, in this case, are individuals whose computers were
unknowingly infected by the Torpig malware. According to the IEEE, the Torpig trojan mainly
reaches its victims via drive-by-download attacks. In these attacks, webpages on genuine
and legitimate but vulnerable websites are modified to include HTML tags that prompt the
victims’ browsers to request JavaScript code from a website controlled by the attackers
(3). The JavaScript code launches several exploits against the victim’s browser and some of its
components, including plugins and ActiveX controls. If an exploit succeeds, an executable is
downloaded from the attackers’ servers to the victim’s computer (the drive-by download) and executed.
This executable installs Mebroot, which injects a DLL into the file manager, service control
manager, and other applications, including
browsers (Opera, Firefox, and Microsoft Internet Explorer), email clients (Eudora, Outlook, and
Thunderbird), FTP clients, instant messengers (ICQ and Skype), and other system programs.
Torpig also collects sensitive information from victims through phishing attacks.
In analyzing the botnet’s footprint, the researchers began by counting the distinct values of the nid field that
the malware sends in its submission header. This allowed them to identify each Torpig bot
uniquely and accurately. Besides the nid, the researchers also used the ver, bid, cn, and os fields to identify
infected machines correctly. In their data analysis, the researchers identified that over 410
financial institutions (online trading platforms, banks, and investment firms) and 8,310 accounts
were targeted by the Torpig malware in the US (60 institutions and 4,287 accounts), Italy (34 and
1,459), Denmark (122 and 641), Spain (18 and 228), Poland (14 and 102), and others (162 and
1,593). The five most targeted institutions were Chase Bank (217), E-Trade (304), Capital One
(314), Poste Italiane (765), and PayPal (1,770) (Stone-Gross et al., 1).
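As an added example (not code from the study or from this essay), the following Python sketch shows how a sinkhole operator can count bots by the nid field, together with the corroborating ver, bid, cn and os fields, rather than by source IP address, which overcounts machines whose address changes between check-ins. The ampersand-separated header layout and the sample records are constructed assumptions; only the field names come from the case study.

```python
"""Count Torpig-style bot submissions from constructed sinkhole records.

Added example, not code from Stone-Gross et al. The header layout
(ampersand-separated key=value pairs) and the sample records are
constructed for illustration; only the field names nid, ver, bid, cn
and os come from the case study.
"""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample: bot A1B2C3 checks in from three different IP
# addresses (DHCP churn), while two Italian bots share one NAT address.
SAMPLE_HEADERS = [
    "ts=1232900000&ip=198.51.100.10&os=5.1.2600&cn=US&nid=A1B2C3&bid=gnh5&ver=229",
    "ts=1232900300&ip=198.51.100.11&os=5.1.2600&cn=US&nid=A1B2C3&bid=gnh5&ver=229",
    "ts=1232900600&ip=203.0.113.5&os=6.0.6001&cn=IT&nid=D4E5F6&bid=gnh5&ver=229",
    "ts=1232900900&ip=203.0.113.5&os=5.1.2600&cn=IT&nid=778899&bid=gnh5&ver=229",
    "ts=1232901200&ip=198.51.100.12&os=5.1.2600&cn=US&nid=A1B2C3&bid=gnh5&ver=229",
]


def parse_header(raw):
    """Parse one submission header into a dict of single string values."""
    fields = parse_qs(raw, strict_parsing=True)
    return {key: values[0] for key, values in fields.items()}


def bot_key(rec):
    """Identity of one infected machine: nid plus the corroborating fields."""
    return (rec["nid"], rec["ver"], rec["bid"], rec["cn"], rec["os"])


def footprint(raw_headers):
    """Compare the naive IP-based count with the nid-based bot count."""
    records = [parse_header(h) for h in raw_headers]
    bots = {bot_key(r) for r in records}
    return {
        "submissions": len(records),
        "unique_ips": len({r["ip"] for r in records}),  # overcounts: 4
        "unique_bots": len(bots),                        # true count: 3
        "by_country": dict(Counter(key[3] for key in bots)),
    }


if __name__ == "__main__":
    print(footprint(SAMPLE_HEADERS))
```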
A significant proportion (28%) of the sensitive victim financial information stolen by the
botnet was retrieved from browser password managers rather than by intercepting login sessions.
This distinction was possible because Torpig uses a different data format to upload hijacked
credentials from each source. By geolocating IP addresses, the researchers established that the
largest share of card theft victims were in the US (49%), followed by Italy (12%) and
Spain (8%). The most commonly stolen card types were Discover (24), Maestro (36), American
Express (81), Master Card (447), and Visa (1,056).
Ethical Principles: Supporting and Contradicting the Actions of the Principal Actors
When collecting their data, the researchers (principal actors) were cautious with the
information gathered and the commands issued to infected hosts. They operated their C&C
servers according to established ethical and legal principles. They specifically protected their
victims (research participants) on the basis of two established principles: (1) the sinkhole botnet must
be operated to minimize any potential targeted attacks or damage/harm to the victims, and (2) the
sinkhole botnet must gather adequate data to allow remediation and notification of affected
parties. In compliance with the first principle, the researchers replied with an ‘okn’ message whenever a
bot contacted their server and never sent new configuration files containing a different HTML injection
server IP address. For the second principle, the researchers collaborated with internet service providers
(ISPs) and security agencies, including the FBI and US Department of Defense cybercrime units,
to assist with this effort. These actions protected the sensitive information of victims (Dittrich et
al., 1).
The only shortcomings in applying the two principles were the failure of the
researchers to delete data from the servers regularly (this led to the delisting of the Torpig domain
owned by the criminals due to security concerns), their failure to store the data
offline in encrypted form, and, finally, their failure to work with the security departments of the
financial institutions (victims).
Justification for the Actions of the Principal Actors
I agree with the two decisions (operating the sinkhole botnet to minimize any potential
target attacks or damage/harm to the victims and gathering adequate data to allow for
remediation and notification of law enforcement agencies and ISPs) by the researchers because
of the need to protect participants/victims from potential harm, as exposing their credentials
might increase their vulnerability to cybercriminals operating the Torpig botnet, and the need to
improve security and vigilance. For instance, responding with an ‘okn’ message when contacted
by the bot ensured that the bots only maintained contact with the researchers’ servers instead of
the servers of the financial institutions and other potential victims. Working with ISPs and law
enforcement agencies like the DoD and the FBI cybercrime units ensured adequate surveillance
and security measures were in place to protect victims.
Source List