Torpig

from Wikipedia

Torpig, also known as Anserin or Sinowal, is a botnet built from Microsoft Windows systems compromised by the Mebroot rootkit, which is delivered by a variety of trojan horses, for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. Infected machines are recruited as zombies for the botnet. Torpig circumvents antivirus software through rootkit techniques and scans the infected system for credentials, accounts and passwords, and can give attackers full access to the computer. It is also reportedly capable of modifying data on the computer and can perform man-in-the-browser attacks.

By November 2008, it was estimated that Torpig had stolen the details of about 500,000 online bank accounts and credit and debit cards and was described as "one of the most advanced pieces of crimeware ever created".[1]

History

Torpig reportedly began development in 2005, evolving from that point to more effectively evade detection by the host system and antivirus software.[2]

In early 2009, a team of security researchers from the University of California, Santa Barbara took control of the botnet for ten days. During that time, they extracted an unprecedented amount of stolen data (over 70 GB) and observed 1.2 million IP addresses connecting to their own command and control server. The report[3] describes in detail how the botnet operates. During the ten-day takeover, the researchers recovered login information for 8,310 accounts at 410 different institutions, and 1,660 unique credit and debit card numbers from victims in the U.S. (49%), Italy (12%), Spain (8%), and 40 other countries, including cards from Visa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).[4]

Operation

Initially, a great deal of Torpig's spread was attributable to phishing emails that tricked users into installing the malicious software. More sophisticated delivery methods developed since then use malicious banner ads that exploit outdated versions of Java, Adobe Acrobat Reader, Flash Player or Shockwave Player. This is a form of drive-by download: the user typically does not need to click the ad, and the download can begin without any visible indication once the malicious ad detects the old software version and redirects the browser to the Torpig download site. To complete its installation into the infected computer's Master Boot Record (MBR), the trojan restarts the computer.[2]

During the main stage of the infection, the malware uploads information from the computer every twenty minutes, including financial data such as credit card numbers and online banking credentials, as well as e-mail accounts, Windows passwords, FTP credentials, and POP/SMTP accounts.[4]

from Grokipedia
Torpig, also known as Sinowal or Anserin, is a sophisticated botnet designed to harvest sensitive information from infected computers, including banking credentials, credit card details, email accounts, and FTP login data, making it one of the most advanced pieces of crimeware developed in the late 2000s. It operates by infecting systems through the Mebroot rootkit, which overwrites the Master Boot Record (MBR) to achieve persistence and evade detection, while the Torpig module injects dynamic-link libraries (DLLs) into running applications such as web browsers (e.g., Internet Explorer and Firefox), email clients (e.g., Outlook), and FTP software to intercept and steal user data in real time. The botnet employs a domain generation algorithm (DGA) for command-and-control (C&C) communications, deriving a small set of candidate domains from the system date so that the rendezvous points change over time and resist takedown efforts, supplemented by hardcoded backup domains like rikora.com. Torpig spreads primarily via drive-by download attacks on compromised legitimate websites, exploiting browser and plugin vulnerabilities through injected code that downloads and installs Mebroot, which then deploys Torpig without user interaction. Once active, it facilitates man-in-the-browser attacks, particularly targeting financial websites by modifying web forms and capturing keystrokes, enabling cybercriminals to siphon funds directly from victims' accounts. A notable event in Torpig's history occurred in early 2009, when security researchers from the University of California, Santa Barbara hijacked the botnet's C&C infrastructure for 10 days (January 25 to February 4), redirecting bots to their own servers and collecting over 70 GB of stolen data from 182,800 unique infections across 1.2 million IP addresses, including 8,310 financial accounts and 1,660 credit and debit card numbers, highlighting the botnet's massive scale and the potential for profits estimated between $83,000 and $8.3 million on underground markets. The takeover ended when the operators updated Torpig's DGA on February 4, 2009, restoring their control and underscoring the challenges in dismantling such resilient networks.

Overview

Description

Torpig, also known as Sinowal or Anserin, is a modular, kernel-mode rootkit-based banking trojan and botnet primarily designed to target Windows systems for the theft of financial data and credentials. It operates through the Mebroot rootkit, which establishes persistence by infecting the Master Boot Record (MBR) and loading malicious modules into the operating system kernel. These modules, typically in the form of dynamic-link libraries (DLLs), are injected into targeted applications such as web browsers, email clients, and FTP programs to intercept and exfiltrate sensitive information. The primary function of Torpig involves credential theft via man-in-the-browser (MitB) attacks, where it modifies web pages in real time to capture banking details, credit card numbers, and credentials without alerting the user. Infected machines form part of a botnet that communicates with command-and-control (C&C) servers using a domain generation algorithm (DGA) to evade detection and receive updates or new payloads. This architecture enables the botnet to harvest vast amounts of data, including form submissions and email addresses, which are then uploaded to the attackers' infrastructure. Torpig's modular design supports the addition of plugins for extended functionality, such as enhanced keyloggers or specialized form grabbers tailored to specific financial institutions. First detected in February 2006 by security researchers, it represented an advanced evolution in banking trojans at the time, with ongoing variants developed to counter antivirus defenses.

Key Features

Torpig distinguishes itself through sophisticated stealth mechanisms that enable it to persist undetected on compromised systems. The bootkit, delivered via the Mebroot rootkit, overwrites the Master Boot Record (MBR) of the hard drive, positioning its code to execute before the operating system boots. This pre-OS loading allows Torpig to hook into kernel-level functions and evade most antivirus scanners, which typically operate within the OS environment and fail to inspect or remediate MBR modifications. A core element of Torpig's resilience lies in its use of a domain generation algorithm (DGA) for command-and-control (C&C) communications, designed to withstand takedown attempts such as domain sinkholing. The DGA derives a weekly and a daily candidate domain from the current date; infected machines query these domains in a fixed order until one resolves to a live C&C server. Because the sequence depends only on the date, the operators can register the next domains shortly before bots need them, and individual domains that are seized or blocked are simply rotated out. The same predictability is also the algorithm's weakness: anyone who reverse engineers it can compute the upcoming domains and register them first, which is exactly how the 2009 takeover worked. Torpig's modular design further enhances its adaptability and effectiveness as a botnet platform. The Mebroot rootkit serves as a foundational loader that dynamically injects Torpig modules, typically DLLs, into targeted applications such as web browsers, email clients, and FTP software. These modules enable specialized functions, including the theft of banking credentials, credit card details, and browser-stored data, as well as the distribution of spam or additional payloads, allowing operators to update capabilities remotely without reinstalling the core malware.
While primarily targeting Windows systems through browser and plugin exploits, Torpig reached 182,800 unique infections across 1,247,642 IP addresses worldwide at its observed peak in 2009, highlighting its capacity for large-scale, persistent infections across diverse network environments.

History

Origins and Early Spread

Torpig, also known as Sinowal, was first observed in the wild in 2005 as a modular trojan designed primarily for information theft. Its development is attributed to unknown cybercriminals, with strong indications of Russian origins due to associations with underground networks such as the Russian Business Network. Early versions of the malware built upon existing techniques, later incorporating the Mebroot bootkit for enhanced stealth, allowing it to persist at the boot level and evade detection. Initial dissemination occurred through drive-by downloads from compromised websites and trojanized applications, often targeting European users via malicious redirects on legitimate sites. Phishing campaigns also played a role in early infections, luring victims with emails containing links to infected downloads disguised as software updates or financial alerts. These methods enabled gradual spread, focusing on European users before expanding to North American targets. The malware was first publicly analyzed in February 2006 by RSA's FraudAction Research Lab, which identified it as a sophisticated banking trojan capable of capturing credentials during web sessions. Antivirus firms, including F-Secure, soon followed with detections and reports, classifying variants like Sinowal.cp as password-stealing threats active since late 2006. From inception through 2008, Torpig's botnet remained relatively contained, primarily aimed at stealing data from financial institutions in the US and Europe.

Peak Activity and Scale

By late 2008, the Torpig botnet had reached a significant scale, with estimates indicating it controlled approximately 1.2 million unique IP addresses worldwide, reflecting the extent of active infections across compromised systems. This growth was accompanied by the theft of credentials for approximately 300,000 online bank accounts, along with a comparable number of credit and debit card details, totaling over 500,000 stolen financial credentials, marking Torpig as one of the most prolific data-harvesting operations of the time. The botnet's expansion during this period was driven primarily by drive-by downloads from compromised legitimate websites, which exploited vulnerabilities in widely used software such as the Java Runtime Environment, Adobe Flash Player, and Adobe Acrobat Reader, allowing silent infections without user interaction. Torpig's reach extended to 43 countries, with particularly heavy concentrations of infections and data theft in the United States, Italy, and Germany, where dynamic IP allocation practices influenced the observed bot density: German hosts showed a higher ratio of IP addresses per machine than U.S. hosts, which is why raw IP counts overstate the number of infected machines. The malware targeted credentials for 410 distinct financial institutions, including major entities such as PayPal, Poste Italiane, and Chase, underscoring its focus on high-value economic targets across international banking networks. During monitoring in early 2009, researchers observed over 1.2 million unique IP addresses in just ten days, with a median of around 49,000 concurrent bots, illustrating the botnet's operational intensity; activity was sustained through 2010. The economic ramifications of Torpig's peak operations were substantial, with fraud losses estimated in the millions of dollars stemming from the exfiltration of financial data, including 1,660 unique credit and debit card numbers from issuers such as Visa and MasterCard.
These figures, derived from captured stolen data, highlighted the botnet's role in enabling widespread financial fraud, though exact totals were difficult to quantify because of the underground nature of the exploitation. While activity peaked in 2009, the botnet began to decline in the early 2010s, with limited re-emergences observed around 2012. Overall, Torpig's scale during this era demonstrated the evolving threat of persistent, stealthy botnets to global financial infrastructure.

Technical Operation

Infection Mechanisms

Torpig primarily infects victim systems through drive-by download attacks, in which attackers compromise legitimate websites and modify them to exploit vulnerabilities in visitors' browsers or plugins, automatically downloading the malware without user interaction. These exploits often target unpatched software, such as vulnerabilities in the Java Runtime Environment. Once triggered, the downloaded executable serves as an installer for the Mebroot rootkit, the core component that delivers Torpig. Phishing emails represent another key vector: attackers send deceptive messages containing malicious links or attachments that direct users to compromised sites or prompt direct downloads of the trojan. These emails often masquerade as urgent notifications from banks or trusted entities, exploiting social engineering to increase click-through rates and initiate the infection chain leading to Mebroot deployment. Torpig is also propagated through a variety of trojan horses bundled with seemingly legitimate software, including cracked games and pirated applications distributed on underground forums or file-sharing networks. Users seeking free or unauthorized copies of popular software inadvertently install the bundled Mebroot loader, which integrates the rootkit into the system. Following the initial download, the Mebroot component establishes boot-time infection by overwriting the Master Boot Record (MBR), the sector that executes first during system startup. This modification allows Mebroot to load before the operating system, injecting Torpig modules into running processes and ensuring persistence across reboots while evading detection by standard antivirus scans.

Rootkit and Persistence

Torpig relies on the Mebroot rootkit, a kernel-mode driver that establishes deep persistence on infected Windows systems by hooking system calls and intercepting disk operations. Once installed, Mebroot loads early in the boot process, giving the malware privileged access with which to hide its presence and activities. The rootkit uses Interrupt Descriptor Table (IDT) and inline hooking to intercept calls such as INT 13h during the boot sequence, allowing it to patch the OS loader and modify the kernel image (ntoskrnl.exe) near the IoInitSystem function. This enables Mebroot to filter and alter responses to system queries, concealing Torpig's files, processes, registry entries, and network traffic from detection tools. A core persistence technique is infection of the Master Boot Record (MBR): the installer overwrites the MBR of the first 16 drives with malicious code, storing the payload in unused sectors (e.g., sectors 60-62) and in the slack space after the last partition, marked by a unique signature (DWORD 0xAD022C83). Upon reboot, the modified MBR executes before the Windows kernel loads, granting Mebroot raw disk access through a wrapped kernel driver that emulates disk.sys. To maintain stealth, Mebroot hooks the I/O Request Packet (IRP) handlers of disk.sys for read and write operations, returning falsified data, such as a clean MBR, to scanning utilities while preserving the infection. Later variants extend this by hooking the disk driver's entire MajorFunction table and deploying a watchdog thread that restores any hooks a defender removes, ensuring long-term survival even against kernel-level inspection. Mebroot also incorporates anti-analysis features to neutralize security software, including disabling antivirus programs and Windows Defender by interfering with their event hooks and monitoring APIs, for example by restoring or overriding SetWinEventHook to prevent real-time scanning.
In user mode, the rootkit injects DLLs into over 30 processes, including browsers and email clients as well as system processes such as explorer.exe and services.exe, using Asynchronous Procedure Calls (APCs) to enable stealthy operations such as API hooking for keystroke logging without alerting the host application. These injections are polymorphic and include anti-emulation tricks, such as interspersed NOP instructions in the boot code, to evade debuggers and virtual environments. For adaptability, Torpig bots periodically download encrypted modules from command-and-control servers: Mebroot queries for updates every two hours over a custom HTTP protocol protected by a SHA-1-based encryption scheme, while the Torpig component checks in approximately every 20 minutes to receive new components or acknowledgments. These modules, stored encrypted in the system32 directory with randomized extensions, can be reloaded dynamically without ever being written to disk in plaintext, minimizing the forensic footprint and enabling rapid evasion of emerging defenses.
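The practical consequence of the IRP hooking described above is that an MBR check has to run from outside the infected OS (a boot CD, a write-blocked image, a hypervisor-level read): anything that reads the MBR through the live disk driver sees the falsified clean copy. The following is an added example, not code from the page or from any Mebroot analysis, of the offline check a responder would run over a raw disk image: validate the MBR, hash its boot-code area against a known-good value, and sweep the unused sectors before the first partition for the marker DWORD the text mentions. The image is constructed in memory for the example; the boot-code bytes, the partition layout and the placement of the marker at the start of sectors 60-62 are assumptions for illustration.

```python
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
MARKER = 0xAD022C83                  # DWORD signature cited in the text; its placement below is assumed
MARKER_LE = struct.pack("<I", MARKER)


def build_image(infected: bool, sectors: int = 64, first_partition_lba: int = 63) -> bytes:
    """Construct a tiny raw disk image (not a real capture): MBR, unused gap, one partition at LBA 63."""
    img = bytearray(sectors * SECTOR)
    img[0:2] = b"\xEB\x3C"                  # jmp short, a typical boot-code opening
    img[2:440] = b"\x90" * 438              # NOPs stand in for real boot code
    # one partition entry: bootable, type 0x07, start LBA first_partition_lba, length 1 sector
    img[446:462] = struct.pack("<BBHBBHII", 0x80, 0, 0x0001, 0x07, 0xFE, 0xFFFF, first_partition_lba, 1)
    img[510:512] = b"\x55\xAA"
    if infected:
        # bootkit-style patch: the code entry now jumps into a loader (constructed bytes, not Mebroot's)
        img[0:6] = b"\xEA\x00\x7C\x00\x00\xFA"
        for s in range(60, 63):             # payload tucked into unused sectors 60-62, tagged with the marker
            off = s * SECTOR
            img[off:off + 4] = MARKER_LE
            img[off + 4:off + SECTOR] = b"\xCC" * (SECTOR - 4)
    return bytes(img)


def scan_mbr_image(img: bytes, known_good_boot_code_sha256: Optional[str] = None) -> Dict[str, object]:
    """Offline bootkit check: validate the MBR, hash its code area, sweep the pre-partition gap for the marker."""
    mbr = img[:SECTOR]
    boot_code_hash = hashlib.sha256(mbr[:440]).hexdigest()
    # lowest start LBA among non-empty partition entries bounds the 'unused' gap after the MBR
    lbas = [struct.unpack_from("<I", mbr, 446 + 16 * i + 8)[0]
            for i in range(4) if mbr[446 + 16 * i + 4] != 0]
    first_lba = min(lbas) if lbas else 1
    marker_sectors: List[int] = []
    for s in range(1, first_lba):
        if MARKER_LE in img[s * SECTOR:(s + 1) * SECTOR]:
            marker_sectors.append(s)
    return {
        "valid_signature": mbr[510:512] == b"\x55\xAA",
        "boot_code_sha256": boot_code_hash,
        "boot_code_modified": (None if known_good_boot_code_sha256 is None
                               else boot_code_hash != known_good_boot_code_sha256),
        "marker_sectors": marker_sectors,
    }


if __name__ == "__main__":
    baseline = scan_mbr_image(build_image(False))["boot_code_sha256"]
    print(scan_mbr_image(build_image(True), baseline))
```

The known-good hash should come from a clean reference MBR for the same OS and bootloader; the marker sweep is a secondary signal, since a variant can change the tag, while an unexpected jump in the first bytes of boot code is the more durable indicator.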

Botnet Architecture

Command and Control

Torpig employs a centralized command-and-control (C2) architecture based on HTTP communications between infected bots and operator-controlled servers. Every 20 minutes, each bot sends an HTTP request to a designated C2 server to upload stolen credentials and other harvested data, while also polling for updates. This regular heartbeat lets operators maintain oversight and issue directives efficiently across the botnet. To disseminate commands, the C2 server answers bot queries with either a simple acknowledgment ("okn") or a configuration file ("okc") encoded with base64 and XOR obfuscation. These configuration files specify operational parameters, such as adjusted reporting intervals, lists of backup C2 servers, and instructions for tasks such as phishing campaigns, including target domains and injection scripts for man-in-the-browser attacks. Operators can further direct bots to download modular payloads, such as spam engines or additional stealers, from domains controlled by the botnet herders, enabling dynamic adaptation without recompiling the malware. For resilience against takedowns, Torpig uses a domain flux mechanism rather than traditional fast-flux DNS, generating a list of potential rendezvous domains with a domain generation algorithm based on the current date. Bots query these domains in sequence (in the research report's notation, the weekly domain dw with .com and other TLDs) until reaching an active C2 server; if all fail, the bot falls back to a small set of hardcoded domains embedded in its binary or prior configurations. This approach spreads the points of failure across multiple domains, complicating disruption efforts by researchers or authorities. The system has no peer-to-peer propagation of commands; coordination relies entirely on direct bot-to-server interactions.

Domain Generation Algorithm

Torpig employs a deterministic domain generation algorithm (DGA) to produce command-and-control (C&C) domains, allowing infected hosts to locate operator-controlled servers while evading takedown efforts. The algorithm is seeded with the current date and a fixed numerical parameter (p=8), ensuring that every bot generates an identical sequence of domains for any given date without relying on hardcoded values. This synchronization enables reliable C&C communication across the botnet, as all machines attempt connections to the same potential rendezvous points in the same order. The process begins by computing a weekly base domain from the current year and week number (YYYY-WW), which remains constant throughout the week and is tried with three top-level domains (.com, .net, .biz). If these fail, the bot generates a daily variant by applying a pseudo-random hashing function to the date components (month, day, year), incorporating a hashing routine and predefined suffix arrays (such as "anj" or "ebf") to derive the domain name. This produces a unique daily domain, again tried with the same three TLDs, before the bot falls back to a small set of hardcoded domains. The deterministic hashing guarantees consistency across bots, while the date-based seeding shifts the generated list periodically to thwart proactive blocking. The design prioritizes evasion by requiring operators to register only a subset of the generated domains opportunistically, since bots iterate through the full list; defenders must anticipate and block all of them to disrupt communication. That is difficult without the algorithm, but trivial with it, which is why the 2009 takeover succeeded: the researchers reverse engineered the DGA and registered the upcoming domains before the operators did. For instance, inputs such as the 2009-12 week yield base domains built from hashed year-week values, producing outputs such as "chaymxanj.com", which operators could then register for C&C hosting.
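To make the takeover mechanics concrete, here is an added example (not Torpig's real algorithm, and not code from the page or the research report) of a DGA with the structure just described: a weekly label seeded by ISO year and week, a daily label seeded by year, month and day, each tried with .com, .net and .biz, then hardcoded fallbacks. The mixing function, label length, fallback names and the suffix table are assumptions chosen for illustration. The defender-side function enumerates every generated domain over a window of dates, which is the list a sinkhole operator must register ahead of the botnet operators.

```python
import datetime as dt
from typing import List, Union

# Illustrative tables (assumptions): suffixes echo those the text mentions; nothing here is Torpig's real data.
SUFFIXES = ["anj", "ebf", "arm", "pra", "aym", "unj", "ulj", "uag", "esp", "kot", "onv", "edc"]
TLDS = [".com", ".net", ".biz"]
HARDCODED_FALLBACK = ["fallback-a.example", "fallback-b.example"]  # stand-ins for the embedded backup domains
LABEL_LEN = 7
MIX_ROUNDS = 8

DateLike = Union[dt.date, str]


def _to_date(day: DateLike) -> dt.date:
    """Accept a date or an ISO string such as '2009-01-25'."""
    return day if isinstance(day, dt.date) else dt.date.fromisoformat(day)


def _mix(x: int) -> int:
    """Deterministic 32-bit mixing step (LCG plus xorshift); any fixed function will do for a DGA."""
    x &= 0xFFFFFFFF
    for _ in range(MIX_ROUNDS):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        x ^= x >> 13
    return x


def _label(seed: int) -> str:
    """Expand a numeric seed into a lowercase label followed by one of the fixed suffixes."""
    x = _mix(seed)
    chars = []
    for _ in range(LABEL_LEN):
        chars.append(chr(ord("a") + x % 26))
        x = _mix(x)
    return "".join(chars) + SUFFIXES[x % len(SUFFIXES)]


def weekly_domain(day: DateLike) -> str:
    """Label that stays constant for an ISO week (seeded by year and week number)."""
    year, week, _ = _to_date(day).isocalendar()
    return _label(year * 100 + week)


def daily_domain(day: DateLike) -> str:
    """Label that changes every day (seeded by year, month and day)."""
    d = _to_date(day)
    return _label(d.year * 10000 + d.month * 100 + d.day)


def candidate_domains(day: DateLike) -> List[str]:
    """Ordered list a bot tries: weekly x 3 TLDs, then daily x 3 TLDs, then the hardcoded fallbacks."""
    ordered = [weekly_domain(day) + t for t in TLDS]
    ordered += [daily_domain(day) + t for t in TLDS]
    return ordered + list(HARDCODED_FALLBACK)


def sinkhole_registration_list(start: DateLike, days: int) -> List[str]:
    """Defender view: every generated (non-fallback) domain in the window, i.e. what to register or block."""
    first = _to_date(start)
    names = set()
    for i in range(days):
        names.update(candidate_domains(first + dt.timedelta(days=i))[:-len(HARDCODED_FALLBACK)])
    return sorted(names)


if __name__ == "__main__":
    for d in ("2009-01-25", "2009-01-26"):
        print(d, candidate_domains(d))
    print(len(sinkhole_registration_list("2009-01-25", 11)), "domains to pre-register for the takeover window")
```

Two properties matter for the takeover: the output depends only on the date, so whoever has the algorithm can compute the list in advance, and the weekly domain is attempted before the daily one, so registering the weekly names alone would capture most check-ins. The hardcoded fallbacks are the one thing a sinkhole cannot pre-empt, which is why the operators regained control once they pushed a new DGA through that channel.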

Data Theft and Exploitation

Targeted Data Types

Torpig primarily targets financial credentials through its form-grabbing capabilities, intercepting data entered into web forms, including usernames, passwords, and transaction details for institutions such as PayPal and various banks. It captures credit and debit card numbers by monitoring HTTP and HTTPS traffic from inside the browser, focusing on high-value banking and payment portals to enable fraudulent transactions. In addition to financial data, Torpig steals personal identifiers such as email passwords, FTP login credentials, and browser-stored passwords, which facilitate identity theft and unauthorized access to victim accounts. The malware also extracts credentials for other protocols, including POP3 (email retrieval), SMTP (email sending), and HTTP authentication, collecting these from the infected machine's email clients and browsers. This selective targeting prioritized credentials with immediate monetary value, such as those for online banking, over general system files.

Exfiltration Methods

Torpig bots buffer stolen data locally on the infected system in files hidden by the rootkit's stealth mechanisms, retaining it until a connection to the command-and-control (C2) server succeeds. This temporary storage ensures that collected information, such as credentials and form data, is not lost during periods of network unavailability, and queued data is uploaded at subsequent check-ins. The primary transmission occurs through obfuscated HTTP POST requests sent every 20 minutes to C2 servers hosted on domains generated by Torpig's domain generation algorithm (DGA). The request URL incorporates a unique hexadecimal bot identifier for tracking, while the body contains the buffered data along with metadata such as timestamps and bot details in a submission header. To protect the transfer, Torpig employs a simple scheme: the header and body are XOR-encrypted with an 8-byte key derived from the bot's identifier, then base64-encoded so the traffic resembles benign HTTP and passes basic network filters. If the DGA-generated domains are unreachable, Torpig falls back to predefined daily domains (the report's dd notation) and, ultimately, to hardcoded domains embedded in its configuration file, retrying at the regular 20-minute interval until the queued data is uploaded. This resilient design minimizes data loss by persisting the buffered information locally until transmission succeeds, without relying on peer-to-peer sharing among bots.
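The scheme described here and in the Command and Control section is obfuscation rather than encryption: the key is derived from the bot identifier, and the identifier travels in the URL of the same request, so anyone who sees the traffic (a sinkhole operator included) can decode every upload. The following is an added example, not code from the page or the research report, that reconstructs the described structure on both sides of the exchange: the bot's POST path and XOR+base64 payload, the sinkhole's decoder, and the "okn"/"okc" response handling. The key derivation (the 8 bytes of the hex bot id), the JSON header encoding and the sample submission are assumptions; the real Torpig wire format is not reproduced.

```python
import base64
import json
import re
from typing import Optional, Tuple

CHECKIN_INTERVAL_S = 20 * 60  # the 20-minute cadence the text describes


def derive_key(bot_id: str) -> bytes:
    """Assumed derivation: the 8-byte XOR key is the 16-hex-digit bot identifier itself."""
    key = bytes.fromhex(bot_id)
    if len(key) != 8:
        raise ValueError("bot identifier must be 8 bytes (16 hex digits)")
    return key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; identical for encode and decode."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_submission(bot_id: str, header: dict, body: bytes) -> Tuple[str, bytes]:
    """Bot side: POST path carrying the bot id, plus header and body each XORed then base64-encoded."""
    key = derive_key(bot_id)
    header_blob = json.dumps(header, sort_keys=True).encode()  # assumed header encoding
    payload = b"%s\n%s" % (base64.b64encode(xor_bytes(header_blob, key)),
                           base64.b64encode(xor_bytes(body, key)))
    return "/" + bot_id + "/", payload


def decode_submission(path: str, payload: bytes) -> Tuple[dict, bytes]:
    """Sinkhole/analyst side: recover the bot id from the URL, then undo base64 and XOR."""
    m = re.fullmatch(r"/([0-9a-fA-F]{16})/", path)
    if not m:
        raise ValueError("path does not carry a bot identifier")
    key = derive_key(m.group(1))
    hdr_b64, body_b64 = payload.split(b"\n", 1)
    header = json.loads(xor_bytes(base64.b64decode(hdr_b64), key).decode())
    return header, xor_bytes(base64.b64decode(body_b64), key)


def build_response(key: bytes, config: Optional[dict]) -> bytes:
    """Server side: 'okn' means nothing new; 'okc' carries an obfuscated configuration."""
    if config is None:
        return b"okn"
    blob = json.dumps(config, sort_keys=True).encode()
    return b"okc" + base64.b64encode(xor_bytes(blob, key))


def parse_response(key: bytes, resp: bytes) -> Tuple[str, Optional[dict]]:
    """Bot side: interpret the server's reply to a check-in."""
    if resp == b"okn":
        return "okn", None
    if resp.startswith(b"okc"):
        return "okc", json.loads(xor_bytes(base64.b64decode(resp[3:]), key).decode())
    raise ValueError("unknown response")


# Constructed sample: one bot reporting a single captured form submission (fictional data)
SAMPLE_BOT_ID = "0123456789abcdef"
SAMPLE_HEADER = {"ts": 1232928000, "ver": 1, "build": "sample"}
SAMPLE_BODY = b"url=https://bank.example/login&user=victim&pass=hunter2"

if __name__ == "__main__":
    path, payload = encode_submission(SAMPLE_BOT_ID, SAMPLE_HEADER, SAMPLE_BODY)
    print(path, payload)
    print(decode_submission(path, payload))
    key = derive_key(SAMPLE_BOT_ID)
    print(parse_response(key, build_response(key, {"interval": CHECKIN_INTERVAL_S, "backup": ["b1.example"]})))
```

For detection, the useful signals are structural rather than cryptographic: a fixed 20-minute POST cadence to freshly registered domains, a hex identifier in the URL path, and a body that is base64 text whose decoded bytes have high entropy but decode cleanly once XORed with that identifier.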

Research and Disruption

2009 Hijacking Experiment

In early 2009, researchers from the University of California, Santa Barbara (UCSB), led by Brett Stone-Gross and colleagues including Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna, conducted a takeover experiment on Torpig. By reverse engineering the botnet's domain generation algorithm (DGA), they predicted and registered the command-and-control (C&C) domains that Torpig bots would attempt to contact, pre-empting the operators, who typically registered them shortly before they came into use. This allowed the researchers to redirect infected machines to a server under their control, effectively hijacking the C&C infrastructure without altering the bots themselves. The takeover lasted 10 days, from January 25 to February 4, 2009, during which approximately 182,000 unique Torpig bots, the botnet's footprint, were redirected to the sinkhole. Over this period, the researchers collected nearly 70 GB of data that the bots had gathered from victims, including 11,966,532 form data items and 297,962 unique credentials. Among the most sensitive findings were credentials for 8,310 unique accounts across 410 financial institutions, such as 1,770 PayPal accounts and 765 Poste Italiane accounts, as well as 1,660 unique credit or debit card numbers. These insights revealed the scale of Torpig's data theft operations and the geographic distribution of infections, with a significant portion originating from the United States and Italy. Ethically, the experiment was designed to avoid harm to victims: the researchers did not issue commands to bots or access victim systems beyond capturing data that was already being exfiltrated. They shared the collected credentials with affected financial institutions to enable account securing and remediation, and provided infrastructure details to law enforcement agencies to disrupt the operators.
However, the unilateral hijacking sparked broader debates in the cybersecurity community about the legitimacy of botnet-takeover research tactics, including the risk of unintended consequences and the need for standardized ethical guidelines in botnet studies.

Later Monitoring and Decline

Following the 2009 hijacking experiment, Torpig variants continued to circulate, demonstrating resilience through mutations that evaded some detection mechanisms. In early 2010, Fortinet's threat landscape analysis reported the botnet's re-emergence, accounting for 30% of new activity detected during a 30-day period, concentrated in a small number of countries. By 2013, security vendors identified Torpig as one of the most persistently active banking trojans, leveraging its advanced capabilities to maintain infections despite ongoing security efforts. Security researchers and antivirus vendors monitored Torpig's evolution, focusing on its adaptations to countermeasures. Firms such as Symantec, which classified the malware under names including Anserin, documented variants and infection patterns in security advisories, enabling signature updates to detect mutated payloads. No large-scale takedowns occurred after 2009, though researchers explored further sinkholing techniques similar to the initial takeover, such as exploiting domain generation weaknesses, to redirect and observe bot traffic without fully dismantling the infrastructure. Torpig's prominence waned in the mid-2010s because of several interconnected improvements in endpoint defenses. The rollout of Secure Boot with Windows 8 (2012) and later versions blocked unauthorized bootloaders and rootkits, directly countering Mebroot's persistence mechanism by verifying boot integrity during startup. Software vendors also patched the critical vulnerabilities, including those in Java and Adobe products, used for drive-by downloads, reducing infection vectors. Concurrently, cybercriminals shifted focus to mobile platforms, where the Android and iOS ecosystems offered new opportunities for distribution, diminishing investment in legacy PC botnets like Torpig.
As of 2023, USTelecom's analysis indicated that Torpig Mebroot accounted for 56% of botnet detections amid a 25% overall rise in activity, likely reflecting lingering infections rather than widespread new campaigns. By 2024-2025, Europol's major disruption operations, such as Operation Endgame, targeted emerging dropper and loader malware but made no mention of active Torpig infrastructure, signaling its effective marginalization in the contemporary threat landscape; the same period saw a decline in traditional botnets, including the disappearance of Torpig Mebroot from detection statistics, likely due to improved mitigation and possible takedowns.

Impact and Legacy

Stolen Data Statistics

By late 2008, Torpig was estimated to have compromised credentials for approximately 500,000 online bank accounts and credit and debit cards, marking it as one of the most prolific data-stealing operations of the time. In the 2009 research-led hijacking of the botnet's infrastructure, investigators monitored activity for 10 days and collected 70 GB of stolen data from 182,800 unique infected machines. This haul included 8,310 unique credentials for 410 different financial institutions and 1,660 unique credit and debit card numbers, with victims distributed across 43 countries. The stolen data encompassed a broad range of sensitive information, with form submissions, often containing financial details, totaling over 11.9 million items, alongside 1.26 million email addresses, 1.24 million Windows passwords, 411,000 HTTP credentials, 415,000 POP accounts, and smaller volumes of FTP and SMTP logins. Notably, roughly 38% of the credentials were harvested from browsers' saved-password stores rather than captured from live sessions, so a victim did not have to log in during the infection to be exposed.
Data type            Number of items
Form data            11,966,532
Email addresses      1,258,862
Windows passwords    1,235,122
POP accounts         415,206
HTTP accounts        411,039
SMTP accounts        100,472
Mailbox accounts     54,090
FTP accounts         12,307
Victims were predominantly from the United States, which accounted for 49% of the compromised credit cards; other significant shares came from Italy (12%) and Spain (8%). Affected financial institutions included U.S.-based entities such as PayPal (1,770 accounts), Capital One (314 accounts), E*Trade (304 accounts), and Chase (217 accounts), as well as international ones such as Italy's Poste Italiane (765 accounts).

Broader Implications

The Torpig botnet's operations enabled substantial financial fraud: analysis of the stolen data revealed credentials for 8,310 accounts at 410 financial institutions and 1,660 credit or debit card numbers collected in just 10 days, valued on underground markets at between $83,000 and $8.3 million depending on prevailing prices for accounts ($10-$1,000 each) and cards ($0.10-$25 each). Extrapolating this rate across the botnet's multi-year activity suggested potential losses in the tens of millions, driving financial institutions to bolster defenses against credential theft. Torpig's rootkit, which infected the Master Boot Record to evade traditional antivirus scans, exposed the lack of integrity protection in the early boot process of the operating systems of the time. The 2009 academic hijacking of Torpig sparked significant legal and ethical debate about researcher interventions in botnet operations, particularly regarding potential liability under the Computer Fraud and Abuse Act (CFAA) for unauthorized access to infected systems or redirected traffic, even when intended to aid victims and law enforcement. Private researchers, unlike government agencies, faced heightened risk of prosecution for actions such as sinkholing domains without explicit authorization, prompting calls for clearer guidelines and institutional oversight to balance innovation with legal compliance. As a pioneering example of a rootkit-based botnet focused on financial fraud, Torpig demonstrated the risks of pre-OS infections and shaped strategies for disrupting similar networks, whose takedowns in 2010 relied on comparable DGA exploitation and sinkholing techniques to redirect bot traffic and notify victims. Its legacy endures in cybersecurity research, emphasizing the need for collaborative efforts between academia, industry, and authorities to address evolving botnet resilience and user privacy concerns.
