
I am responsible for the oversight of the LAN at a college campus. Recently we started getting blacklisted by CBL because someone on our LAN is infected with Torpig (AKA Anserin). The suggestion from CBL includes monitoring connections to an IP address range. However, we don't see this traffic going out. It looks like this only happens to us once in a while (it has been a month since the last incident). Is there a way for me to scan machines to detect the presence of Torpig? I can't seem to find any tools that do this reliably. I would even be willing to scan for specific files, registry entries, etc.

Here is the CBL message we get:

This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 91.20.214.121, with contents unique to Torpig C&C command protocols.

Torpig is a banking trojan, specializing in stealing personal information (passwords, account information, etc) from interactions with banking sites.

Torpig is normally dropped by Mebroot. Mebroot is a Rootkit that installs itself into the MBR (Master Boot Record).

With Mebroot or any other rootkit that installs itself into the MBR, you will either have to use an "MBR cleaner" or reformat the drive completely - even if you manage to remove Torpig, the MBR infection will cause it to be reinfected again.

The best way to find the machine responsible is to look for connections to the Torpig C&C server. This detection was made through a connection to 91.20.214.121, but this changes periodically. To find these infections, we suggest you search for TCP/IP connections to the range 91.19.0.0/16 and 91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination port 80 or 443, but you should look for all ports. This detection corresponds to a connection at 2011-07-21 12:42:02 (GMT - this timestamp is believed accurate to within one second).

IAmTimCorey
  • Which part of those instructions that you've quoted isn't clear to you? If you're not already auditing traffic destined for those specified subnets on those specified ports, start doing it. – Olipro Jul 21 '11 at 17:54
  • @Olipro - the part that isn't clear is that "we don't see this traffic going out"! We are monitoring that traffic but we don't see it. We would like to actually be a bit more proactive and find the offending machine(s) instead of waiting for them to broadcast again, especially since we have gone a month between detections. – IAmTimCorey Jul 21 '11 at 17:57
  • ...where on your network and how are you looking for the traffic? – Bart Silverstrim Jul 21 '11 at 17:58
  • @Bart - I'm not sure what you mean by "where on your network". We aren't sure where on the network the issue is. We are looking for the traffic on our edge firewall, which controls all of our incoming and outbound traffic. – IAmTimCorey Jul 21 '11 at 18:25
  • That's what I meant...were you looking at the edge router, a firewall, etc...if you're looking at the edge router and searching for the traffic at that point, you should be able to filter traffic or set up an alert at that choke point. It's possible you're not seeing it because it's not there. What port(s) does Torpig use, do you know? – Bart Silverstrim Jul 21 '11 at 19:00
  • @Bart - That is part of the problem - it uses different ports and different IP addresses to communicate with. The ones listed above are the known ones but they change. That is why I am looking to proactively find the infected machines instead of waiting to listen for them to broadcast, since I am not positive I'll catch them broadcasting (there doesn't seem to be any set signature that doesn't change). – IAmTimCorey Jul 21 '11 at 21:31
  • @anonymous - not sure what the downvote was for. Do you mind sharing? I don't see any solutions yet for proactively identifying computers affected with torpig, so I don't think it can be for asking a bad question. – IAmTimCorey Jul 21 '11 at 21:47
  • @BiggsTRC: drive-by downvoting doesn't always make sense and often never gets an explanation. I do wish more people who downvote would clarify why. – Bart Silverstrim Jul 22 '11 at 11:13
  • As for the Torpig finding, do you have information on what it does? Is it exclusively hitting specific outgoing IP's that you could block, or does it broadcast data? We found some malware simply because it was hitting our proxy with a virtual ton of addresses that were very unusual traffic patterns. Using something like SNORT or other IDS inside your network might catch anomalous traffic. Also, do you have SNMP monitoring on your routers to monitor for unusual traffic patterns? – Bart Silverstrim Jul 22 '11 at 11:13
  • @Bart - the last paragraph (as vague as it is) is the best explanation I can find of how to identify it and so far it isn't working for us. It's like the offending machine is off or not on our network anymore. That is why I'm looking for a more direct way to identify the infected machine (through some sort of scan, not by analyzing the traffic). – IAmTimCorey Jul 22 '11 at 14:15

1 Answer


Most malware discovery advice is focused on getting users to run security checks on their computers...you don't mention your exact circumstances, but it sounds like you're running a school network of some kind? Which of course adds a wonderful layer of head-slapping to address the issue as it will cause all sorts of added frustration.

So the first approach to try is education of users. Posters, announcements, etc. Of course most users will probably ignore this, but it can raise awareness. Seeing as Torpig apparently disables AV software, make users aware of the effects of this malware (stealing bank information) and give links to online scanners and sponsor handing out burned discs of bootable malware detection software, or sponsor campus virus-checking events with IT to go to dorms and scan or bring laptops to a location for free malware checking. With appropriate waivers for responsibility of the effects of wiping malware off, of course.

Next I'd investigate the routers. Decent routers should have the ability to report network traffic via SNMP, and you can check them for unusual traffic patterns. You should be able to tell when there are unusual spikes in traffic or check for anomalies, and some software may be able to alert you to unusual activity. Some bosses may see this as a waste of time, checking over reports and status of equipment that seems to be working fine. In my opinion it is never a waste to be familiar with how things run; sometimes you know your car is going to have issues because something doesn't "feel right" or "sound quite right," the same goes with your network.

Do you proxy your traffic? What are you using for proxy? We had a FreeBSD Squid box for a while that caught a malware infection on a user's computer because I noticed something odd in the ARP tables originating from that user's workstation; his malware was broadcasting all sorts of IPs trying to hit other targets within our own network and it was showing up in my status checks on the proxy server health.

Torpig apparently uses HTTP commands to connect to control points. The proxy may help in that as well, if it's logging activity. If you can find some of the IPs that Torpig connects to, you may be able to grep your logs for connections from XYZ machine to lock it down really quickly. Proxies that filter should also be able to automatically block the traffic from reaching the C&C servers as well.

Reading an analysis of the bot may help give you some ideas. See http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf for a study on the malware's behavior.

Another thing to try; email other universities that have this issue and ask them what they're doing to detect the traffic. See an example of someone advertising that they're analyzing student traffic and see if you can contact their IT people; they'll most likely be willing to share hints. http://cnc.ucr.edu/security/announcements/2010_03_04_mebroot.html

Honeypots...I wouldn't be against putting these in your network just because it sounds like you have students and computers you can't control. Stick a few honeypots on the network, see what hits they get. I don't know if Torpig will be detected with it, but you'll probably find it useful to have for other malware; stick SNORT or other IDS on it and check up on it frequently (and have it email you alerts).

The last thing you might consider, but this is entirely dependent on your situation, is running something like SAINT or Nessus on your network to check machines for vulnerabilities. This could be a big drain on your network resources, however, and some people probably won't appreciate their machines being scanned and you may have issues if this isn't spelled out in policy. Also it depends on the size of your network.

There are tools that can keep you apprised of what's on your network such as spice network's tool and LanSweeper.

Other than that, all I can think of off the top of my head is to run a full audit of all servers that you DO have some control over on the network, run the vulnerability framework tools against them to audit for possible security issues, and tighten your border routers to restrict all outgoing ports that aren't necessary for users to have outgoing traffic from, so you can restrict activity from malware on unusual ports. At a minimum you might want a machine or appliance that monitors for unusual activity from odd ports and have it send alerts to you to follow up on, and contact other IT departments in other schools similar to yours to see how they address this issue.

Bart Silverstrim
  • According to that paper @Bart linked, it seems Torpig opens an HTTP and SOCKS proxy on the local system. Try running a widespread nmap scan where you think it's most likely? Of course, that'll take time, but if you split it up and run it on many machines simultaneously.... SOCKS and HTTP proxies aren't too common. – Michael Lowman Jul 22 '11 at 17:24
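Both the CBL notice in the question (watch for any connection into 91.19.0.0/16 or 91.20.0.0/16, on any port) and the answer's suggestion to grep proxy or firewall logs for the C&C addresses come down to the same check. The script below is an added example, not from the original posts or from CBL: it matches a firewall-style connection log against those two ranges with proper CIDR membership (a plain string prefix such as "91.19" would also false-positive on 91.198.x.x) and groups hits by internal source host so the offending machine can be located. The log format and all addresses other than 91.20.214.121 are constructed.

```python
import ipaddress
import re

# Ranges named in the CBL notice; extend this list when the notice changes.
TORPIG_RANGES = [ipaddress.ip_network("91.19.0.0/16"),
                 ipaddress.ip_network("91.20.0.0/16")]

# Constructed sample log, format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_LOG = """\
2011-07-21T12:41:58Z 10.20.5.17:51234 -> 91.20.214.121:443 TCP
2011-07-21T12:41:59Z 10.20.5.17:51235 -> 74.125.65.99:80 TCP
2011-07-21T12:42:02Z 10.20.5.17:51240 -> 91.20.214.121:80 TCP
2011-07-21T12:42:05Z 10.20.7.3:40001 -> 91.19.3.44:8080 TCP
2011-07-21T12:42:09Z 10.20.9.8:33000 -> 91.21.0.5:80 TCP
2011-07-21T12:42:10Z 10.20.7.3:40002 -> 91.198.174.192:443 TCP
this line is in another format and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")


def in_watched_ranges(ip):
    """True if ip falls inside any watched CIDR (real subnet math, not a prefix test)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TORPIG_RANGES)


def find_suspects(log_text):
    """Map internal source IP -> list of (timestamp, dst_ip, dst_port) hits, any port."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole sweep
        ts, src, _sport, dst, dport, _proto = m.groups()
        if in_watched_ranges(dst):
            hits.setdefault(src, []).append((ts, dst, int(dport)))
    return hits


def rank_suspects(hits):
    """Internal hosts ordered by number of C&C-range contacts, busiest first."""
    return sorted(hits, key=lambda src: len(hits[src]), reverse=True)


if __name__ == "__main__":
    found = find_suspects(SAMPLE_LOG)
    for src in rank_suspects(found):
        print(src, found[src])
```

Pointed at real exports (edge firewall connection logs or Squid access logs), only LINE_RE needs adjusting; the range check and per-host grouping stay the same.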