SecureWorks Provides Free Security Tool to Incident Responders to Battle Info-Stealing Trojan, Torpig

Atlanta, October 5, 2008. SecureWorks®, one of the leading Security as a Service (SaaS) providers, announces the availability of Untorpig, a free tool designed to help incident responders when dealing with infections from Torpig, one of the most widely used Trojans designed to steal financial data.

Torpig is an advanced Trojan also known as Anserin, Sinowal, or Xorpig. It has been integrated with a sophisticated rootkit called Mebroot, making it nearly impossible to detect.

The Torpig Trojan can be used to perform post-authentication, man-in-the-middle (MitM) content manipulation attacks. Basically, this allows the Trojan to change anything transmitted between a web browser and a web server in any HTTP session, even those encrypted by TLS/SSL. This capability is often used in difficult-to-detect phishing attacks. Torpig also steals passwords, logs keystrokes, tracks web browsing, and sniffs key personal information such as usernames, passwords, credit card numbers, social security numbers, and other sensitive data entered into secure web sites. Torpig encrypts the stolen data before sending it out to the attacker.

Torpig infections, especially those protected by the Mebroot rootkit, can be nearly impossible to detect with traditional anti-virus technology. However, they are easily identified by network IDS and IPS systems. Once identified, bootable rescue discs using anti-virus and anti-rootkit products can be used to disinfect PCs. In order to develop an efficient incident response to a Torpig infection, it is also important to be able to decrypt the data so that one can tell what information was stolen or exposed.

SecureWorks' Research Team, the Counter Threat Unit℠, obtained samples of the Torpig Trojan and reverse engineered the encryption algorithm. The result of this applied malware research is a tool called Untorpig. Untorpig can read logs of Trojan activity and reverse the encryption, allowing incident response personnel to see what sensitive information the Trojan actually delivered to the attacker's server.

Although the encryption and decryption algorithms have since been published, decrypting the data has been primarily a manual process, with the work limited to one host and one encryption key at a time. Untorpig is designed to assist incident responders in automating this process.

Features of Untorpig

The key features and benefits include:

1. Automated key recovery. Torpig changes encryption keys and hides that information in various ways. Untorpig will attempt to locate and test for valid encryption keys from various sources in the log data and change keys as necessary to decrypt all of the stolen data.

2. Flexible input formats. Untorpig can automatically handle Torpig HTTP traffic logs in various formats. These include plain text logs from web proxies/filters, or packet captures (pcaps) from IDS/IPS devices or collected with network sniffing tools such as Wireshark. The log files can contain HTTP requests only or complete session information, including request-response pairs. The tool comes with a sample input file illustrating an acceptable format.

3. Combined log handling. Untorpig can decrypt data in aggregate logs. For example, if logs from twenty infected workstations are all stored in one file on a web proxy, Untorpig can decrypt data from all twenty infected hosts in a single pass.

"The Torpig Trojan is notorious for stealing financial data and is behind some of the most successful hacking schemes ever launched. Torpig is extremely sophisticated, down to encrypting the data it steals," said Don Jackson, Director of Threat Intelligence for SecureWorks. "With Untorpig, incident responders will have an automated process for quickly decrypting the data it has stolen, thus allowing security professionals to implement protective measures in an expedient manner. It is critical, once a Torpig infection is detected, that you ascertain the information compromised and if needed change usernames, passwords, close out accounts, implement fraud alerts, etc.," continued Jackson. "Hopefully, this tool will go a long way to combating the damage that can be caused by Torpig infections."

Untorpig is free software released under the GPL version 3 license. It is available as a download from the Security Tools page under the Research section of the SecureWorks web site: http://www.secureworks.com/research/tools/untorpig/

About SecureWorks

With over 2,000 clients, SecureWorks is one of the market's leading Security as a Service providers. Organizations are protected from external and internal cyber-threats through SecureWorks' On-Demand Security Information and Event Management (SIEM) platform, the SecureWorks Counter Threat Unit℠ and three fully synchronous Security Operations Centers (SOCs) staffed with SANS GIAC certified analysts working 24x7 to safeguard client systems. SecureWorks has won SC Magazine's "Best Managed Security Service" award for 2006, 2007 & 2008, Best Intrusion Prevention 2006 and has been named to the Inc 500 and Deloitte lists of fastest-growing companies. www.secureworks.com.

####