<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SpywareRemove Blog &#187; Hackers</title>
	<atom:link href="http://www.spywareremove.com/security/news/hackers/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.spywareremove.com/security</link>
	<description>Just another WordPress weblog</description>
	<lastBuildDate>Fri, 20 Nov 2009 16:05:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Cybercrooks Nabbed After Comcast Hack</title>
		<link>http://www.spywareremove.com/security/cybercrooks-nabbed-after-comcast-hack/</link>
		<comments>http://www.spywareremove.com/security/cybercrooks-nabbed-after-comcast-hack/#comments</comments>
		<pubDate>Fri, 20 Nov 2009 16:05:11 +0000</pubDate>
		<dc:creator>ghostrider01</dc:creator>
				<category><![CDATA[Hackers]]></category>

		<guid isPermaLink="false">http://www.spywareremove.com/security/?p=365</guid>
		<description><![CDATA[ <h3 class="posttitle">Three hackers are facing a five-year jail sentence for maliciously redirecting the Comcast.net website to a corrupt page.</h3>

When Comcast customers tried to access the Comcast.net site in May 2008, they were redirected to an unknown web page which displayed a message identifying the hackers as the Kryogeniks gang. At that time about five million people connected to the site each day, according to the United States Department of Justice. ]]></description>
			<content:encoded><![CDATA[<h3 class="posttitle">Three hackers are facing a five-year jail sentence for maliciously redirecting the Comcast.net website to a corrupt page.</h3>
<p>When Comcast customers tried to access the Comcast.net site in May 2008, they were redirected to an unknown web page which displayed a message identifying the hackers as the Kryogeniks gang. At that time about five million people connected to the site each day, according to the United States Department of Justice.</p>
<p>Instead of the normal Comcast.net home page, customers were greeted with the following message:</p>
<blockquote><p>&#8220;KRYOGENIKS Defiant and EBB RoXed COMCAST sHouTz to VIRUS Warlock elul21 coll1er seven&#8221;.</p></blockquote>
<p>Immediately after Comcast was able to address the hack, the registrar came back to say that they did not know how the hackers managed to get the passwords necessary to switch the DNS servers and redirect the site.</p>
<p>The indictment has shed some light on how this hack was accomplished. It has been revealed that one of the defendants, Christopher Allen Lewis, made two phone calls to get the information that he and his friends used to access Comcast&#8217;s DNS information.</p>
<p>The filing claims that one of the defendants, Michael Paul Nebel, allegedly logged onto a specific Comcast email account that allowed him to communicate with Comcast&#8217;s DNS registrar. Lewis was then able to sign onto Comcast&#8217;s account at the registrar and point the Comcast.net site to the page he and the others created.</p>
<p>According to the indictment, during the attack Lewis called a Comcast employee at his home and asked if the company&#8217;s domains were working properly.</p>
<p>Comcast claims it lost US$128,578 due to the attacks.</p>
<p>James Robert Black Jr. is the third defendant named in the indictment. The men are charged with one count each of conspiracy to intentionally damage a protected computer system. The charges have been filed in the US District Court for the Eastern District of Pennsylvania.</p>
<p>If convicted, they will each face a five-year prison sentence and a $250,000 fine. It is time that hackers face the music. Hopefully the harsh punishment in this case will be a wake-up call to other hackers out there.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.spywareremove.com/security/cybercrooks-nabbed-after-comcast-hack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>70GB Worth of Personal and Financial Data Uncovered In Torpig Botnet Hijack</title>
		<link>http://www.spywareremove.com/security/70gb-worth-of-personal-and-financial-data-uncovered-in-torpig-botnet-hijack/</link>
		<comments>http://www.spywareremove.com/security/70gb-worth-of-personal-and-financial-data-uncovered-in-torpig-botnet-hijack/#comments</comments>
		<pubDate>Tue, 05 May 2009 17:41:51 +0000</pubDate>
		<dc:creator>ghostrider01</dc:creator>
				<category><![CDATA[Hackers]]></category>

		<guid isPermaLink="false">http://www.spywareremove.com/security/70gb-worth-of-personal-and-financial-data-uncovered-in-torpig-botnet-hijack/</guid>
		<description><![CDATA[ <h3 class="posttitle">A recent botnet hijack revealed that a hacker group made off with millions of data items.</h3>

10 days&#8217; worth of information, containing 10,000 bank accounts and credit card numbers worth hundreds of thousands of dollars, was discovered by security researchers at the University of California, Santa Barbara. The discovery came about when the researchers broke into the Torpig botnet, associated with <a href="http://www.spywareremove.com/removeTrojanMebroot.html" title="Trojan.Mebroot Removal Guide">Mebroot</a> or Sinowal.

The Torpig or Sinowal botnet is one of the more sophisticated networks because it uses malicious software to infect computers in an effort to harvest information such as banking accounts, credit card numbers and email passwords. The researchers from the University were able to monitor more than 180,000 infected or hacked computers by exploiting a weakness within the hackers&#8217; network that controlled the group of infected computers. ]]></description>
			<content:encoded><![CDATA[<h3 class="posttitle">A recent botnet hijack revealed that a hacker group made off with millions of data items.</h3>
<p>10 days&#8217; worth of information, containing 10,000 bank accounts and credit card numbers worth hundreds of thousands of dollars, was discovered by security researchers at the University of California, Santa Barbara. The discovery came about when the researchers broke into the Torpig botnet, associated with <a href="http://www.spywareremove.com/removeTrojanMebroot.html" title="Trojan.Mebroot Removal Guide">Mebroot</a> or Sinowal.</p>
<p>The Torpig or Sinowal botnet is one of the more sophisticated networks because it uses malicious software to infect computers in an effort to harvest information such as banking accounts, credit card numbers and email passwords. The researchers from the University were able to monitor more than 180,000 infected or hacked computers by exploiting a weakness within the hackers&#8217; network that controlled the group of infected computers.</p>
<h3 class="posttitle">What is Torpig/Sinowal and Mebroot?</h3>
<p>Torpig/Sinowal is known to be a botnet that is capable of stealing usernames and passwords from several widely used email clients such as Outlook, Thunderbird and Eudora. In addition to collecting email credentials, Torpig is able to gather passwords from web browsers and infect PCs through malicious websites via a drive-by download attack method. Torpig/Sinowal is actually installed onto a user&#8217;s system after it is first infected with Mebroot, an older rootkit that first appeared in December 2007. Mebroot is a Trojan known to infect a computer&#8217;s Master Boot Record (MBR). The MBR is the first code or data that a system looks for during the boot process to load the operating system. Mebroot also has the capability to download other malicious files or code onto a compromised system.</p>
<p>Hackers, who controlled the botnet or group of compromised computers, were able to gather data for a total of 10 days. After the 10th day they updated the command-and-control instructions. In the allotted amount of time, just 10 days, the hackers were able to gather about 70GB worth of data from the compromised computers. The information consisted of email passwords, Windows passwords, FTP credentials, financial data and credit card numbers. </p>
<p>Figure 1 below shows that the Torpig botnet gained millions of data items.</p>
<p><img src="/images/torpig_data.png" alt="Torpig/Sinowal Botnet Number of Data Items Stolen" /><br />
<em>Figure 1 [image source: blogs.zdnet.com]</em></p>
<h3 class="posttitle">How is a Botnet like Torpig/Sinowal disrupted?</h3>
<p>Security researchers are able to figure out the different algorithms of botnets such as Torpig. They are able to predict which domains the malware will connect to and pre-register them to interrupt the botnet&#8217;s impending actions. This process is similar to that used by the ad-hoc group that attempted to put an end to the <a href="http://www.spywareremove.com/security/conficker-downadup-kido-worm-infects-millions-of-computers/" title="Conficker, Downadup, and Kido Worm Infects Millions of Computers Worldwide">Conficker worm</a> infection. Conficker generated up to 50,000 domain names a day, similar to the Torpig/Sinowal Botnet.</p>
<p>After this discovery, it was estimated that Torpig&#8217;s criminal network profited between $83,000 and an astonishing $8.3 million in just a 10-day time frame.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.spywareremove.com/security/70gb-worth-of-personal-and-financial-data-uncovered-in-torpig-botnet-hijack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
