How UCSB Researchers Hijacked A BotNet

A group of researchers reverse engineered bot software and discovered a weakness that let them hijack the botnet.

ITPro Today

May 5, 2009


University of California Santa Barbara researchers reverse engineered the bot software used by Torpig and discovered a weakness that let them hijack the botnet.

The fundamental weakness was in the way the bot tried to elude shutdown. A routine in the bot software would automatically generate new domain names over time, and the bots would use those domains to communicate with command and control (C&C) servers. So every so often the bot software would stop using its current C&C domains and point itself at new ones.

But the people running the botnet did not preregister all of those domain names, which meant anybody could register them. Whoever controls the domains then gains direct command and control over every bot that has updated itself to point at them.
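The mechanism described above, as an added toy model that is not code from the article or from the researchers: a date-seeded domain generator stands in for the bot's routine, a dictionary stands in for the registrar, and a sinkhole collects check-ins from bots whose daily domains the defenders registered first. The seed, hashing scheme and TLD list are invented for illustration and are not Torpig's actual algorithm.

```python
# Toy model of a time-based domain generation algorithm (DGA), the pre-registration
# weakness the article describes, and a sinkhole that receives the bots' check-ins.
# Constructed example: the seed, hashing scheme and TLD list are invented and are
# not Torpig's real algorithm.
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TLDS = ("com", "net", "biz")        # constructed TLD rotation
SEED = b"constructed-seed"          # stands in for the constant recovered by reverse engineering


def generate_domains(day: date, count: int = 3) -> List[str]:
    """Derive the C&C domains a bot will use on `day`.

    Every bot that shares SEED computes the same list, and so does anyone who
    recovers SEED from the bot binary. That symmetry is the weakness.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        # Map the first 10 hex digits onto letters a..p to form a label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def register(registry: Dict[str, str], domain: str, owner: str) -> bool:
    """Model a registrar: first come, first served. Returns False if already taken."""
    if domain in registry:
        return False
    registry[domain] = owner
    return True


def unregistered_future_domains(registry: Dict[str, str], start: date, days: int) -> List[str]:
    """List upcoming C&C domains that nobody has registered yet.

    These are the names the operators should have pre-registered; whoever
    registers them first receives the bots' check-ins on those days.
    """
    pending = []
    for offset in range(days):
        for d in generate_domains(start + timedelta(days=offset)):
            if d not in registry:
                pending.append(d)
    return pending


class Sinkhole:
    """Records check-ins from bots that reached a domain the defenders control."""

    def __init__(self) -> None:
        self.checkins: List[Tuple[str, str]] = []   # (bot_id, domain)

    def checkin(self, bot_id: str, domain: str) -> None:
        self.checkins.append((bot_id, domain))

    def bot_count(self) -> int:
        """Distinct bot identifiers seen, the kind of figure the article reports."""
        return len({bot_id for bot_id, _ in self.checkins})


def bot_rendezvous(bot_id: str, day: date, registry: Dict[str, str],
                   sinkhole: Sinkhole) -> Optional[str]:
    """Simulate one bot walking its daily list and talking to the first domain that resolves."""
    for d in generate_domains(day):
        owner = registry.get(d)
        if owner is None:
            continue                     # unregistered name: NXDOMAIN, try the next one
        if owner == "sinkhole":
            sinkhole.checkin(bot_id, d)
        return owner
    return None


def simulate(day: date) -> Tuple[int, Optional[str]]:
    """Scenario from the article: operators register nothing, defenders register a week ahead."""
    registry: Dict[str, str] = {}
    sinkhole = Sinkhole()
    for d in unregistered_future_domains(registry, day, days=7):
        register(registry, d, "sinkhole")
    for bot in ("bot-a", "bot-b", "bot-c", "bot-a"):   # bot-a checks in twice
        bot_rendezvous(bot, day, registry, sinkhole)
    return sinkhole.bot_count(), registry.get(generate_domains(day)[0])


if __name__ == "__main__":
    count, owner = simulate(date(2009, 1, 25))
    print(f"first domain of the day is owned by {owner}; distinct bots sinkholed: {count}")
```

The model also shows the defensive fix implied by the article: had the operators registered the names first (the `register` call with a different owner), the sinkhole would see nothing, which is why monitoring for unregistered DGA domains and registering them early works for defenders only while that gap exists.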

As a result of their research, the team was able to gather data over a considerable period of time and discover what types of information were being stolen from infected systems. As you might suspect, the data included a lot of passwords and all sorts of information that users had entered into various HTML forms.

Overall, the team estimated that, as best they could tell, approximately 182,800 bots communicated with their C&C server.

If you're interested in the complete rundown, read their whitepaper, available in PDF format.
