{
	"id": "bfa78f22-f0ed-4d2e-a35f-f3699e97d39d",
	"created_at": "2026-04-06T00:06:06.920679Z",
	"updated_at": "2026-04-10T03:21:40.22918Z",
	"deleted_at": null,
	"sha1_hash": "9f7dd30b96a87434fad7050aa0de6da5fa98da13",
	"title": "Torpig",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71545,
	"plain_text": "Torpig\r\nBy Contributors to Wikimedia projects\r\nPublished: 2007-05-09 · Archived: 2026-04-05 17:37:32 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nTorpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the\r\nMebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data\r\nsuch as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a\r\nnetwork of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology\r\nand scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full\r\naccess to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.\r\nBy November 2008, it was estimated that Torpig had stolen the details of about 500,000 online bank accounts and\r\ncredit and debit cards and was described as \"one of the most advanced pieces of crimeware ever created\".[1]\r\nTorpig reportedly began development in 2005, evolving from that point to more effectively evade detection by the\r\nhost system and antivirus software.[2]\r\nIn early 2009, a team of security researchers from University of California, Santa Barbara took control of the\r\nbotnet for ten days. During that time, they extracted an unprecedented amount (over 70 GB) of stolen data and\r\nredirected 1.2 million IPs on to their private command and control server. The report[3] goes into great detail about\r\nhow the botnet operates. During the UCSB research team's ten-day takeover of the botnet, Torpig was able to\r\nretrieve login information for 8,310 accounts at 410 different institutions, and 1,660 unique credit and debit card\r\nnumbers from victims in the U.S. 
(49%), Italy (12%), Spain (8%), and 40 other countries, including cards from\r\nVisa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).[4]\r\nInitially, a great deal of Torpig's spread was attributable to phishing emails that tricked users into installing the\r\nmalicious software. More sophisticated delivery methods developed since that time use malicious banner ads\r\nwhich take advantage of exploits found in outdated versions of Java, Adobe Acrobat Reader, Flash Player, or\r\nShockwave Player. A type of drive-by download, this method typically does not require the user to click on the\r\nad, and the download may commence without any visible indications after the malicious ad recognizes the old\r\nsoftware version and redirects the browser to the Torpig download site. To complete its installation into the\r\ninfected computer's Master Boot Record (MBR), the trojan will restart the computer.[2]\r\nDuring the main stage of the infection, the malware will upload information from the computer twenty minutes at\r\na time, including financial data like credit card numbers and credentials for banking accounts, as well as e-mail\r\naccounts, Windows passwords, FTP credentials, and POP/SMTP accounts.[4]\r\nMebroot\r\nDrive-by download\r\nPhishing\r\nMan-in-the-browser\r\nConficker, a worm that also uses domain name generation (or domain flux)\r\nTimeline of computer viruses and worms\r\n1. BBC News: Trojan virus steals bank info\r\n2. Carnegie Mellon University. \"Torpig\". Archived from the original on 19 May 2015.\r\nRetrieved 25 July 2015.\r\n3. UCSB Torpig report\r\n4. Naraine, Ryan (4 May 2009). \"Botnet hijack: Inside the Torpig malware operation\".\r\nZDNet. Archived from the original on 1 August 2015. 
Retrieved 1 August 2015.\r\nTaking over the Torpig botnet, IEEE Security \u0026 Privacy, Jan/Feb 2011\r\nUCSB Analysis\r\nOne Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts by RSA\r\nFraudAction Research Lab, October 2008\r\nDon't be a victim of Sinowal, the super-Trojan by Woody Leonhard, WindowsSecrets.com, November\r\n2008\r\nAntivirus tools try to remove Sinowal/Mebroot by Woody Leonhard, WindowsSecrets.com, November\r\n2008\r\nTorpig Botnet Hijacked and Dissected covered on Slashdot, May 2009\r\nHow to Steal a Botnet and What Can Happen When You Do by Richard A. Kemmerer, GoogleTechTalks,\r\nSeptember 2009\r\nSource: https://en.wikipedia.org/wiki/Torpig",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Torpig"
	],
	"report_names": [
		"Torpig"
	],
	"threat_actors": [],
	"ts_created_at": 1775433966,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f7dd30b96a87434fad7050aa0de6da5fa98da13.pdf",
		"text": "https://archive.orkl.eu/9f7dd30b96a87434fad7050aa0de6da5fa98da13.txt",
		"img": "https://archive.orkl.eu/9f7dd30b96a87434fad7050aa0de6da5fa98da13.jpg"
	}
}