Detecting Torpig on a LAN

email, local-area-network, malware

I am responsible for the oversight of the LAN at a college campus. Recently we started getting blacklisted by CBL because someone on our LAN is infected with Torpig (AKA Anserin). The suggestion from CBL includes monitoring connections to an IP address range. However, we don't see this traffic going out. It looks like this only happens to us once in a while (it has been a month since the last incident). Is there a way for me to scan machines to detect the presence of Torpig? I can't seem to find any tools that do this reliably. I would even be willing to scan for specific files, registry entries, etc.

Here is the CBL message we get:

This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 91.20.214.121, with contents unique to Torpig C&C command protocols.

Torpig is a banking trojan, specializing in stealing personal information (passwords, account information, etc) from interactions with banking sites.

Torpig is normally dropped by Mebroot. Mebroot is a Rootkit that installs itself into the MBR (Master Boot Record).

With Mebroot or any other rootkit that installs itself into the MBR, you will either have to use an "MBR cleaner" or reformat the drive completely – even if you manage to remove Torpig, the MBR infection will cause it to be reinfected again.

The best way to find the machine responsible is to look for connections to the Torpig C&C server. This detection was made through a connection to 91.20.214.121, but this changes periodically. To find these infections, we suggest you search for TCP/IP connections to the range 91.19.0.0/16 and 91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination port 80 or 443, but you should look for all ports. This detection corresponds to a connection at 2011-07-21 12:42:02 (GMT – this timestamp is believed accurate to within one second).

Best Answer

Most malware discovery advice is focused on getting users to run security checks on their computers...you don't mention your exact circumstances, but it sounds like you're running a school network of some kind? Which of course adds a wonderful layer of head-slapping to address the issue as it will cause all sorts of added frustration.

So the first approach to try is education of users. Posters, announcements, etc. Of course most users will probably ignore this, but it can raise awareness. Seeing as Torpig apparently disables AV software, make users aware of the effects of this malware (stealing bank information) and give links to online scanners and sponsor handing out burned discs of bootable malware detection software, or sponsor campus virus-checking events with IT to go to dorms and scan or bring laptops to a location for free malware checking. With appropriate waivers for responsibility of the effects of wiping malware off, of course.

Next I'd investigate the routers. Decent routers should have the ability to report network traffic via SNMP, and you can check them for unusual traffic patterns. You should be able to tell when there are unusual spikes in traffic or check for anomalies, and some software may be able to alert you to unusual activity. Some bosses may see this as a waste of time, checking over reports and status of equipment that seems to be working fine. In my opinion it is never a waste to be familiar with how things run; sometimes you know your car is going to have issues because something doesn't "feel right" or "sound quite right," the same goes with your network.

Do you proxy your traffic? What are you using for proxy? We had a FreeBSD Squid box for a while that caught malware infection on a user's computer because I noticed something odd in the ARP tables originating from that user's workstation; his malware was broadcasting all sorts of IPs trying to hit other targets within our own network and it was showing up in my status checks on the proxy server health.

Torpig apparently uses HTTP commands to connect to control points. The proxy may help in that as well, if it's logging activity. If you can find some of the IPs that Torpig connects to, you may be able to grep your logs for connections from XYZ machine to lock it down really quickly. Proxies that filter should also be able to automatically block the traffic from reaching the C&C servers as well.

Reading an analysis of the bot may help give you some ideas. See http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf for a study on the malware's behavior.

Another thing to try; email other universities that have this issue and ask them what they're doing to detect the traffic. See an example of someone advertising that they're analyzing student traffic and see if you can contact their IT people; they'll most likely be willing to share hints. http://cnc.ucr.edu/security/announcements/2010_03_04_mebroot.html

Honeypots...I wouldn't be against putting this in your network just because it sounds like you have students and computers you can't control. Stick a few honeypots on the network, see what hits it gets. I don't know if Torpig will be detected with it, but you'll probably find it useful to have for other malware; stick SNORT or other IDS on it and check up on it frequently (and email you alerts).

The last thing you might consider, but this is entirely dependent on your situation, is running something like SAINT or Nessus on your network to check machines for vulnerabilities. This could be a big drain on your network resources, however, and some people probably won't appreciate their machines being scanned and you may have issues if this isn't spelled out in policy. Also it depends on the size of your network.

There are tools that can keep you apprised of what's on your network such as spice network's tool and LanSweeper.

Other than that all I can think of off the top of my head is to run a full audit of all servers that you DO have some control over on the network, run the vulnerability framework tools against them to audit for possible security issues, and tighten your border routers to restrict all outgoing ports that aren't necessary for users to have outgoing traffic from so you can restrict activity from malware on unusual ports. At a minimum you might want a machine or appliance that monitors for unusual activity from odd ports and have it send alerts for you to follow up on, and contact other IT departments in other schools similar to yours to see how they address this issue.
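As an added example (not code from the question, the answer or the CBL notice), the following Python script does what the answer suggests for proxy logs: it parses Squid access.log lines, flags any connection whose destination falls inside the 91.19.0.0/16 or 91.20.0.0/16 ranges the notice names, and reports the LAN client behind it. The sample log lines, the 10.20.30.x clients and 91.19.77.3 are constructed; only 91.20.214.121 comes from the notice.

```python
# Added example, not code from the question or the answer: scan Squid-style
# proxy access.log lines for connections into the CBL-named Torpig C&C ranges.
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Ranges quoted in the CBL notice; extend this list if a newer notice names more.
SUSPECT_RANGES = [ipaddress.ip_network("91.19.0.0/16"),
                  ipaddress.ip_network("91.20.0.0/16")]
# Squid native format: time elapsed client action/code size method url user hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)")

# Constructed sample lines: 10.20.30.x are made-up LAN clients, 91.19.77.3 is a
# made-up address inside the range, 91.20.214.121 is the address CBL reported.
SAMPLE_LOG = [
    "1311252100.512 120 10.20.30.7 TCP_MISS/200 5120 GET http://www.example.edu/ - DIRECT/192.0.2.10 text/html",
    "1311252122.004 310 10.20.30.55 TCP_MISS/200 412 POST http://91.20.214.121/gate.php - DIRECT/91.20.214.121 text/html",
    "1311252130.771 2200 10.20.30.55 TCP_TUNNEL/200 8900 CONNECT 91.19.77.3:443 - DIRECT/91.19.77.3 -",
    "this line is not in Squid format and is skipped",
]

def is_suspect(ip_text):
    # True only for an IP literal inside one of SUSPECT_RANGES; hostnames, '-' or garbage give False.
    try:
        return any(ipaddress.ip_address(ip_text) in net for net in SUSPECT_RANGES)
    except ValueError:
        return False

def destinations(url, hier):
    # Addresses one line exposes: the URL host (or CONNECT host:port) and the Squid peer.
    host = urlsplit(url).hostname
    if host is None and ":" in url:      # CONNECT lines carry host:port, not a URL
        host = url.rsplit(":", 1)[0]
    peer = hier.split("/", 1)[1] if "/" in hier else None
    return [h for h in (host, peer) if h]

def find_suspect_connections(lines):
    # Returns (utc_time, client, destination, method) for every line that hits a suspect range.
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        for dest in destinations(m["url"], m["hier"]):
            if is_suspect(dest):
                when = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
                hits.append((when.strftime("%Y-%m-%d %H:%M:%S"), m["client"], dest, m["method"]))
                break  # one report per line is enough
    return hits
```

Running it over a real access.log (`find_suspect_connections(open("/var/log/squid/access.log"))`) gives the client addresses to follow up on; the reported GMT time can be matched against the timestamp in the CBL notice.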
