Determining which site Torpig planned to check for new instructions proved relatively straightforward, however.

That's because the botnet used a fairly simple algorithm for determining where to look: Torpig took the current date to create a random domain name to check -- and then it hunted for that name among the .com, .net, and .biz top-level domains.

The team noted that the botnet's owners had been registering domains only a few weeks in advance, so they got the jump on them by determining which names Torpig would soon check, and purchased those domains at shady, malware-friendly Web hosts.

That approach enabled the team to begin receiving all the data harvested by the Torpig botnet beginning on Jan. 25.

"Once we realized what we had, we contacted the FBI and the Department of Defense," Vigna said.

The team's .com command-and-control domains were shut down on Jan. 30, 2009 when a bank complained to the .com registrar -- but that didn't strike the team as a failure.

"That was a good sign," Cova said. "It showed that people were looking for malicious activity."

The study came to a halt on Feb. 4, however, when the botnet controllers distributed a new version of Torpig that changed the algorithm the botnet used to select a domain.

So will the team be able to repeat the experiment? It might be possible -- for now.

"Cova and [fellow researcher] Brett Stone-Gross reverse engineered the [new algorithm] -- they recently changed their domain-determination algorithm by including the first letter of the most common subject on Twitter."

But the approach might not work against every botnet. While hijacking Torpig cost about $20 -- the cost of two domain names -- the team's report noted that newer malware is designed to raise the cost of buying its command-and-control domains.

For instance, recent variants of Conficker generate lists of up to 50,000 domains per day, so buying all of those domains would cost up to $182.5 million per year, or $500,000 per day.
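The two technical points in this article, that a date-seeded domain generation algorithm lets a defender who has reverse engineered it compute the domains in advance, and that the cost of pre-registering them scales with the number of domains generated per day, are illustrated by the following added example. It is not code from the article or from the Santa Barbara team, and the generation scheme it uses is a constructed stand-in (a SHA-256 hash of the date) rather than Torpig's or Conficker's real algorithm; the $10-per-domain price is likewise an assumption chosen so that the article's $20, $500,000-per-day and $182.5-million-per-year figures fall out of the arithmetic.

```python
import hashlib
from datetime import date, timedelta

# Constructed, hypothetical DGA for illustration only; NOT the real Torpig
# or Conficker algorithm. Each calendar day yields `per_day` labels, and the
# bot would try each label under every TLD in this list (the article names
# .com, .net and .biz for Torpig).
TLDS = ("com", "net", "biz")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def dga_labels(day: date, per_day: int = 1, length: int = 10) -> list[str]:
    """Derive `per_day` pseudo-random labels from the calendar date alone.

    Because the only input is the date, anyone who knows the scheme can run
    it for future dates; that is what let the researchers get ahead of the
    botnet operators.
    """
    labels = []
    for i in range(per_day):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).digest()
        # Map the leading digest bytes onto lowercase letters.
        labels.append("".join(ALPHABET[b % 26] for b in digest[:length]))
    return labels


def dga_domains(day: date, per_day: int = 1, tlds=TLDS) -> list[str]:
    """All fully-qualified candidate domains the bot would contact on `day`."""
    return [f"{label}.{tld}" for label in dga_labels(day, per_day) for tld in tlds]


def predict_domains(start: date, days_ahead: int, per_day: int = 1,
                    tlds=TLDS) -> dict[date, list[str]]:
    """Defender's view: the domains a sinkhole operator would need to hold,
    keyed by the day on which the bots will look for them."""
    return {
        start + timedelta(days=d): dga_domains(start + timedelta(days=d), per_day, tlds)
        for d in range(days_ahead)
    }


def registration_cost(domains_per_day: int, price_per_domain: float, days: int) -> float:
    """Cost of pre-registering every candidate domain for `days` days.

    This is the economics the article describes: a DGA that emits tens of
    thousands of names per day prices a defender out of a full takeover.
    """
    return domains_per_day * price_per_domain * days


if __name__ == "__main__":
    # Assumed price per domain; constructed so the article's figures reproduce.
    PRICE = 10.0
    first_day = date(2009, 1, 25)  # date the article gives for the takeover
    for day, names in predict_domains(first_day, 3).items():
        print(day, names)
    print("two domains:", registration_cost(2, PRICE, 1))
    print("50,000/day for one day:", registration_cost(50_000, PRICE, 1))
    print("50,000/day for a year:", registration_cost(50_000, PRICE, 365))
```

The design point to notice is in `dga_labels`: the scheme's only secret is the algorithm itself, so once it has been recovered from a sample, `predict_domains` gives the defender the same list the bots will compute, weeks ahead of the operators. The article's later change, mixing in a live Twitter trend, adds an input the defender cannot compute in advance and is exactly what such a function is missing.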

Hunting botnets also involves more mundane considerations. Vigna said that before the team hijacked Torpig, he had warned the university's IT department that there might be some unusual network traffic in the coming weeks.

"They're used to us sending weird traffic out of our lab, but they like to be informed," Vigna said. "We didn't really know what we had or the extent of the information we would collect until we did it."
