BotNet Exposed: 70GB Personal Data Analyzed By University
May 5th, 2009

Researchers at the University of California, Santa Barbara, say they seized control of the Torpig botnet for 10 days earlier in 2009 and recovered 70GB of financial data, from credit card numbers to bank account credentials. Torpig, also known as Sinowal, is installed by the Mebroot rootkit, which security vendor Prevx has called the stealthiest rootkit in the wild.

The researchers monitored more than 180,000 compromised computers by exploiting a weakness in the command-and-control infrastructure the botmasters used to direct them. The window lasted only 10 days, however, before the botmasters updated the command-and-control instructions, according to the researchers’ 13-page paper. Still, that was enough time to see the data-collecting power of Torpig/Sinowal: in those 10 days, about 70GB of data was harvested from the infected machines.

Torpig has been a subject of research for some time: last October RSA revealed that the Sinowal Trojan (Torpig, delivered by Mebroot) had been stealing data for about three years and had harvested credentials for 300,000 online bank, credit and debit card accounts, plus an unknown number of email and FTP accounts. The botnet’s malware “may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters,” RSA’s researchers said.

Usenet and its newsgroups were neither a source of this stolen information nor a documented channel for exchanging it.

Over those ten days Torpig sent large volumes of data to the researchers, including details of 8,310 accounts at 410 different financial institutions. PayPal led with 1,770 accounts, followed by Poste Italiane with 765, Capital One with 314 and E*Trade with 304. There were also 1,700 sets of credit card details, mostly from the USA. In total the bots transferred 70GB of data, which also included credentials for many hundreds of thousands of email, FTP and other online accounts, including Google, Facebook and MySpace. Working with the authorities, the researchers later used the collected data to notify the victims.

The origin of Torpig/Sinowal and who controls it remain the subject of speculation. The trojan is thought to have originally been operated by Russian criminals with connections to the Russian Business Network (RBN). However, the RBN no longer appears to have any major involvement.

The researchers concluded that botnet victims are usually people with poorly maintained machines who choose “easily guessable” passwords. “This is evidence that the malware problem is fundamentally a cultural problem,” reads the report. “Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer.”

Despite the scale of the compromise, Usenet newsgroups were untouched by it.

 Copyright © 2006-2010