# How Palo Alto Networks' Next-Generation Firewalls Protect Against Torpig Attack

By [Anna Lough](https://www.paloaltonetworks.com/blog/author/anna-lough/ "Posts by Anna Lough"), Aug 19, 2010. Category: [Threat Advisory/Analysis](https://www.paloaltonetworks.com/blog/category/threat-advisoryanalysis/). Tag: [botnet](https://www.paloaltonetworks.com/blog/tag/botnet/)

In this blog, I talk about how our next-generation firewalls protect against [botnets](http://en.wikipedia.org/wiki/Botnets) such as Torpig. A Torpig infection has three parts:

**1. The user visits a website which starts the chain of events leading to a Torpig infection**

There are two ways this can happen:

*a. The user is tricked into visiting a website he or she never intended to visit*

This is commonly the result of a phishing lure (a link in an e-mail or instant message). Once the user lands on the site, it starts pushing exploits at the user's computer without any user action. Such downloads are referred to as [drive-by downloads](http://en.wikipedia.org/wiki/Drive-by_download): the user does not explicitly download anything; simply visiting the page triggers the download. These attacks can usually be nipped in the bud by URL filtering, which detects the user's traffic going to a site already categorized as malware. Our next-generation firewalls provide URL filtering that detects such traffic and thereby stops the attack at its first step.

*b. The user visits a popular, legitimate website that has recently been compromised*

This happened recently with songlyrics.com. The site was broken into and its HTML was modified to include a [malicious `<iframe>`](http://www.guardian.co.uk/technology/2008/apr/03/security.google) that silently directed visitors' browsers to a malware-hosting site. Note that `<iframe>` is not harmful by itself; it is part of the standard HTML specification and is used legitimately all over the web for video embeds, ads and widgets. Only certain usages are malicious (typically an injected frame that is hidden or sized to nothing and points at an attacker-controlled host), so any signature for malicious iframes must be written so that it does not fire on legitimate embeds. Palo Alto Networks' next-generation firewalls currently have three such signatures to detect malicious iframes:

[![blog1](https://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog15.jpg "blog1")](http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog15.jpg)

**2. 
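To make the false-positive point concrete, here is an added example (Python written for this page, not code from the original post and not how the firewall's signatures are implemented) of a heuristic that separates an injected, hidden `<iframe>` from a legitimate embed. The sample page, the hostnames and the pixel thresholds are constructed for the example. The rule encodes the caveat above: a frame pointing at a third-party host is never flagged on its own, because video embeds and ad slots do exactly that; only frames that also carry a hiding indicator (zero or one-pixel size, `display:none` / `visibility:hidden`, or far off-screen positioning) are reported, with the third-party origin recorded as an aggravating factor.

```python
"""Heuristic scan for injected <iframe> tags in an HTML page.

Added example, not from the original post. The sample page, hostnames
and thresholds below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value: Optional[str]):
    """Leading integer of a width/height attribute ("0", "1px", "560"), else None."""
    m = re.match(r"\s*(-?\d+)", value or "")
    return int(m.group(1)) if m else None


def _hiding_reasons(attrs: dict) -> list:
    """Indicators that a frame is meant to be invisible to the visitor."""
    reasons = []
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    if width is not None and height is not None and width <= 1 and height <= 1:
        reasons.append("tiny-size")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden-style")
    if re.search(r"(left|top):-\d{3,}px", style):
        reasons.append("offscreen")
    return reasons


def suspicious_iframes(html: str, page_host: str) -> list:
    """Return (src, reasons) for each iframe that is hidden from the visitor.

    A third-party src alone is never flagged (video embeds, ad slots and
    widgets are legitimate third-party frames); it is only appended as an
    aggravating reason on frames that are already hidden.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = _hiding_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("third-party-src")
        findings.append((src, reasons))
    return findings


# Constructed page: one legitimate embed, two injected frames of the kind
# described above, and a same-site 1x1 frame (flagged, but without the
# third-party aggravator).
SAMPLE_PAGE = """<html><body>
<h1>Song lyrics</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="http://evil.example/in.php" width="0" height="0" style="display: none"></iframe>
<iframe src="http://bad.example/x.html" style="position:absolute; left:-5000px; top:-5000px"></iframe>
<iframe src="/stats/pixel.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "songlyrics.example"):
        print(f"{src}: {', '.join(reasons)}")
```

Run against the constructed page it reports the two injected frames and the same-site pixel frame, and stays silent on the YouTube embed. A production signature has to cope with obfuscated JavaScript that writes the iframe at runtime, which a static HTML scan like this will not see; that is where the firewall's own signatures earn their keep.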
The `<iframe>` in the page directs the user's machine to a malware site and downloads exploits**

As mentioned above, the `<iframe>` directs the user's browser to a malware-hosting site, which can again "very likely" be caught by URL filtering. I say "very likely" because it depends on how long the malware site has been up: if the site is very new, the URL filtering database may not yet have categorized it as malicious. So assume for now that URL filtering does not stop the traffic. The malware site now starts throwing exploits at the user's computer, trying to hit an unpatched or even zero-day vulnerability. Once an exploit succeeds, the site downloads the actual malware to the computer, and that is what turns it into a "bot".

Our next-generation firewalls can stop this stage with vulnerability-based signatures. Here it is important to distinguish between vulnerability-based and exploit-based signatures. A vulnerability-based signature matches the condition that triggers the vulnerability itself, so a single signature protects against *all* attacks that try to take advantage of that vulnerability, including payloads nobody has seen yet. An exploit-based signature matches the bytes of one particular exploit, so it protects against only *certain* attack vectors and is defeated by re-encoding or otherwise varying the payload. Clearly, vulnerability-based signatures are preferable, as they provide the most comprehensive protection. At Palo Alto Networks, our threat team spends considerable time understanding vulnerabilities and writing signatures that cover the vulnerability itself. In fact, the Palo Alto Networks threat team has been recognized several times by Microsoft for discovering and reporting vulnerabilities in Microsoft products, and Palo Alto Networks is the only private company in the top five list of companies that have reported vulnerabilities to Microsoft.

Customers should also be mindful of packet latency when vulnerability protection is turned on.
Thanks to its single-pass architecture, the Palo Alto Networks next-generation firewall scans content only once, and the results of that one pass feed vulnerability, spyware and virus blocking, file blocking and URL filtering. In particular, our antivirus engine is stream-based rather than file-based. A file-based antivirus first downloads the entire file and *then* runs virus checks on it, which adds latency to every file that passes through the device. A stream-based engine checks the file *while* it is in transit, which is clearly preferable from the user's perspective.

Coming back to the exploits: once the user's machine has been compromised, the malware site downloads an executable (the virus), which in the case of Torpig installs Mebroot. Most IPSes do not cover virus protection; the Palo Alto Networks next-generation firewall, however, includes a strong antivirus engine. We receive several thousand virus samples from our partners. Our threat team analyzes the samples, looks for malicious patterns shared across files, and then defines virus signatures that each detect *several* samples, which keeps the signature footprint small. Specifically for Torpig, we have over **6,400 signatures** that catch Torpig-related malicious executables. These signatures cover roughly **12,800 malicious samples** (each Torpig signature covers two samples on average).

**3. The malicious code installed on the victim computer sends personal information to Torpig's command-and-control servers**

This is the step that makes money for the attacker, by stealing personal financial information from victims. Currently, we provide three signatures to catch this traffic. Once again, this is a cat-and-mouse game between attackers coming up with different traffic profiles for contacting their command-and-control servers and anti-spyware vendors blocking each new profile with a signature.
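Returning to the signature distinction in part 2, the following added example (written for this page, not from the original post, and not a Palo Alto Networks signature) puts an exploit-based and a vulnerability-based check side by side over a constructed toy protocol: a two-byte big-endian length prefix followed by a name field, with a hypothetical server that copies the field into a 64-byte buffer trusting the declared length. Three constructed messages go through both checks: the first published exploit, a variant that hits the same bug with a different payload, and normal traffic.

```python
"""Vulnerability-based versus exploit-based signature, side by side.

Added example, not from the original post and not a Palo Alto Networks
signature. The protocol is a constructed toy: a 2-byte big-endian length
followed by a "name" field, and a hypothetical vulnerable server that
copies the name into a 64-byte stack buffer trusting the declared length.
"""
import struct

BUFFER_LIMIT = 64  # hypothetical size of the server's fixed buffer


def build_msg(name: bytes) -> bytes:
    """Encode one message of the constructed protocol."""
    return struct.pack("!H", len(name)) + name


# Constructed samples: the first published exploit, a re-packaged variant
# that hits the same bug with a different payload, and normal traffic.
KNOWN_EXPLOIT = build_msg(b"\x90" * 64 + b"EXPLOIT-A" + b"\xcc" * 32)
VARIANT_EXPLOIT = build_msg(b"A" * 120 + b"\xde\xad\xbe\xef")
BENIGN = build_msg(b"alice@example.test")

# Exploit-based: a fingerprint of the known payload (NOP sled plus marker).
EXPLOIT_PATTERN = b"\x90" * 16 + b"EXPLOIT-A"


def exploit_signature(msg: bytes) -> bool:
    """Fires only when the bytes of the known exploit are present."""
    return EXPLOIT_PATTERN in msg


def vulnerability_signature(msg: bytes) -> bool:
    """Fires on the condition that triggers the bug: a name field whose
    declared length exceeds the buffer the server copies it into, no matter
    what the payload bytes look like."""
    if len(msg) < 2:
        return False  # truncated header: nothing to decide on
    (declared_len,) = struct.unpack("!H", msg[:2])
    return declared_len > BUFFER_LIMIT


def evaluate(samples: dict) -> dict:
    """Map sample name -> (exploit_signature fired, vulnerability_signature fired)."""
    return {name: (exploit_signature(m), vulnerability_signature(m))
            for name, m in samples.items()}


SAMPLES = {"known": KNOWN_EXPLOIT, "variant": VARIANT_EXPLOIT, "benign": BENIGN}

if __name__ == "__main__":
    for name, (by_exploit, by_vuln) in evaluate(SAMPLES).items():
        print(f"{name:8s} exploit-sig={by_exploit!s:5s} vuln-sig={by_vuln}")
```

The variant is the interesting row: it never contains the fingerprinted bytes, so the exploit-based check misses it, while the vulnerability-based check still fires because the length field is what matters. The price of the second approach is that the signature writer has to understand the bug well enough to state that condition precisely, and the sensor has to parse the protocol far enough to evaluate it, which is the latency trade-off discussed next.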
[![blog2](https://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog2.jpg "blog2")](http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog2.jpg)
[![blog3](https://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog3.jpg "blog3")](http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog3.jpg)

In the picture above, the second signature (12657) corresponds to the DNS traffic that our threat team identified as Torpig DNS requests. Below is a packet dump of a DNS reply returned to a Torpig bot. Bytes 0x00-0x0d are the Ethernet header, 0x0e-0x21 the IP header (UDP from 192.54.112.30 to 10.1.1.12), 0x22-0x29 the UDP header (source port 53), and the rest is the DNS message. The bot asked for the A record of yaztirpa.net; the reply carries no answer, but its authority section names two authoritative name servers for the domain, ns1.torpig-sinkhole.org and ns2.torpig-sinkhole.org (the second name uses a compression pointer back into the first). In other words, the domain the bot is trying to reach has been taken over and pointed at a sinkhole.

```text
0000  00 16 d3 2d 22 b4 00 18 73 d7 08 5d 08 00 45 88   ...-"... s..]..E.
0010  00 71 00 00 40 00 33 11 0b 93 c0 36 70 1e 0a 01   .q..@.3. ...6p...
0020  01 0c 00 35 46 e4 00 5d 24 13 00 08 80 00 00 01   ...5F..] $.......
0030  00 00 00 02 00 00 08 79 61 7a 74 69 72 70 61 03   .......y aztirpa.
0040  6e 65 74 00 00 01 00 01 c0 0c 00 02 00 01 00 02   net..... ........
0050  a3 00 00 19 03 6e 73 31 0f 74 6f 72 70 69 67 2d   .....ns1 .torpig-
0060  73 69 6e 6b 68 6f 6c 65 03 6f 72 67 00 c0 0c 00   sinkhole .org....
0070  02 00 01 00 02 a3 00 00 06 03 6e 73 32 c0 2e      ........ ..ns2..
```

We created a signature to catch such DNS responses. Whenever this signature fires in a network, one can be fairly sure there are Torpig-infected systems on it.

Overall, to block or mitigate such attacks effectively, a threat prevention solution needs to be comprehensive without significant performance degradation.
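For readers who want to verify the dump themselves, here is an added example (written for this page, not from the original post, and not the vendor's signature 12657) that decodes the frame above down to the DNS authority records and flags the reply. `PACKET` is the hex dump transcribed verbatim; the sinkhole suffix is the one that appears in those records; the detection rule, flagging any DNS response whose NS records fall under a known sinkhole domain, is the example's own.

```python
"""Decode the Torpig sinkhole DNS reply from the post and flag it.

Added example, not from the original post and not the vendor's signature
12657. PACKET is the hex dump from the post transcribed verbatim; the
sinkhole suffix is read from that dump. The rule (flag a DNS response
whose NS records fall under a known sinkhole domain) is this example's own.
"""
import struct

PACKET = bytes.fromhex(
    "0016d32d22b4001873d7085d08004588"
    "00710000400033110b93c036701e0a01"
    "010c003546e4005d2413000880000001"
    "0000000200000879617a746972706103"
    "6e65740000010001c00c000200010002"
    "a3000019036e73310f746f727069672d"
    "73696e6b686f6c65036f726700c00c00"
    "0200010002a3000006036e7332c02e"
)

SINKHOLE_SUFFIX = "torpig-sinkhole.org"  # taken from the authority records in the dump
NS, CNAME = 2, 5


def read_name(msg: bytes, offset: int):
    """Decode an RFC 1035 name at `offset`, following compression pointers.

    Returns (dotted name, offset just past the name as it appears in-line);
    once a pointer has been followed, the in-line end is the two pointer bytes.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:                                 # root label ends the name
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> DNS and return the fields of interest."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    dns = udp[8:ulen]                                   # UDP length includes its 8-byte header
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(dns, off)
        qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):                       # answer, authority, additional
        name, off = read_name(dns, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        # NS/CNAME rdata is a name whose pointers refer to the whole message,
        # so decode it against `dns`, not against the rdata slice.
        value = read_name(dns, off)[0] if rtype in (NS, CNAME) else dns[off:off + rdlen].hex()
        off += rdlen
        records.append((name, rtype, ttl, value))
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "txid": txid, "flags": flags,
        "questions": questions, "records": records,
    }


def is_sinkholed(parsed: dict, suffix: str = SINKHOLE_SUFFIX) -> bool:
    """True for a DNS *response* whose NS records name a sinkhole domain."""
    if not parsed["flags"] & 0x8000:                    # QR bit: only responses count
        return False
    return any(rtype == NS and (v == suffix or v.endswith("." + suffix))
               for _, rtype, _, v in parsed["records"])


if __name__ == "__main__":
    p = parse_dns_frame(PACKET)
    print(p["src"], "->", p["dst"], "query:", p["questions"])
    for rec in p["records"]:
        print("  ", rec)
    print("sinkholed:", is_sinkholed(p))
```

Run stand-alone it prints the query for yaztirpa.net, the two NS records under torpig-sinkhole.org, and `sinkholed: True`. On a real network the same parser would be fed from a pcap and the suffix list replaced by a feed of known sinkhole operators' domains; the host that sent the query (10.1.1.12 here) is the one to pull for remediation, since a sinkholed reply means the bot is already installed and calling home.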
Our next-generation firewalls combine all elements of threat prevention (URL filtering, vulnerability protection, spyware protection and virus protection) at hardware-accelerated speeds and so mitigate the risk from botnet-related attacks.

External links for Torpig:

* [http://en.wikipedia.org/wiki/Torpig](http://en.wikipedia.org/wiki/Torpig)
* [http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf](http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf)