Spain, IT Security Companies Sting Mariposa Botnet
Spanish security forces, in conjunction with IT security
firms Defense Intelligence and Panda Security, announced the arrest of three men
who allegedly ran the Mariposa botnet, which spread malicious programming to
millions of PCs in 190 countries.
"Mariposa" means butterfly in Spanish, but the actual botnet was anything but small and delicate, being one of the largest ever shut down. Targeted data included bank account details, user names and passwords, with enslaved PCs also forced into denial-of-service attacks. The ringleaders also used the botnet to sell pay-per-install toolbars and stolen credentials for online services.
According to Defense
Intelligence, Mariposa managed to compromise more than 11 million unique IPs
between Dec. 23, 2009 and Feb.
9. The botnet spread through a combination of instant messenger programs,
P2P networks and USB keys, with Defense Intelligence observing attempts to
leverage MSN Messenger to spread malicious code.
"Our preliminary analysis indicates that the botmasters did
not have advanced hacking skills," Pedro Bustamante, senior research advisor at
Panda Security, wrote
in a March 3 statement. "This is very alarming because it proves how
sophisticated and effective malware distribution software has become, empowering
relatively unskilled cyber-criminals to inflict major damage and financial
Defense Intelligence claims it had been tracking Mariposa
since May 2009. A Mariposa Working Group of IT security personnel managed to
infiltrate Mariposa's command-and-control structure late in 2009, according to a
Panda Security statement, and then used the information gleaned from analyzing
the botnet's servers to initiate a coordinated shutdown on Dec. 23. Shortly after that shutdown, hackers
launched a retaliatory Denial of Service attack against Defense Intelligence,
which managed to knock a subset of customers for one ISP offline for a brief
Spanish police later arrested the three men suspected of masterminding the botnet. One of those botmasters worked during the noms de guerre "Netkairo" and "hamlet1917," and partnered with two other individuals operating under the handles "Ostiator" and "Johnyloleante."
"Mariposa's the biggest ever to be shut down, but this is
only the tip of the iceberg," Mark Rasch, former head of the Justice
Department's computer crimes unit, is quoted by Reuters
in a March 3 article. "These things come up constantly."
IT companies and local governments have been moving recently to shut down botnets, which have an ever-increasing capability to compromise the personal information of millions of people. On Feb. 22, a federal judge in Virginia responded to a complaint by Microsoft and ordered the shutdown of 277 Internet domains associated with Waledac, a botnet supposedly responsible for infecting hundreds of thousands of computers worldwide, as well as 651 million spam emails that clogged Hotmail inboxes between December 3-21, 2009.