Euro Cops Catch Suspected Botnet Operators

European law enforcement officials arrested three men believed to be behind the creation and distribution of multiple strands of malware code.

The three men are also suspected of having operated a so-called botnet network built from the PCs that their viruses infected over the Internet.

The British Metropolitan Polices Computer Crime Unit, along with the Finnish National Bureau of Investigation and Finnish Pori Police Department reported that they arrested a 63-year-old man in Suffolk, England along with a 28-year-old man in Scotland and a 19-year-old man in Finland on June 27.

The three men are being charged by local officials for operating a conspiracy to infect computers with malware, and are believed to be at least part of the virus-writing team identified publicly by the name M00P.

“This highly organized group are suspected of writing new computer viruses in order to avoid detection by anti-virus products,” the British Metro Police said in a statement.

“They have been primarily targeting UK businesses since at least 2005, and during this time thousands of computers are known to have been infected across the globe.”

The group won its name with malware researchers and law enforcement officials based on its practice of leaving the word M00P somewhere in the lines of software code used to deliver its attacks.

Researchers said the name has shown up in multiple attacks, many of which were sophisticated and sought to take over the PCs of unsuspecting people who came in contact with the viruses.

According to anti-malware applications specialists Sophos, based in Abingdon, UK, the M00P gang are believed to have written viruses including the W32/Dogbot spyware worm, Troj/Hackarmy-C, Troj/Santabot-A, Troj/Shuckbot-A, W32/Rbot-BF and W32/Tibick-A.

References to M00P are also contained inside the Stinx Trojan horse, company officials said, which was mass-e-mailed to users in 2005 offering the subject line “Photo Approval Needed,” and which sought to take advantage of root kit software formerly distributed by Sony on its music CDs.

The M00P team is considered unique in that most malware writers involved in such organized crimes go to great lengths to disguise their identities, while the arrested men appeared to seek some form of notoriety by including their name in their attacks.

Unlike so-called script kiddies—writers of the Webs earliest attacks who appeared more interested in gaining popularity than making money—most criminals seeking to cash in on their viruses tend to keep as a low a profile as possible, said Ron OBrien, senior security analyst for Sophos.

“Any time that you can find a fingerprint in the code, thats the smoking gun, and we had that in this case,” said OBrien.

/zimages/5/28571.gifStudy: Most technology companies have data losses.Click hereto read more.

“This case definitely involves a combination of someone desperately seeking attention, but who was also engaged in a fairly significant level of criminal activity, which is very unique.”

OBrien said that the details indicate that the M00P group may have started out as a non-criminal enterprise that eventually fell prey to the lure of easy cash.

The ability and willingness of script kiddies to sell out to other criminals or cross the line themselves is particularly troubling, he said.

“Were concerned that this type of activity, while it may seem to have a hint of entertainment value, has probably been responsible for destruction of many, many PCs,” said OBrien.

“So, if theres a lesson its that if you see this type of behavior or get impacted by something like this, call the authorities, there could be some clue hidden in the code that helps them catch the bad guys.”

Sophos believes that the accused cyber-criminals chose the name of their group based on an episode of the animated television show “South Park” on which the programs characters formed a band called “Moop” and debated the ethics of file sharing.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.