Posted on 03/03/2010 12:55:20 PM PST by Ernest_at_the_Beach
Analysis: More details have emerged about a cybercrime investigation that led to the takedown of a botnet containing 12m zombie PCs and the arrest of three alleged kingpins who built and ran it.
As previously reported, the Mariposa botnet was principally geared towards stealing online login credentials for banks, email services and the like from compromised Windows PCs. The malware infected an estimated 12.7 million computers in more than 190 countries.
The botnet was shut down on 23 December 2009 following months of collaboration between security firms Panda Security and Defence Intelligence in co-operation with the FBI and Spain's Guardia Civil.
Half the roster of Fortune 1000 companies harboured machines infected by Mariposa at one time or another, according to Christopher Davis, chief exec at Canada-based Defence Intelligence, who first discovered the Mariposa botnet back in May 2009. Defence Intelligence teamed up with academics at Georgia Tech Information Security Center and security experts at PandaLabs and law enforcement to form the Mariposa Working Group in order to eradicate the botnet and bring the perpetrators to justice.
The Mariposa Working Group infiltrated the command-and-control structure of Mariposa to monitor the communication channels that relayed information from compromised systems back to the hackers who run the botnet. Analysis of the command system laid the groundwork for the December 2009 shutdown of the botnet, as well as shedding light on how the malware operated and provided a snapshot of the current state of the underground economy.
Mariposa (Spanish for butterfly) botnet malware spread via P2P networks, infected USB drives, and via MSN links that directed surfers to infected websites. Once infected by the Mariposa bot client, exposed machines would have various strains of malware .....
fyi
***********************EXCERPT************************
Posted on 03/3/10 by Luis Corrons
In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed Mariposa. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record.
Initial steps involved the creation of the Mariposa Working Group (MWG), comprising Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with other international security experts and law enforcement agencies. The aim was to set up a task force to eradicate the botnet and bring the perpetrators to justice.
Once all the information had been compiled, the primary aim was to wrest control of the network from the cyber-criminals and identify them. Having located the Command & Control (C&C) servers from which commands were sent to the network, we were able to see the types of activities the botnet was being used for. These mainly involved rental of parts of the botnet to other criminals, theft of confidential credentials from infected computers, changes to the results shown in search engines (such as Google, etc.), and displaying pop-up ads.
The aim, in all cases, was clearly to profit from the botnet. The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team, "Nightmare Days Team" in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.
Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.
On December 23 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang's leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.
Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.
Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.
On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. jonyloleante, and J.B.R., 25, a.k.a. ostiator. Both of them were arrested on February 24, 2010.
Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries. Christopher Davis, CEO of Defence Intelligence, illustrates the significance of these infections: "It would be easier for me to provide a list of the Fortune 1000 companies that weren't compromised, rather than the long list of those who were."
Data stolen includes bank account details, credit card numbers, user names, passwords, etc. The digital material seized during the arrest of Netkairo, members of the DDP Team, included stolen data belonging to more than 800,000 users.
The investigation is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are already estimated to be in the millions of dollars.
Analysis of Netkairo's hard disks by the police is revealing a complex network of suppliers offering a range of services including hacking of servers to be used as control servers, encryption services to make the bots undetectable to antiviruses, anonymous VPN connections to administer the botnet, etc.
There is also a similarly complex network of clients, prepared to rent part of the botnet, to buy stolen credit cards, or pay for the installation of toolbars. The gang also stole directly from bank accounts, using money mules in the United States and Canada, and laundered money through online poker games.
Among other activities, Panda has been contacting other IT security companies to provide access to samples of the bots so that we can all detect them. As such, if you want to know if you are infected with the bot, just scan your computer with a reliable and up-to-date antivirus solution.
**************************************
Video at the website
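As an added example (not part of this post or of Panda's write-up), here is the kind of sinkhole log analysis the excerpt describes: once the C&C DNS records are changed to point at a server the defenders control, every infected host keeps checking in to that server, and counting the distinct source addresses in its logs is how a figure like "12 million IP addresses" is reached. The log format, hostnames and addresses below are constructed for the example and are not Mariposa indicators.

```python
"""Sinkhole check-in log analysis (added example, not from the original post).

After a botnet's C&C hostnames are redirected to a sinkhole, infected hosts
keep "phoning home" to a server the defenders run. Counting distinct source
addresses in the sinkhole's logs estimates the infected population.
The log format, hostnames and addresses here are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed log lines in a hypothetical "timestamp src_ip requested_host path" format.
SAMPLE_LOG = """\
2009-12-23T10:00:01Z 203.0.113.7 cc-a.example.invalid /gate.php?id=1
2009-12-23T10:00:02Z 203.0.113.7 cc-a.example.invalid /gate.php?id=1
2009-12-23T10:00:05Z 198.51.100.22 cc-a.example.invalid /gate.php?id=9
2009-12-23T10:01:10Z 198.51.100.23 cc-b.example.invalid /gate.php?id=4
2009-12-23T10:01:11Z 192.0.2.5 cc-b.example.invalid /gate.php?id=2
2009-12-23T10:01:12Z not-an-ip cc-b.example.invalid /gate.php?id=2
2009-12-23T11:30:00Z 203.0.113.7 cc-a.example.invalid /gate.php?id=1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, ip, host, path), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_raw, ip_raw, host, path = m.groups()
    try:
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(ip_raw)
    except ValueError:
        return None  # bad timestamp or non-IP source: skip rather than crash
    return ts, ip, host, path


def unique_bots_per_host(log_text):
    """Distinct reporting addresses per sinkholed C&C hostname."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, host, _ = rec
        seen[host].add(ip)
    return {host: len(ips) for host, ips in seen.items()}


def total_unique_bots(log_text):
    """Distinct addresses across all hostnames (one host hitting two C&C names counts once)."""
    ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ips.add(rec[1])
    return len(ips)


def checkins_per_hour(log_text):
    """Check-in volume per hour; the shape of this curve reveals the beaconing interval."""
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            buckets[rec[0].strftime("%Y-%m-%dT%H")] += 1
    return dict(buckets)


if __name__ == "__main__":
    print(unique_bots_per_host(SAMPLE_LOG))
    print(total_unique_bots(SAMPLE_LOG))
    print(checkins_per_hour(SAMPLE_LOG))
```

The count is of addresses, not machines: hosts behind NAT collapse into one address and hosts on DHCP show up under several, which is why such figures are quoted as "IP addresses" rather than infected PCs. Malformed lines are dropped rather than allowed to abort the run, since a sinkhole sees plenty of junk traffic.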
what’ dya they’ll do about the BotNet on Capitol Hill.....
************************************EXCERPT******************************
Posted by kdawson on Wednesday March 03, @08:13AM
from the sting-like-a-butterfly dept.
AP is claiming that the botnet included systems in roughly half of the Fortune 1000 companies, scattered over 190 countries. Interesting details: none of the three principals has a prior criminal record. Although apparently hardworking, they are not uber-hackers, but rather had connections to the Spanish mafia, which apparently helped to equip them.
At the time of arrest, they were not showing signs of their significant new income level.
From the article: 'Chris Davis, CEO of Ottawa-based Defence Intelligence, said he noticed the infections when they appeared on networks of some of his firm's clients, including pharmaceutical companies and banks. It wasn't until several months later that he realized the infections were part of something much bigger.
After seeing that some of the servers used to control computers in the botnet were located in Spain, Davis and researchers from the Georgia Tech Information Security Center joined with software firm Panda Security, which is headquartered in Bilbao, Spain.
The investigators caught a few lucky breaks. For one, the suspects used Internet services that wound up cooperating with investigators. That isn't always the case.'
Mariposa is also a Spanish-language term in Mexico for a Maricón. Wonder if this has some significance?
They seem to bypass the internet.
But, because his screen name was "Netkairo," I think we can make an educated guess as to his nationality and religion. And 12 million infected machines controlled by this freak.
"Además se está investigando la participación de un cuarto miembro del grupo, identificado como fénix, que podría ser de nacionalidad venezolana...
They are investigating the participation of a fourth member of the group, identified as Fenix, who could be of Venezuelan nationality.
Mariposa botnet shut down in Spain in major cyber-swoop
*******************************EXCERPT*******************************
The brains behind what experts believe is the world's biggest computer hacking scam were arrested by Spanish police after making a basic mistake: one forgot to disguise their computer IP address.
The hackers had infected more than 13 million PCs with a virus that stole personal information and credit card numbers.
Spanish police working with the FBI and other police forces arrested the three men suspected of running the Mariposa botnet, named after the Spanish word for butterfly, after one made the mistake.
***********************************snip***************************************
Mariposa initially spread by exploiting a weakness in the defences of Microsoft's web browser, Internet Explorer, used by over 70 per cent of people surfing the net. The virus also spread by contaminating USB memory sticks.
**************************************snip**********************************
This piece of information should probably have been kept quiet.
Not that Firefox cannot be compromised, but for anything more than light use of the Web I find Firefox and other browsers much better than IE8 in terms of power to expand capabilities. Thank God.
Favorite extensions:
ColorfulTabs 3.9.4 - The most beautiful yet the simplest add-on that makes a strong colorful appeal. Colors every tab in a different color and makes them easy to distinguish while beautifying the overall appearance of the interface. https://addons.mozilla.org/en-US/firefox/addon/1368
PitchDark - theme for Fx 3.5.0. https://addons.mozilla.org/en-US/firefox/addon/1529
Converter - Contextual unit, timezone, and currency converter on any web site; custom conversions for offline text also supported. https://addons.mozilla.org/en-US/firefox/addon/2286
Tab Mix Plus 0.3.8.1 - https://addons.mozilla.org/en-US/firefox/addon/1122
Savewithurl - http://nic-nac-project.de/~kaosmos/savewithurl-en.html
Read It Later - Read It Later allows you to save pages of interest to read later. https://addons.mozilla.org/en-US/firefox/addon/7661
Menu Editor - Customize application menus: Rearrange or remove menu items from the main context menu (right-click menu) and main menubar (File, Edit, View, etc.). https://addons.mozilla.org/en-US/firefox/addon/710
autoplay - Disable the autoplay of embedded music and movies. https://addons.mozilla.org/en-US/firefox/addon/1765
IE View - Lets you load pages in IE with a single right-click, or mark certain sites to *always* load in IE. https://addons.mozilla.org/en-US/firefox/addon/35
Googlebar - The original (though unofficial) Google toolbar for Firefox, with an emphasis on easy access to many types of specialized searches. https://addons.mozilla.org/en-US/firefox/addon/33
Copy all URLs - Copies and pastes all URLs of open tabs, inclusive of history, in a structured and well-defined form to and from the clipboard. https://addons.mozilla.org/en-US/firefox/addon/934
Tab URL Copier 1.1.9 - Copies the URLs of all open tabs. Puts a 'Copy Tab URLs' item in the right-click menu of tabs and the Edit main menu. https://addons.mozilla.org/en-US/firefox/addon/2069
FEBE - Quickly and easily back up your Firefox extensions. In fact, it goes beyond just backing up — it will actually rebuild your extensions individually into installable .xpi files. https://addons.mozilla.org/en-US/firefox/addon/2109
CLEO (Compact Library Extension Organizer) - A Firefox extension that works with FEBE to package any number of extensions/themes into a single, installable .xpi file. https://addons.mozilla.org/en-US/firefox/addon/2942
UnMHT - Allows you to view MHT (MHTML) web archive format files, and save complete web pages, including text and graphics, into a single MHT file. https://addons.mozilla.org/en-US/firefox/addon/8051
Online Translator Toolbar by Alex K - https://addons.mozilla.org/en-US/firefox/addon/8342
Word Count Plus - https://addons.mozilla.org/en-US/firefox/addon/4718
Gspace 0.5.991 - https://addons.mozilla.org/en-US/firefox/addon/1593