***********************EXCERPT************************
Posted on 03/3/10 by Luis Corrons
In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed Mariposa. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record.
Initial steps involved the creation of the Mariposa Working Group (MWG), comprising Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with other international security experts and law enforcement agencies. The aim was to set up a task force to eradicate the botnet and bring the perpetrators to justice.
Once all the information had been compiled, the primary aim was to wrest control of the network from the cyber-criminals and identify them. Having located the Command & Control (C&C) servers from which commands were sent to the network, we were able to see the types of activities the botnet was being used for. These mainly involved rental of parts of the botnet to other criminals, theft of confidential credentials from infected computers, changes to the results shown in search engines (such as Google, etc.), and displaying pop-up ads.
The aim, in all cases, was clearly to profit from the botnet. The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team, "Nightmare Days Team" in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.
Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.
On December 23, 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang's leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.
Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.
Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.
On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. jonyloleante, and J.B.R., 25, a.k.a. ostiator. Both of them were arrested on February 24, 2010.
Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries. Christopher Davis, CEO of Defence Intelligence, illustrates the significance of these infections: "It would be easier for me to provide a list of the Fortune 1000 companies that weren't compromised, rather than the long list of those who were."
Data stolen includes bank account details, credit card numbers, user names, passwords, etc. The digital material seized during the arrest of Netkairo and members of the DDP Team included stolen data belonging to more than 800,000 users.
The investigation is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are already estimated to be in the millions of dollars.
Analysis of Netkairo's hard disks by the police is revealing a complex network of suppliers offering a range of services, including hacking of servers to be used as control servers, encryption services to make the bots undetectable to antiviruses, anonymous VPN connections to administer the botnet, etc.
There is also a similarly complex network of clients, prepared to rent part of the botnet, to buy stolen credit cards, or pay for the installation of toolbars. The gang also stole directly from bank accounts, using money mules in the United States and Canada, and laundered money through online poker games.
Among other activities, Panda has been contacting other IT security companies to provide access to samples of the bots so that we can all detect them. As such, if you want to know if you are infected with the bot, just scan your computer with a reliable and up-to-date antivirus solution.
**************************************
Video at the website
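The measurement step in the first excerpt (point the C&C DNS records at infrastructure you control, then count what reports in) as an added example. This is not the Mariposa Working Group's or Panda's code; the check-in log format, the C&C hostnames and the sample lines are all constructed assumptions for illustration:

```python
"""Count bots reporting to a DNS sinkhole from its check-in log.

Added example; not the Mariposa Working Group's code. The log format is an
assumption: one check-in per line, as
    <ISO-8601 UTC timestamp> <source IP> <C&C hostname the bot resolved>
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample check-ins (documentation address ranges, not real bot traffic).
SINKHOLE_LOG = """\
2009-12-23T10:00:01Z 203.0.113.7 cnc1.example.net
2009-12-23T10:00:02Z 198.51.100.23 cnc1.example.net
2009-12-23T10:05:09Z 203.0.113.7 cnc2.example.net
2009-12-23T11:15:42Z 192.0.2.55 cnc1.example.net
this line is garbage and must be skipped
2009-12-24T09:30:00Z 198.51.100.23 cnc1.example.net
2009-12-24T09:31:10Z 203.0.113.8 cnc2.example.net
2009-12-24T12:00:00Z 10.0.0.5 cnc1.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Sources that cannot be a bot on the public Internet: the sinkhole's own
# monitoring hosts, misrouted RFC 1918 traffic, loopback.
EXCLUDED_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Return (date, ip, hostname) for a well-formed public check-in, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, host = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        addr = ip_address(ip)
    except ValueError:
        return None
    if any(addr in net for net in EXCLUDED_NETS):
        return None
    return when.date(), str(addr), host.lower()


def count_bots(log_text):
    """Summarise distinct reporting IPs: overall, per day, peak day, per C&C hostname."""
    all_ips = set()
    per_day = defaultdict(set)
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, ip, host = rec
        all_ips.add(ip)
        per_day[day].add(ip)
        per_host[host].add(ip)
    return {
        "total_unique_ips": len(all_ips),
        "per_day": {d.isoformat(): len(s) for d, s in sorted(per_day.items())},
        "peak_day_ips": max(len(s) for s in per_day.values()) if per_day else 0,
        "per_cnc_host": {h: len(s) for h, s in sorted(per_host.items())},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(count_bots(SINKHOLE_LOG), indent=2))
```

The summary keeps three figures apart on purpose: the cumulative count of distinct IPs grows with DHCP churn and over-counts hosts, while the distinct IPs seen in a single day are deflated by NAT (one address fronting many infected machines) and so under-count them. The peak single-day figure is the conservative reading of "how many bots were reporting"; a headline number of IP addresses, like the one in the excerpt, is the cumulative one.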
************************************EXCERPT******************************
Posted by kdawson on Wednesday March 03, @08:13AM
from the sting-like-a-butterfly dept.
AP is claiming that the botnet included systems in roughly half of the Fortune 1000 companies, scattered over 190 countries. Interesting details: none of the three principals has a prior criminal record. Although apparently hardworking, they are not uber-hackers, but rather had connections to the Spanish mafia, which apparently helped to equip them.
At the time of arrest, they were not showing signs of their significant new income level.
From the article: 'Chris Davis, CEO of Ottawa-based Defence Intelligence, said he noticed the infections when they appeared on networks of some of his firm's clients, including pharmaceutical companies and banks. It wasn't until several months later that he realized the infections were part of something much bigger.
After seeing that some of the servers used to control computers in the botnet were located in Spain, Davis and researchers from the Georgia Tech Information Security Center joined with software firm Panda Security, which is headquartered in Bilbao, Spain.
The investigators caught a few lucky breaks. For one, the suspects used Internet services that wound up cooperating with investigators. That isn't always the case.'
This piece of information should probably have been kept quiet.