Police arrest Mariposa botnet masters, 12M+ hosts compromised

Summary: Spain's Ministry of Interior has arrested 3 botnet masters operating a botnet of 12M+ infected hosts that stole sensitive data from 800,000 users across 190 countries, including users at Fortune 1000 companies and 40 major banks.


According to a statement published by the Spanish Ministry of Interior, the botnet masters behind a 12M+ infected hosts botnet dubbed Mariposa were arrested in a cooperative effort between law enforcement, security vendors and the academic community.

Following the arrest of one of the botnet masters, law enforcement officers seized sensitive data belonging to 800,000 users across 190 countries, and found evidence of infected hosts within the networks of 500 of the US Fortune 1,000 companies and more than 40 major banks.

Just how sophisticated were the botnet masters behind Mariposa? You'll be surprised to find out.

  • On December 23 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN. Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.

The initial reports describe the group as not particularly technically sophisticated "normal people" making a lot of money through cybercrime. A logical question emerges: how can a group of "normal people" build such a massive botnet? By outsourcing.

The name Mariposa actually means butterfly, which is the original name of a commercially distributed DIY malware kit, sold online for 800/1,000 EUR, unless of course the arrested botnet masters were using a pirated version, which is, ironically, a common practice within the cybercrime ecosystem these days. What's particularly interesting about the malware is that it uses its own UDP-based protocol for C&C communication, which according to the original author was designed with stealth in mind, since UDP connections are rarely logged.
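The stealth argument cuts both ways: where flow or firewall logs do record UDP, a bot checking in with one endpoint at a steady interval is easy to surface. The script below is an added example, not code from the article or from any Mariposa analysis; it flags periodic UDP flows in constructed flow records, and the addresses, port, interval and log format are all assumptions.

```python
"""Periodic-UDP beacon finder over constructed flow records (added example).
Mariposa used a custom UDP protocol because UDP is rarely logged; where flow
logs do cover UDP, a host calling one endpoint at a fixed interval stands out.
Addresses, port and timestamps below are constructed, not Mariposa indicators."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: "epoch proto src dst dport bytes"
FLOW_LOG = """\
1000 UDP 192.0.2.10 198.51.100.7 3074 120
1001 UDP 192.0.2.10 192.0.2.1 53 80
1060 UDP 192.0.2.10 198.51.100.7 3074 118
1120 UDP 192.0.2.10 198.51.100.7 3074 121
1180 UDP 192.0.2.10 198.51.100.7 3074 119
1240 UDP 192.0.2.10 198.51.100.7 3074 120
1005 TCP 192.0.2.11 203.0.113.5 443 5100
1010 UDP 192.0.2.11 203.0.113.9 5000 300
1300 UDP 192.0.2.11 203.0.113.9 5000 310
2100 UDP 192.0.2.11 203.0.113.9 5000 290
2105 UDP 192.0.2.11 203.0.113.9 5000 305
"""

def parse_flows(text):
    """Parse flow lines into (epoch, proto, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, proto, src, dst, dport, _size = line.split()
            flows.append((int(ts), proto, src, dst, int(dport)))
    return flows

def find_udp_beacons(flows, min_flows=4, max_jitter=0.1, ignore_ports=(53,)):
    """Return {(src, dst, dport): mean interval} for UDP flows recurring at a
    near-constant interval (coefficient of variation of the inter-arrival
    times <= max_jitter). DNS is skipped by default because it is too noisy."""
    by_key = defaultdict(list)
    for ts, proto, src, dst, dport in flows:
        if proto == "UDP" and dport not in ignore_ports:
            by_key[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = period
    return beacons
```

In the constructed sample only 192.0.2.10's 60-second check-ins to 198.51.100.7:3074 are reported; the irregular UDP flows from 192.0.2.11 are not.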

Moreover, the bot has the anti-debugging features typical of modern malware releases, as well as built-in DDoS functionality relying on TCP and UDP flood tactics. The three main propagation vectors are MSN, removable media and P2P file sharing, targeting the following networks: Ares, Bearshare, Imesh, Shareaza, Kazaa, Dcplusplus, Emule, Emuleplus, Limewire.

Just like the majority of commercial DIY malware releases, this one also includes a disclaimer attempting to position it as a "tool for educational purposes only", with the DDoS option itself described as a tool for "stress testing" your own infrastructure. Also, despite the initial claims that the "mastermind of 'botnet' scam remains a mystery", commercial releases by the original coder of the bot have been circulating in the underground marketplace since 2007. With the recent bust of his customers, he'll definitely be keeping a low profile for a while.

The Mariposa botnet is the tip of the iceberg in respect to DIY botnets (Research: Small DIY botnets prevalent in enterprise networks; Inside the botnets that never make the news - A Gallery) built using commercially or freely available malware kits.

What this incident proves is that not only is cybercrime becoming easier to outsource in 2010, but also, that even inexperienced people can quickly gain access to capabilities once reserved for sophisticated attackers.

Topics: Malware, Networking, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

66 comments
  • This story is already old, but...

    thanks for the illustrations, they make it more interesting!
    JCitizen
  • How to identify the targets?

    Have you found any test to identify the infected
    computers?
    Jevans47
  • This site is relatively bot-spam free.

    I don't see these spam posts too often so I'd say ZDNet is doing a pretty good job. Now if we could only get rid of the Redmond bots. ;-) J/K
    storm14k
    • Now if we could only get rid of the Redmond bots. ;)

      Hear! Hear!

      lol... :D
      Wintel_BSOD
      • Here's at least one example. (nt)

        .
        Lester Young
    • Except for that produced by the ABMbots

      Anybody we know?
      Lester Young
  • What is more baffling, however...

    ... is that Spammers seem to think that if they can just manage to bypass all the layers of defenses set up to stop their unending stream of sewage, the recipients will throw their hands up with glee and scream "Hallelujah, I am so glad this ad for counterfeit clothing got through to me, because I've always wanted fake-branded clothing!!!"

    And yes, I know that if they keep doing it, it must be because someone is stupid enough to do business with a Spammer.

    They've destroyed usenet, made email a pain in the ass, and are now working on message boards and social networking sites.

    They're all scum, and if they all died tonight I wouldn't shed a tear.
    Hallowed are the Ori
    • Scum, scum, scum, scum...

      Oh how I relish the days of usenet and spam free email.. and right.. there wouldn't be spam if there weren't gullible jacka$$es who were buying this crap.. and BTW.. Who wears Ed Hardy? Ed Hardy is for douchebags!

      Funny story.. I met a programmer a couple of days ago at a coffee shop. When i asked what kind of apps he writes, he told me he writes email harvesting apps. I instantly had this visual of shoving my fist down his throat and pulling his heart out through his esophagus. Instead, I "accidentally" spilled my coffee on him!
      wasabitobiko
    • That's What I'm Saying

      But, what is going on? People REALLY shop this way?
      I guess these are the same people who believe they really had a South African relative leave them several godszillion dollars. A South African relative they never knew about, at that. And I guess the fact it's sent to "undisclosed recipients" isn't enough of a clue that being the "last known relative" is bull. lol.
      LegendsOfBatman
      • I assume it's 1 in a million

        If these guys reach 1 person in a million perhaps they actually can make money that way. It's hard to believe people are that stupid, but remember IQ's. If the average is 100, and we're all above average here, that means there are a lot of dimwits out there.

        The sad thing is the number of banks and real businesses that have infected computers. Their executives should be held accountable to their shareholders. If they have a virus infection it should be reported with their quarterly results. It's not always IT that's to blame, since it's the executives that make the policies and hold back IT sometimes.
        SMparky
      • Barnum's Principle

        There's a sucker born every minute. Simple as that.
        AndyPagin
        • This way to the egress !!

          Re: Barnum.
          gjl229@...
  • Interesting.

    Could you please clarify which platform(s) this easy-enough-for-the-average-joe-blow-to-use backdoor affects?
    AzuMao
    • Let me guess..

      Another overzealous Linux user?.. Of course they're attacking MS crap but you do realize that if Linux or MacOS held enough share of the market, someone would find a way to exploit those OS's as well..

      And for the record.. I use Linux on my home server and would use it on all my machines if it weren't such a PITA to set up..

      One GUI installer for all Linux platforms and Linux could gain significant market share.
      wasabitobiko
      • Asking an open ended question is zealotry? I'm sorry then. Forget I asked.

        AzuMao
      • The Old Moronic Marketshare argument again

        Microsoft is not hacked because of its market share, it's hacked because it's weak.

        Look at Apache, dominant market share, relatively few hacks compared to IIS, which has less market share.
        thedavidmckenzie
        • Show us the data.

          You can't substantiate that and you know it.
          Lester Young
        • O Rly?

          I guess you've never checked zone-h.com. Look at the archives of hacked sites. It is generally accepted that IIS runs on about 25% of servers, while Apache runs on about 50%. Yet, there are a bit less Windows servers compromised than the ratio would indicate.

          Why is it that Linux sites are compromised more than twice as often then, according to the site statistics?
          PlayFair
          • Thanks

            That's worth a bookmark.
            Lester Young
          • Where on zone-h.com does it say..

            ..how many % of servers were hacked due to a vulnerability in IIS vs how many % were hacked due to a vulnerability in Apache?

            All I see are countless pages of "site X was visibly defaced", "site Y was visibly defaced", etc.

            It doesn't seem to say anywhere on that site how many were noticeably defaced per webserver. It also doesn't seem to say how the noticeable defacement occurred (was it a vulnerability in the OS? In the webserver? In a scripting language? In some unrelated program the owner was running? A weak password being guessed? A weak admin giving out the password???), and the only thing it lists anywhere on the whole website are noticeable defacements. Meaning when some script kiddie replaces the front page with "HAHAHA PWNT", not when someone hacks into the server and steals all the data on it or anything like that.

            Completely useless.
            AzuMao