Facebook fights botnet as malware authors talk trash

Summary: Facebook helped to bring down the Lecpetex botnet, but not before the malware's creator left a few messages for the social network's defenders.


Facebook on Tuesday released a detailed account of how it disrupted a botnet dubbed Lecpetex, but the real insight may be the gamesmanship involved with trying to thwart malware.

The company's account highlighted how Facebook spotted Lecpetex, which was later named by the Microsoft Malware Protection Center. With help from the Greek police, Facebook aimed to stop the infections that were feeding social spam. Lecpetex was built to be resilient and to adapt to analysis and to anything else that would disrupt its mission.

Meanwhile, Lecpetex's authors continually changed the code so the botnet could send more than 20 waves of spam between December 2013 and June 2014. The techniques used by the botnet weren't terribly fancy because it's the same social engineering story: the botnet sends an attachment, the user opens it, and the computer is infected.

Facebook said it started tinkering because anti-virus software wouldn't work and then deployed tools to extract information from Lecpetex. On July 3, Greek police arrested the Lecpetex authors. The timeline is notable because it highlights how takedowns take time and companies need to continue countermeasures for a while.

Here's the timeline:

  • December 2013 - First automated identification of a spike in messages from Greece
  • April 10-17, 2014 - Coordinated takedown of technical infrastructure including C2's, distribution accounts, testing accounts, monetization accounts
  • April 30, 2014 - Referral to Greek law enforcement
  • May 2014 - Authors leave notes for us on command and control pages and in their malware; authors switch to disposable email sites and Pastebin for command and control
  • May-June 2014 - Facebook adds targeted backend measures to disrupt botnet operations
  • June 2014 - Authors add mass email spreading technique to malware (presumably after spamming via Facebook became more difficult)
  • July 3, 2014 - Greek law enforcement arrests people alleged to be primary authors
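The first entry in the timeline is an automated alert on a spike in messages from one country. The article does not describe how that detection worked, so the following is an added illustration (not Facebook's code) of the simplest form such a check can take: a per-country daily message count compared against a rolling baseline, raising an alert when a day's volume is many standard deviations above the preceding week. The sample rows, country codes and thresholds are constructed for the example.

```python
"""Per-country message-volume spike detection (added example, constructed data).

Illustrates the kind of automated baseline check that could flag a sudden rise
in messages from a single country. This is not Facebook's detection logic; the
data below is constructed so that one country (GR) jumps on the last day while
another (DE) stays flat.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one row per (day, country) with the number of messages
# sent that day. GR is stable for a week and then jumps sixfold on day 8.
DAYS = [f"2013-12-{d:02d}" for d in range(1, 9)]
GR_DAILY = [1000, 1050, 980, 1020, 990, 1010, 1030, 6000]
DE_DAILY = [5000] * 8
SAMPLE_ROWS = (
    [(day, "GR", n) for day, n in zip(DAYS, GR_DAILY)]
    + [(day, "DE", n) for day, n in zip(DAYS, DE_DAILY)]
)


def daily_series(rows):
    """Aggregate (day, country, count) rows into {country: [(day, count), ...]}
    with each country's days in chronological order."""
    per_country = defaultdict(lambda: defaultdict(int))
    for day, country, n in rows:
        per_country[country][day] += n
    return {c: sorted(d.items()) for c, d in per_country.items()}


def find_spikes(rows, baseline_days=7, threshold=4.0, min_count=100):
    """Return a sorted list of (country, day, zscore) for days whose count is
    more than `threshold` standard deviations above the mean of the preceding
    `baseline_days` days. `min_count` suppresses alerts on tiny volumes, where
    a handful of messages would otherwise look like a huge relative jump."""
    alerts = []
    for country, series in daily_series(rows).items():
        counts = [n for _, n in series]
        for i in range(baseline_days, len(counts)):
            window = counts[i - baseline_days:i]
            mu = mean(window)
            # A perfectly flat baseline has zero deviation; floor it so a
            # one-message wobble does not divide by zero and trip the alarm.
            sigma = max(pstdev(window), 1.0)
            z = (counts[i] - mu) / sigma
            if z > threshold and counts[i] >= min_count:
                alerts.append((country, series[i][0], round(z, 2)))
    return sorted(alerts)


if __name__ == "__main__":
    for country, day, z in find_spikes(SAMPLE_ROWS):
        print(f"spike: country={country} day={day} z={z}")
```

A real deployment would baseline on more than volume (new accounts per country, messages carrying the same attachment hash, recipient diversity) and would treat an alert as a trigger for analyst review rather than an automatic block, since a legitimate event can also produce a regional burst.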

Facebook highlighted the botnet authors' comments left for investigators to find:

In May we noticed the command and control servers had started leaving notes for our team such as “Hello people.. :) <!-- Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz..” Around the same time we also noticed that encryption keys used in the malware began to use phrases that appeared to be messages such as “pepeishereagain1” and “IdontLikeLecpetexName.” These changes suggested to us that the authors were feeling the impact of our efforts.

The post provides a lot of technical detail and has the same underlying message: Facebook is serious about security. The biggest takeaway for you is to know the game: Enterprises and crime fighters tout these wins and cooperative efforts to highlight security efforts. The reality is that the wins can be few and far between as the trash talk in between lines of code continues.

Topics: Security, Social Enterprise

  • Article: "Facebook is serious about security"

    Security and privacy are not orthogonal. Thus, Facebook cannot be serious about security until it becomes serious about privacy. Good luck with that.
    Rabid Howler Monkey
    • Explain

      Explain what you mean by "serious about privacy" for things you publish on a web site and how that has anything to do with security.
      Buster Friendly
      • One could write a book on this topic

        I'll restrict my reply to Facebook's misrepresentation regarding the sharing of its members' information, arbitrarily removing preexisting privacy controls, and Facebook shadow profiles.

        Facebook allowed advertisers and external application developers access to personally identifiable member information while simultaneously telling its members that it does not share such information with advertisers and external application developers. This got Facebook a 20-year consent order from the U.S. FTC for "unfair and deceptive" practices:


        Next, Facebook's arbitrary removal of privacy controls for members. Facebook removed the ability of members to hide themselves on Facebook's search:


        In this case, some people might not have signed up for Facebook initially or might have been more discriminating with the information that they chose to publish on Facebook, a web site.

        Finally, Facebook shadow profiles:

        "data Facebook has been compiling on its users behind closed doors, without their consent"

        Did you get that? Facebook members did not publish this personal information accumulated in their shadow profiles on Facebook, a web site. The information was published by other Facebook members. Shadow profiles also exist for individuals that do not have a Facebook account. Again, the personal information of non-members is accumulated in their shadow profile on Facebook. This information for non-members was published on Facebook, a web site, by Facebook members. One might be able to flaunt the Facebook TOCs at Facebook members (and this is a stretch, IMO), but this doesn't wash for Facebook non-members.

        Facebook and physical security: Women with either an abusive former-husband or former-boyfriend, as an example, may not want these people to be able to locate them. Since Facebook does not allow handles for member names (as does ZDNet), members must use their real names. Both the introduction (and, especially, Facebook's mismanagement) of shadow profiles and removal of the ability to opt-out of Facebook search decrease the physical security of a subset of its members.

        Facebook and Internet security: Information published on Facebook, especially if one is not careful about the information provided, is often used in targeted attacks on individuals and organizations as well as in advanced persistent threats on organizations. Is this user error? In some cases, yes. But not everyone on Facebook understands the linkage of privacy and security. In other cases, no (see removal of preexisting privacy controls and shadow profiles above). Now the miscreants can conduct a search for members on Facebook with, in their case, a fictitious account.
        Rabid Howler Monkey
        • More on targeted attacks

          Facebook, along with other social networking web sites, is used by miscreants to gather information on their intended victims to make social engineering-based attacks more effective.

          "What is a targeted attack?"
          Rabid Howler Monkey
  • hm