How the butterfly botnet was broken

Luis Corrons, technical director for PandaLabs, tells ZDNet UK about the extent of the Mariposa botnet and how it was taken down
Written by Tom Espiner, Contributor

At its height, the Mariposa botnet consisted of about 13 million computers in 190 countries. A joint operation by researchers from Canadian security firm Defence Intelligence and Spain's PandaLabs, in conjunction with the FBI and the Guardia Civil, led to the arrest of three men in Spain earlier this month in connection with the Mariposa botnet.

The men, who had no specific computer training, are believed to have played a part in operating the command-and-control servers for the botnet, according to PandaLabs' technical director Luis Corrons, who spoke to ZDNet UK about 'Mariposa' — which means butterfly in Spanish — following the arrest of the three men.

Q: When did security researchers start tracking the botnet?
A: It started in May 2008. Defence Intelligence noticed companies were getting infected and found a new botnet, which was Mariposa. They started an investigation and found links to Spain. They found that some of the command-and-control servers were located in Spain. Defence Intelligence was monitoring bots that were infected and were trying to connect. Different domains seemed to be located in Spain, so Defence Intelligence contacted us.

Together, we founded a Mariposa working group and started talking to CDmon, the service provider for the infected Spanish domains. We approached them, and they said, "We are hosting what?" Once they understood their system was being used to host command-and-control servers, they were helpful. We wanted to access information [about the servers], but the service provider could not give us that information without intervention by the police.

When did the police become involved?
We gathered more information about the command-and-control servers and discovered some were in Spain and some were in the US. We decided to talk to the Guardia Civil in Spain, and Defence Intelligence talked to the FBI.

What was the extent of the botnet?
We found millions of computers spread around the world. The top country was India, but it was everywhere — [for example], in every country in Africa.

What was the next move?
We shut down the botnet. We had information that just before Christmas the bad guys would find it harder to react because they would be with their families, so we decided to change the DNS resolution on 23 December at 17:00 Spanish time.

How did changing the resolution shut down the botnet?
We changed the DNS records so every computer that belonged to the botnet reported not to the command-and-control server, but to a special place that we specified. The bots were connecting to different servers, so we changed the DNS resolution of those domains, so the bots couldn't reach real servers.

That sounds like DNS cache poisoning.
It was something like DNS cache poisoning. We called the police and had a legal order to proceed in a proper legal way with the ISPs. We changed the records in the DNS servers, with the help of the police. That was done by the FBI and the Guardia Civil.

We didn't know who was behind the botnet, because every connection to the command-and-control servers used a virtual private network (VPN). The service was from Swedish company Relakks. We weren't optimistic that we would be able to find out who they were.

How were the people who are allegedly responsible for the botnet found?
When they tried to regain control of the botnet on 23 December and connected to the command-and-control servers, one of the guys forgot to VPN in, and so we found out his IP address. That's how we knew where he was. They actually managed to regain a small part of the botnet and tried to launch a DDoS [distributed denial-of-service] attack against Defence Intelligence.

Once we had the IP address, we turned the information over to the Guardia Civil, as the IP address was in Spain. The Guardia Civil took the information and other evidence to go and take the guy from his home. They arrested him on 12 February at his house in Balmaseda, near Bilbao. At that moment he was the only person we knew about. Police forensic analysis of his computers found another two guys who belonged to the same group. They found the guys who were working with him — one near him in Galicia, and the other in Murcia.

Are there any more people in the group?
Right now, the police are still doing a forensic analysis. They think that other people are involved. They have some leads on another guy, who is not from Spain.

News reports have said that the arrested men didn't have much IT experience.
They really didn't. They bought the software to infect computers for a few hundred dollars. They knew about computers, but they weren't super-freaks, breaking into websites. None of them had criminal records. They were not rich; they did not have big houses or expensive cars, but they were not working. They got all their money from the botnet.

Did the police find anything else?
On the computer of the first guy, they found personal information, 800,000 email addresses, usernames, passwords, social networking credentials, and online banking details they had stolen.

How easy is it to take down a botnet?
This is a fight we are losing, and one I'm not sure we are going to be able to win. The internet is huge, and it's easy for criminals to hide. Mariposa was a few guys with no special knowledge, yet they built a botnet. There are a few thousand botnets running. In this case, we were lucky to find one of the guys. He made a mistake.

Microsoft, or whoever, can take down a botnet, but not the guys behind it. The next day they will just build another. It's difficult to win the battle because it's difficult to find the guys. If you are an internet criminal, most likely people will never find out who you are. I'm not very optimistic about the fight.

I belong to a group of law enforcement and security professionals, and it takes a huge effort to shut down a botnet. Imagine the [fourth member of the Mariposa gang] is in France, and we are in Spain. If you want information about this guy, it could take months. Now imagine he is in China or Russia, where sometimes there is no agreement to share data.

What is the best way forward?
Governments need to recognise this is a really serious problem. You can see with intellectual property, governments are really passionate about controlling traffic, and cutting the connection of someone downloading a Hollywood movie. Not that I agree with [unauthorised downloading of copyrighted material], but if governments took five percent of the effort and focused on real computer crimes, that would be great. Criminals are making millions from online fraud.
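The takedown Corrons describes above is a DNS sinkhole: the authoritative records for the command-and-control domains were re-pointed, with a legal order, so that every bot's lookup returned an address the researchers controlled, and the connections arriving there gave the headcount and per-country spread. The following is an added illustration of that mechanism, not code from the article, PandaLabs or Defence Intelligence. The domain names, the sinkhole address, the geolocation table and the log lines are all constructed placeholders; the real Mariposa domains are not given in the interview.

```python
# Added example (not from the article or the Mariposa working group):
# simulating the DNS sinkhole that cut bots off from their C2 servers
# and the tally of distinct bots seen at the sinkhole.
import ipaddress
from collections import Counter

# Constructed placeholders; the real Mariposa domains are not in the article.
SEIZED_DOMAINS = frozenset({"c2-one.example", "c2-two.example"})
SINKHOLE_IP = "192.0.2.10"              # TEST-NET-1, documentation-only range
NORMAL_ZONE = {"www.example": "198.51.100.5"}


def resolve_a(name, seized=SEIZED_DOMAINS, zone=NORMAL_ZONE, sinkhole=SINKHOLE_IP):
    """Answer an A query the way the re-pointed authoritative DNS would.

    Every seized domain, and every label under it, resolves to the sinkhole,
    so a bot that rotates C2 subdomains still lands on the researchers' host.
    Matching is on whole labels only, so 'evilc2-one.example' is not caught.
    Unknown names return None (the equivalent of NXDOMAIN).
    """
    qname = name.rstrip(".").lower()
    for domain in seized:
        if qname == domain or qname.endswith("." + domain):
            return sinkhole
    return zone.get(qname)


def tally_sinkhole_log(lines, geo):
    """Count distinct bots, and bots per country, from sinkhole connection records.

    Each record is 'unix_ts src_ip qname'. A bot beacons repeatedly, so source
    addresses are deduplicated; malformed lines and bad addresses are skipped.
    geo maps an IP string to a country code (a constructed stub here; in
    practice a GeoIP database would be used).
    """
    seen = set()
    per_country = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, src, _qname = parts
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue
        if addr in seen:
            continue
        seen.add(addr)
        per_country[geo.get(src, "??")] += 1
    return len(seen), per_country


# Constructed sample data, not real Mariposa telemetry.
SAMPLE_GEO = {"203.0.113.4": "IN", "203.0.113.9": "IN", "198.51.100.77": "ES"}
SAMPLE_LOG = [
    "1261587600 203.0.113.4 c2-one.example",
    "1261587660 203.0.113.4 c2-one.example",    # same bot, repeated beacon
    "1261587700 203.0.113.9 bot.c2-two.example",
    "1261587800 198.51.100.77 c2-one.example",
    "1261587900 not-an-ip c2-one.example",       # malformed, skipped
]

if __name__ == "__main__":
    print("bot.c2-two.example ->", resolve_a("bot.c2-two.example"))
    total, by_country = tally_sinkhole_log(SAMPLE_LOG, SAMPLE_GEO)
    print(f"{total} distinct bots: {dict(by_country)}")
```

Two points worth noting from the design: the sinkhole answer covers every label beneath a seized domain, because bots commonly vary subdomains, and the headcount deduplicates by source address, which is why a figure such as "13 million" is a lower bound on infected hosts behind NAT and an upper bound where addresses churn.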
