The Tech Herald

Mariposa botnet - 12.7 million bots strong - knocked offline

by Steve Ragan - Mar 3 2010, 17:20

RSA Conference 2010 – It is considered the largest botnet on record, consisting of 12.7 million hosts, including systems in large businesses, universities, government agencies, and homes in more than 190 countries. Now it’s dead.

The three people believed to be behind it are in custody, and more arrests are expected. In all, the cleanup effort and associated costs due to theft and data loss are expected to climb into the millions of dollars.

While the investigation is still ongoing, the crackdown on the Mariposa botnet is all due to resource sharing and teamwork between Panda Security, Defence Intelligence (a firm in Canada), Guardia Civil (Spanish law enforcement agency), and a single mistake made by one of the masterminds behind the botnet’s operation. The news of the crackdown started to spread earlier this morning and preliminary notes were posted by the Associated Press on Tuesday.

The short story is that the Mariposa Working Group (MWG), comprised of Defence Intelligence, the Georgia Tech Information Security Center, and Panda Security, along with other international security experts and law enforcement agencies, fixed their sights on the massive botnet after its discovery in 2009. It took a while, but the investigation paid off and ended in the closure of the domains controlling the bots, and the arrests of three of the people responsible for operating it. More arrests are expected as the case moves forward.

Christopher Davis, CEO for Defence Intelligence, who first discovered the Mariposa botnet, explains: "It would be easier for me to provide a list of the Fortune 1000 companies that weren't compromised, rather than the long list of those who were."

According to Panda’s Luis Corrons, the botnet’s purpose was financial gain.

The main botmaster, nicknamed “Netkairo”, as well as his immediate partners, “Ostiator” and “Johnyloleante”, used the infected systems to harvest financial information. (Spanish authorities have not released their full names.)

The real money came from selling parts of the botnet, installing pay-per-install toolbars, selling stolen credentials for online services, and using the stolen banking credentials and credit cards to make transactions to overseas mules.

Late last year, the MWG started to track the C&C (Command and Control) servers used by Mariposa, and eventually gained control over the entire botnet. “Netkairo”, unhappy with the loss, worked furiously to regain his bots, and at one point launched a retaliatory Denial-of-Service attack on Defence Intelligence, using every single bot, seriously impacting an ISP and leaving universities and various government agencies without Internet access.

During the struggle for control over the botnet with the MWG, “Netkairo” committed a single mistake; he used his home computer to connect to one of the C&C servers. This eventually led Guardia Civil straight to his door. After his arrest, law enforcement seized materials related to the investigation, discovering financial data and sensitive information harvested by the botnet.

According to Panda, the stolen data included bank account details, credit card numbers, user names, passwords, etc., belonging to more than 800,000 users. Further investigations have revealed a “complex network of suppliers offering a range of services”, Panda said.

Such services included server cracking to create more C&C systems, encryption services, anonymous VPN connections, and more.

“There is also a similarly complex network of clients, prepared to rent part of the botnet, to buy stolen credit cards, or pay for the installation of toolbars. The gang also stole directly from bank accounts, using money mules in the United States and Canada, and laundered money through online poker games,” Corrons adds.

Pedro Bustamante, senior research advisor at Panda Security, noted that the three arrested did not have “advanced hacking skills.”

It’s alarming, he said, because it proves how effective malware distribution has become, essentially “empowering relatively unskilled cyber criminals to inflict major damage and financial loss.”
