Breaking the butterfly botnet
The last 12 months have seen significant success in combating one of the main forms of cybercrime - botnets.
These networks of hijacked home computers have become the basic tool for many cyber thieves. Maintaining them, finding new victims and using them has become a significant part of the net's criminal economy.
The vast majority of spam is sent out via the computers on botnets; they are used to stage attacks on websites and the machines forming them are harvested for saleable information such as credit card numbers and game logins.
Jobs for the boys
Shutting down the Mariposa, or butterfly, botnet was one of the bigger successes. It got its name because it was built using the butterfly bot kit.
Mariposa was made up of about 12.7 million computers. It was such a problem that security companies and law enforcement agencies formed a Mariposa Working Group to pool intelligence about it.
Months of co-operation resulted in the arrest in December 2009 of the three people alleged to be running the entire network.
Luis Corrons, a senior researcher at Panda Security, played a big part investigating Mariposa.
"Our main goal was to shut down the botnet and of course we wanted to take them down and find out who they were," he said. "In most cases it's impossible."
Finding out was only possible when one of Mariposa's controllers accidentally revealed the net address of his home computer.
"In this case we were really lucky," said Mr Corrons. "When I found the IP address imagine my face when I realised it was in Spain."
Not only that but one of the men behind the botnet lived a few kilometers from the Bilbao lab where Mr Corrons worked.
He assumed that the arrest and closure of Mariposa would mark the end of his involvement in the investigation.
In late March Mr Corrons was preparing for a meeting at Panda's Bilbao lab with a journalist and took a moment to dodge downstairs to get a drink. On the way down he passed two young men coming up.
One asked if he was Luis Corrons. He said yes while wondering who they were.
They introduced themselves, which left him no wiser. Then one of them said: "I'm Ostiator and this is Netkairo."
"It was then I realised these guys were the ones that were arrested in the Mariposa case," he told the BBC. "I thought they wanted to teach me a lesson."
Not so, though the truth turned out to be even stranger.
Mr Corrons took the pair to a meeting room and asked them what they wanted.
"I still could not believe it," he said. "I thought it was kind of a joke."
The two men complained that the shutdown of Mariposa had robbed them of their livelihood. They had no income or job.
So, they said, they would like to come to work at Panda Security.
"I did not want, at that moment, to say no," said Mr Corrons.
He told them that being behind the Mariposa botnet was not something that would work in their favour. Despite this advice they insisted on handing over their very brief CVs and left.
"I thought that was going to be all of it," he said.
Skill set
It wasn't. The pair began following Mr Corrons on Twitter and Netkairo started adding comments to his blog.
Soon after, Netkairo got in touch again requesting a meeting to find out whether Panda would be employing them.
Mr Corrons agreed and took a colleague along when Netkairo turned up.
They told him that neither Panda, nor any other security company, would hire anyone who had been involved with criminal activity.
"But," said Netkairo, "we've still not been charged and nobody knows we were involved with it."
Spanish police are still weighing the evidence against the Mariposa controllers as running a botnet is not a crime in Spain.
Mr Corrons then pointed out that the two men had negligible technical skills that would not recommend them to any computer company.
"He got really annoyed at that moment, when we told him he was not good enough," said Mr Corrons. Subsequent discussion revealed just how poor their skills were.
"They were given the botnet with all the stuff they needed," said Mr Corrons. "Using it was like using any other program.
"In the same way, I don't know how to program Word, but I can write documents with it," he said.
Netkairo left disappointed and Mr Corrons wondered if that would be the end of it.
"No-one has ever visited me like that before, not me or anyone else in the lab," he said.
The whole episode, said Mr Corrons, served to underline how cyber crime was changing: people with almost no technical skill could end up making a good living running one of the biggest botnets ever.
"The ones that are skilled develop the trojans and bots," said Mr Corrons. "But they are not the ones that run the networks.
"There are other criminals that do that," he said. "In some cases, like this, they are stupid and in some not."