Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 3rd, 2010

Law Enforcement Agencies In Spain And USA Dismantled One Of The Largest Botnets In History

International cooperation between law enforcement agencies in Spain and the U.S., as well as several security companies, led to the arrest of three Spanish citizens who controlled one of the largest botnets in history. Dubbed Mariposa, the army of zombie computers connected from more than 12 million unique IP addresses.

The Mariposa (Butterfly in English) botnet was identified in May 2009 by researchers from a Canadian information security company named Defence Intelligence. The malware behind the botnet is an information-stealing trojan, of which more than 200 variants have been seen to date.

In order to investigate and track the threat more efficiently, security experts from various organizations, including Defence Intelligence, the Georgia Tech Information Security Center and Spanish antivirus vendor Panda Security, established the Mariposa Working Group (MWG). The group closely cooperated with the FBI and its Spanish counterpart, La Guardia Civil (the Civil Guard).

The experts managed to hijack the botnet in December, but the cyber-criminals, who called themselves the Días de Pesadilla Team (the Nightmare Days Team), regained control and retaliated with crippling Distributed Denial of Service (DDoS) attacks. A second, more successful takeover allowed researchers to count the number of IP addresses trying to access the Command and Control (C&C) servers and get an idea of the threat’s true scope.

“We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history,” notes Luis Corrons, technical director of PandaLabs, Panda Security’s malware intelligence laboratory. It was also discovered that the gang leased parts of the botnet to other cyber-crooks or sold DDoS services.

In addition, on the infected computers, the trojan displayed rogue ads while the user browsed the Web and altered Google search results. It also stole personal and financial information, such as online banking credentials and other usernames and passwords.

The authorities were able to identify F. C. R., a 31-year-old bot herder known online as “Netkairo,” after he slipped and accidentally revealed his home IP address. He was arrested by the Spanish Civil Guard in his home town of Balmaseda last month.

Data collected from Netkairo’s computer led to the capture of two accomplices, identified only as J. P. R., 30, a.k.a. “jonyloleante”, and J. B. R., 25, a.k.a. “ostiator.” A fourth co-conspirator is believed to be located in Venezuela.

Stolen information belonging to 800,000 users was also found, as well as data belonging to companies, government institutions and educational organizations in 190 countries. “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were,” commented Defence Intelligence’s CEO Christopher Davis.

Credit: News
