[Infowarrior] - Spain busts global "botnet" masterminds

Richard Forno rforno at infowarrior.org
Wed Mar 3 14:20:36 UTC 2010

Spain busts global "botnet" masterminds
Jim Finkle
Wed Mar 3, 2010 7:40am EST
BOSTON (Reuters) - Spanish police have arrested three men accused of  
masterminding one of the biggest computer crimes to date -- infecting  
more than 13 million PCs with a virus that stole credit card numbers  
and other data.

The men were suspected of running the Mariposa botnet, named after the  
Spanish word for butterfly, Spain's Civil Guard said on Tuesday. A  
press conference to give more details is scheduled for Wednesday.

Mariposa had infected machines in 190 countries in homes, government  
agencies, schools, more than half of the world's 1,000 largest  
companies and at least 40 big financial institutions, according to two  
Internet security firms that helped Spanish officials crack the ring.

"It was so nasty, we thought 'We have to turn this off. We have to cut  
off the head,'" said Chris Davis, CEO of Defense Intelligence Inc,  
which discovered the virus last year.

The security firms -- Defense Intelligence Inc. of Canada and Panda  
Security S.L. of Spain -- did not say how much money the hackers had  
stolen from their victims before the ring was shut down on December  
23. Security experts said the cost of removing the malicious program from  
13 million machines could run into tens of millions of dollars.

Mariposa was programmed to secretly take control of infected machines,  
recruiting them as "slaves" in an army known as a "botnet." It would  
steal login credentials and record every keystroke on an infected  
computer and send the data to a "command and control center," where  
the ringleaders stored it.

"Basically they were going after anything that would make them money,"  
Davis said.

Mariposa initially spread by exploiting a vulnerability in Microsoft  
Corp's Internet Explorer Web browser. It also contaminated machines by  
infecting USB memory sticks and by sending out tainted links using  
Microsoft's MSN instant messaging software, he said.

A Microsoft spokeswoman said the company did not immediately have any  

The suspected ringleader, nicknamed "Netkairo" and "hamlet1917," was  
arrested last month, as were two alleged partners, "Ostiator" and  
"Johnyloleante," according to Panda Security.

Panda Security Senior Research Advisor Pedro Bustamante said that one  
of the three was caught with 800,000 personal credentials when Spanish  
police arrested him.

In addition to collecting data, the three men rented out millions of  
enslaved machines to other hackers, according to Bustamante.

The Mariposa botnet is one of many such networks, the bulk of which  
are controlled by syndicates that authorities believe are based in  
eastern Europe, southeast Asia, China and Latin America. While  
authorities sometimes succeed in shutting them down, they rarely catch  
the criminals behind the networks.

"Mariposa's the biggest ever to be shut down, but this is only the tip  
of the iceberg. These things come up constantly," said Mark Rasch,  
former head of the U.S. Department of Justice computer crimes unit.

He said he suspects there were more than three people behind Mariposa,  
and that any ringleaders who were not arrested could soon put the  
network back online.

(Reporting by Jim Finkle, additional reporting by Madrid newsroom.  
Editing by Robert MacMillan)
