Spanish Police Arrest Mariposa Botnet Masterminds

Three men who allegedly ran the Mariposa botnet that spread malicious programming to millions of PCs in 190 countries, have been arrested by Spanish security forces, who worked in conjunction with security firms Defense Intelligence and Panda Security.

“Mariposa” means butterfly in Spanish, but the actual botnet was anything but small and delicate, being one of the largest ever shut down. Targeted data included bank account details, user names and passwords, with enslaved PCs also forced into denial-of-service attacks. The ringleaders also used the botnet to sell pay-per-install toolbars and stolen credentials for online services.

According to Defense Intelligence, Mariposa managed to compromise more than 11 million unique IPs between 23 December, 2009 and 9 February. The botnet spread through a combination of instant messenger programs, P2P networks and USB keys, with Defense Intelligence observing attempts to utilise MSN Messenger to spread malicious code.

“Our preliminary analysis indicates that the botmasters did not have advanced hacking skills,” Pedro Bustamante, senior research advisor at Panda Security, wrote in a 3 March statement. “This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber-criminals to inflict major damage and financial loss.”

Defense Intelligence claims it had been tracking Mariposa since May 2009. A Mariposa Working Group of IT security personnel managed to infiltrate Mariposa’s command-and-control structure late in 2009, according to a Panda Security statement, and then used the information gleaned from analysing the botnet’s servers to initiate a co-ordinated shutdown on 23 December. Shortly after that shutdown, hackers launched a retaliatory Denial of Service attack against Defense Intelligence, which managed to knock a subset of customers for one ISP offline for a brief period.

Spanish police later arrested the three men suspected of masterminding the botnet. One of those botmasters worked during the noms de guerre “Netkairo” and “hamlet1917,” and partnered with two other individuals operating under the handles “Ostiator” and “Johnyloleante.”

“Mariposa’s the biggest ever to be shut down, but this is only the tip of the iceberg,” Mark Rasch, former head of the Justice Department’s computer crimes unit, is quoted by Reuters in a 3 March article. “These things come up constantly.”

IT companies and local governments have been moving recently to shut down botnets, which have an ever-increasing capability to compromise the personal information of millions of people. On 22 February, a federal judge in Virginia responded to a complaint by Microsoft and ordered the shutdown of 277 Internet domains associated with Waledac, a botnet supposedly responsible for infecting hundreds of thousands of computers worldwide, as well as 651 million spam emails that clogged Hotmail inboxes between 3-21 December, 2009.