Crackdown on Mariposa: Botnet Infected 13 Million PCs


Security software firms worked with international law enforcement agencies, the FBI and the Georgia Tech Information Security Center to neutralize a massive botnet scam that ensnared more than 13 million PCs and, eventually, to arrest the three criminals who allegedly masterminded it.

The suspects, who officials say called themselves the "Nightmare Days Team" and dubbed their botnet project "Mariposa," were arrested at their Basque Country residence by Spanish authorities last month. The arrests came after a year-long investigation by local law enforcement agencies and security software vendors Panda Security, which is headquartered in Bilbao, Spain, and Defence Intelligence of Ottawa, Ontario.

Though security experts described the hacking trio as "relatively unskilled cyber criminals," they managed to use Mariposa -- the Spanish word for butterfly -- to steal login credentials for social media sites and online e-mail services, user names and passwords for banking accounts, and credit card data, by infiltrating more than 12.7 million compromised personal, corporate and government IP addresses in more than 190 countries.

Officials said the botnet was shut down on Dec. 23, 2009, after operating largely unhindered for almost a year. Mariposa accessed more than 13 million PCs in all, making it one of the largest and most destructive botnets in history.

"Our preliminary analysis indicates that the botmasters did not have advanced hacking skills," Pedro Bustamante, Panda Security's senior research advisor, said in a blog posting detailing the attacks and subsequent investigation.

"This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss."

After the Mariposa botnet was first discovered by Defence Intelligence CEO Christopher Davis in May 2009, the two security software firms joined with the Georgia Tech Information Security Center to form what they called the Mariposa Working Group. It later expanded to include the Guardia Civil, one of the two main law enforcement agencies in Spain.

"It would be easier for me to provide a list of the Fortune 1000 companies that weren't compromised, rather than the long list of those who were," Davis said.

Investigators said the hackers attacked vulnerabilities in Microsoft's Internet Explorer browser software to infect machines with the Mariposa bot client.

Once inside the machines, the botmasters installed a variety of malware applications, including keyloggers, banking Trojans such as Zeus, and remote-access Trojans, to add functionality to the zombie PCs.

Panda Security officials said the botmasters made a nice living for almost a year, selling parts of the botnet to other malware purveyors, installing pay-per-install toolbars, and selling stolen login credentials, account information and credit cards to make transactions online and in other countries.

Mariposa was spread "extremely effectively, via P2P networks, USB drives and MSN links," officials said.

"Nobody has seen anything of this size before," said Lieutenant Col. Jose Antonio Berrocal of the Spanish Civil Guard's Central Technological Unit, in a statement.

Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.