Wednesday, March 03, 2010

Unskilled Cyber Criminals Inflict Major Damage

Last month, the Spanish Civil Guard, working in conjunction with the FBI and security firms Panda Security and Defense Intelligence, wrapped up a major cybercrime investigation involving a botnet containing 12.7 million PCs in 190 countries.

First identified in May 2009 and shut down in December, the Mariposa botnet stole login credentials for banks and email services for Windows PCs.
Mariposa (Spanish for butterfly) bonnet (sic) malware spread via P2P networks, infected USB drives, and via MSN links that directed surfers to infected websites. Once infected by the Mariposa bot client, exposed machines would have various strains of malware installed (advanced keyloggers, banking trojans like Zeus, remote access trojans, etc) by the hackers to obtain greater control of compromised systems.

The botmasters made money by selling parts of the botnet to other cybercrooks, installing pay-per-install toolbars, selling stolen credentials for online services and laundering stolen bank login credentials and credit card details via an international network of money mules. Search engine manipulation and serving pop-up ads was also part of the illegal business model behind the bonnet.

The criminal gang behind Mariposa called themselves the DDP (Días de Pesadilla or Nightmare Days) Team. They nearly always connected to the Mariposa controlled servers from anonymous VPN (Virtual Private Network) services, preventing investigators from identifying their real IP addresses.

However when the December shutdown operation happened, the gang’s leader, alias Netkairo, panicked in his efforts to regain control of the botnet. Netkairo made the fatal error of connecting directly from his home computer instead of using the VPN, leaving a trail of digital fingerprints that led to a series of arrests two months later. [...]

Domains used by Mariposa were unwittingly hosted by US ISP CDmon,which assisted security researchers and law enforcement officials in taking down the botnet.

The main botmaster, nicknamed “Netkairo” and “hamlet1917”, as well as his two alleged lieutenants “Ostiator” and “Johnyloleante” have been charged with cybercrime offences. More arrests are expected to follow.
Spanish law prevents the public release of the names of the botmasters' who, according to one researcher, do not have advanced computer skills.

No comments:

Home

eXTReMe Tracker