Massive Botnet Foiled but Thousands Roam Free

The three men accused of unleashing a vicious cyberassault that infected millions of computers worldwide may now be in jail, but the damage they left behind should serve as a warning for computer users to stay vigilant.

The Mariposa botnet, a massive network of infected computers designed to steal account information, infiltrated an estimated 12.7 million personal, corporate, government and university computers causing millions of dollars in damage.

“It became a very visible botnet because of its size,” said Pedro Bustamante, a senior research advisor at the information technology security firm Panda Security, which helped with a collaborative effort to shut down the botnet and find the culprits.

Tracking Down Botmasters

Panda Security, along with Defence Intelligence and the Georgia Tech Information Security Center, spearheaded the Mariposa Working Group as a collaborative effort to track down the botmasters with other international security experts and law enforcement agencies after Mariposa was discovered last May.

The group tracked down the command-and-control structure of Mariposa to get a firsthand look at the communication channels used by the botmasters. The working group then coordinated a worldwide shutdown of the botnet on December 23.

“If [the botmasters] would have stayed low key, we probably would have never found them,” Bustamante told TechNewsWorld. “Because the botnet grew so much, we were able track them down.”

Panda Security is now helping police analyze the evidence against the accused botmasters who were arrested in Spain earlier this week.

Cybercrime Network

The accused botmasters might not have been technically sophistcated themselves, Bustamante said, but the trio had lots of connections from the underground to build and grow the botnet, steal thousands of credentials, and then launder the proceeds.

“They had a huge network of cybercrime providers,” noted Bustamante.

The main botmaster — nicknamed “Netkairo” and “hamlet1917” — has some coding skills, as do his partners “Ostiator” and “Johnyloleante,” Bustamante said. The trio created some of their own tools. However, most of their work was subcontracted out.

Mariposa injected itself into the Internet Explorer Web browser, bypassing computer firewalls, Bustamante explained. The botnet would then spread on peer-to-peer networks and through instant messaging, proceeding undetected.

“Using this very silent method, it was able to spread to millions and millions of users,” he said.

Thousands of Botnets Roaming Freely

What would have happened if the cyberattackers would have stayed under the radar and kept their operation smaller?

“This is a key question that should be asked,” Bustamante said. “Mariposa had a happy ending, but the sad reality is that there are thousands of botnets roaming freely, and no one is proactively tracking them down.”

Laws around the world need to be stronger to crack down on botmasters, said Bustamante, and the private sector needs to work with government to find and stop botnets.

“Only a small portion of them are shut down and make news,” he pointed out.

It is not uncommon for a computer to have more than one botnet lurking under the surface, and new botnets are popping up all the time.

“There is not a lot being done to prevent it from getting worse,” Bustamante said.

Purchasing Weapons to Attack Lucrative Targets

The alleged Mariposa botmasters reportedly purchased it from rogue programmers on the open market, highlighting why botnets are becoming particularly dangerous, said Randy Abrams, director of education at IT security firm ESET.

“Since sophisticated programmers are able to make this kind of software available, average people are able to use these purchased weapons to attack lucrative targets,” Abrams said, noting the trio used only a portion of the botnet’s potential.

These particular botmasters targeted high-profile companies, Abrams said, noting that more than half of the Fortune 1000 companies globally were infected, causing millions in damages.

Often, the only way to fix a computer that has been infected with suspicious software, such as a botnet, is to rebuild the computer from scratch, he said.

Companies that regularly updated their software might still have been too late to detect the Mariposa botnet, because it did not change the way a computer looked, which gave companies a false sense of security, Abrams said.

“This has really opened some eyes, especially in small-to-medium sized companies,” he remarked.

If big companies with highly trained security experts couldn’t avoid being hit, then how should smaller companies with limited IT personnel respond?

“They should recognize that they need to step up their understanding of computer security,” said Abrams.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels