Malicious virus network smashed

March 3, 2010.

Computer users - and aren't we all these days - will be pleased by the news that European investigators have smashed one of the world's biggest networks of virus-infected computers, a criminal system that stole credit cards and online banking credentials from as many as 12.7 million poisoned PCs.

Associated Press reports that the criminal botnet infected PCs inside more than half of the Fortune 1 000 companies and more than 40 major banks, according to Spanish investigators working with private computer-security firms, who have arrested three alleged ringleaders of the so-called Mariposa botnet.

This criminal enterprise surfaced in December 2008 and grew into one of the biggest perpetrators yet of cybercrime. More arrests are expected soon in other countries, investigators have revealed. More details are hoped for at a press conference scheduled for Madrid later today (Wednesday).

AP says that the arrests are significant because the masterminds behind the biggest botnets aren't often taken down. And the story of investigators' hunt for them offers a rare glimpse at the tactics used to trace the origin of computer crimes.

The suspects in the Mariposa case weren't brilliant hackers but had underworld contacts who helped them build and operate the botnet, Cesar Lorenza, a captain with Spain's Guardia Civil, told The Associated Press.

Investigators were examining bank records and seized computers to determine how much money the criminals made.

"They're not like these people from the Russian mafia or Eastern European mafia who like to have sports cars and good watches and good suits - the most frightening thing is they are normal people who are earning a lot of money with cybercrime," Lorenza said in describing the arrested persons, whom he said were ordinary Spanish citizens with no criminal records.

If convicted, those arrested could face up to six years in prison.

Authorities identified the suspects by their Internet handles and their ages: "netkairo," 31; "jonyloleante," 30; and "ostiator," 25.

The Mariposa botnet, which has been dismantled, was easily one of the world's biggest. It spread to more than 190 countries, according to researchers. It also appears to be far more sophisticated than the botnet that was used to hack into Google Inc. and other companies in the attack that led Google to threaten to pull out of China.

The researchers who helped take down Mariposa first started looking at it in the spring of 2009.

Chris Davis, CEO of Ottawa-based Defence Intelligence, said he noticed the infections when they appeared on networks of some of his firm's clients, including pharmaceutical companies and banks. It wasn't until several months later that he realized the infections were part of something much bigger.

After seeing that some of the servers used to control computers in the botnet were located in Spain, Davis and researchers from the Georgia Tech Information Security Center joined with software firm Panda Security, which is headquartered in Bilbao, Spain. Responsible Internet service companies cooperated in rooting out the people behind Mariposa - a Spanish word for butterfly.

At one stage, one of the suspects engaged in a virtual tussle over the Internet as he tried to regain control of the botnet after investigators had taken it down; the attempt backfired, as it allowed investigators to zero in on him and document his malicious activity and domains.

The cybercrooks built their botnet by distributing the virus in several ways, including instant-messaging malicious links to the contacts of users on already-infected computers, planting the virus on removable thumb drives, and spreading it through peer-to-peer networks.

"I don't think there's anything about this guy that makes him smarter than any of the other botnet guys, but the (Mariposa) software, it's very professional, it's very effective," said Pedro Bustamante, senior research adviser with Panda Security. "It came alive and started spreading and it got bigger than him."