Massive botnet shutdown by Guardia Civil
Collaborative cybercrime investigation results in three arrests, more pending
Personal and financial data compromised from massive cyber attack impacting nearly 13 million unique IP addresses, 50 percent of Fortune 1000 companies
Preliminary damages estimated to be in the millions of dollars
According to IT security firms Panda Security and Defence Intelligence, the Mariposa botnet, a massive network of infected computers designed to steal sensitive information, has been shutdown and three suspected criminals accused of operating the botnet have been arrested by Spanish law enforcement. Mariposa stole account information for social media sites and other online email services, usernames and passwords, banking credentials, and credit card data through infiltrating an estimated 12.7 million compromised personal, corporate, government and university IP addresses in more than 190 countries. The botnet was shutdown and rendered inactive on December 23rd, 2009 thanks to the collaborative effort of different security experts and law enforcement, including Panda Security, Defence Intelligence, the FBI and Spanish Guardia Civil.
With almost 13 million compromised computers, Mariposa is one of the largest botnets ever reported on record. Christopher Davis, CEO for Defence Intelligence, who first discovered the Mariposa botnet, explains: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were.”
Following the discovery of Mariposa’s existence in May 2009, Defence Intelligence, Panda Security and the Georgia Tech Information Security Center spearheaded the Mariposa Working Group as a collaborative effort with other international security experts and law enforcement agencies to eradicate the botnet and bring the perpetrators to justice. The main botmaster, nicknamed “Netkairo” and “hamlet1917?, as well as his immediate botnet operator partners, “Ostiator” and “Johnyloleante”, were arrested earlier this month.
Pedro Bustamante, senior research advisor at Panda Security, said: “Our preliminary analysis indicates that the botmasters did not have advanced hacking skills. This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss. We’re extremely proud of the coordinated effort made by all of the Mariposa Working Group members and the speed at which we were able to bring down this massive botnet and the criminals behind it.”
Late last year, the Mariposa Working Group infiltrated the command-and-control structure of Mariposa to observe the communication channels used by the suspected botmasters. These channels relay information from the compromised computers to the perpetrators and are commonplace, similar to those used by the Zeus, Conficker and Koobface botnets or as shown recently in the Google/Aurora operation. After analyzing the main command-and-control servers the Working Group was able to facilitate the coordinated worldwide shutdown of the Mariposa Botnet on December 23rd. Panda Security is currently leading a comprehensive analysis of the malware, as well as coordinating international communication among other antivirus companies to ensure that their signatures are updated.
