The Mariposa (“butterfly” in Spanish) botnet, which infected nearly 13 million PCs and spread to more than 190 countries, has been taken down, thus ending a global menace that affected more than half of the Fortune 1000 companies and more than 40 major banks. Three people alleged to be the botnet’s ringleaders have been arrested by authorities in Spain; more arrests are expected soon in other countries.
According to the AP report, Cesar Lorenza, a captain with Spain’s Guardia Civil, which is investigating the case, said that the three suspects are Spanish citizens with no criminal records. They weren’t hackers but had underworld contacts who helped them construct and run the botnet.
The botnet was set up to steal online login credentials for banks as well as email services from compromised Windows PCs.
Panda Security was part of the Mariposa Working Group (MWG) along with Defence Intelligence, the Georgia Tech Information Security Center and other international security experts and law enforcement agencies. MWG was formed to eradicate the botnet and bring the perpetrators to justice. According to PandaLabs blog, here’s what went down:
The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team – Nightmare Days Team in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.
Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.
On December 23 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.
Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.
Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.