
Butterfly botnet's wings clipped, after infecting 13m PCs

Security

By Reuters

Posted on 3 Mar 2010 at 08:11

Spanish police have arrested three men accused of masterminding one of the biggest computer crimes to date.

The Mariposa botnet - named after the Spanish word for butterfly - infected more than 13 million PCs with a virus that stole credit card numbers and other data.

Mariposa had infected machines in 190 countries in homes, government agencies, schools, more than half of the world's 1,000 largest companies and at least 40 big financial institutions, according to two internet security firms that helped Spanish officials crack the ring.

"It was so nasty, we thought 'We have to turn this off. We have to cut off the head,'" said Chris Davis, CEO of Defense Intelligence, which discovered the botnet last year.

The security firms - Defense Intelligence of Canada and Panda Security of Spain - didn't say how much money the hackers had stolen from their victims before the ring was shut down on 23 December. Security experts said the cost of removing the malicious program from 13 million machines could run into tens of millions of dollars.

Mariposa was programmed to secretly take control of infected machines. It would steal login credentials and record every keystroke on an infected computer and send the data to a "command and control center," where the ringleaders stored it. "Basically they were going after anything that would make them money," Davis said.

Mariposa initially spread by exploiting a vulnerability in Internet Explorer. It also contaminated machines by infecting USB memory sticks and by sending out tainted links via Microsoft's MSN instant messaging software.

A Microsoft spokeswoman said the company did not immediately have any comment.

Ringleaders arrested

The suspected ringleader, nicknamed "Netkairo" and "hamlet1917," was arrested last month, as were two alleged partners, "Ostiator" and "Johnyloleante," according to Panda Security.

Panda Security Senior Research Advisor Pedro Bustamante said that one of the three was caught with 800,000 personal credentials when Spanish police arrested him.

In addition to collecting data, the three men rented out millions of enslaved machines to other hackers, according to Bustamante.

The Mariposa botnet is one of many such networks, the bulk of which are controlled by syndicates that authorities believe are based in eastern Europe, southeast Asia, China and Latin America. While authorities sometimes succeed in shutting them down, they rarely catch the criminals behind the networks.

"Mariposa's the biggest ever to be shut down, but this is only the tip of the iceberg," said Mark Rasch, former head of the U.S. Department of Justice computer crimes unit. "These things come up constantly."

He suspects there were more than three people behind Mariposa, and that any ringleaders who were not arrested could soon put the network back online.


User comments

So my Mac was OK then?

By kaneclem on 3 Mar 2010

"So my Mac was OK then?" - By kaneclem on 3 Mar 2010

Yawn ...

By clen_peapus on 3 Mar 2010

Ever wonder why there are no viruses for MACS? I'll tell you why! It's for the same reason hackers don't make viruses for calculators or Casio watches because they're technologically inferior unsophisticated toys! Not cos they can't as was proven some months back when someone did make a virus just to prove the point.

By anthonysjones on 3 Mar 2010

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
