Mariposa botnet masters arrested, 12M+ hosts compromised

According to a statement published by the Spanish Ministry of Interior, the botnet masters behind a 12M+ infected hosts botnet dubbed Mariposa, were arrested in a cooperative effort between law enforcement, security vendors and the academic community.

Following the arrest of one of the botnet masters, law enforcement officers seized sensitive data belonging to 800,000 users across 190 countries, and found evidence of infected hosts located within the networks of 500 of the US Fortune 1,000 companies and more than 40 major banks.

Just how sophisticated were the botnet masters behind Mariposa? You’ll be surprised to find out.

• On December 23 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As  mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN. Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.

The initial reports describe the group as not so technically sophisticated “normal people” making a lot of money through cybercrime. A logical question emerges - how is it possible that a group of “normal people” can build such a massive botnet? By outsourcing.

http://blogs.zdnet.com/security/?p=5587&tag=nl.e539