Mariposa can no longer create a storm
The backstory of the long hard fight against a botnet was carried by PandaLabs:
In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed “Mariposa”. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record.
Initial steps involved the creation of the Mariposa Working Group (MWG), comprising Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with other international security experts and law enforcement agencies. The aim was to set up a task force to eradicate the botnet and bring the perpetrators to justice.
The aim, in all cases, was clearly to profit from the botnet. The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team – Nightmare Days Team in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.
Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.
On December 23 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.
Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.
On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator”. Both of them were arrested on February 24, 2010.
And that leads to today’s news from Computer World
Slovenian police will hold a press conference on Friday to discuss the arrest of three men in connection the massive Mariposa botnet that was disabled late last year.
A 23-year-old man was arrested in Maribor, Slovenia, about 10 days ago, said Leon Keder, press officer for the Slovenian National Police. He has been released but is expected to be charged with computer-related crimes, Keder said. The U.S. Federal of Bureau of Investigation confirmed the arrest on Wednesday morning.
Two others were also arrested. Their names can’t be released due to restrictions under Slovenian law, Keder said.
Millions of computers worldwide were infected with the Mariposa botnet code, which allowed hackers to siphon information from those machines and launch denial-of-service attacks against others.
FBI Director Robert S. Mueller said in March that Mariposa had infected the computers of Fortune 1000 companies and major banks. Mariposa’s authors changed the botnet’s code as frequently as every 48 hours in order to go undetected by security software.
According to the FBI, the Slovenian Criminal Police identified and arrested a 23-year-old known as “Iserdo,” who stands accused of creating malware known as “Butterfly Bot” that was used to build the Mariposa botnet. Mariposa is believed to have infected between 8 million and 12 million computers. The malware’s target: credit card and bank account information, as well as passwords for Websites and financial institutions.