Slashdot Mirror


Mariposa Botnet Beheaded

northernboy and many other readers sent news of the beheading of the Mariposa botnet with three arrests in Spain. "Defense Intelligence of Ottawa working with ISPs and Spanish authorities have taken down yet another > 12M PC botnet, called Mariposa. The three top-level operators are in custody, but remain anonymous under Spanish law (how quaint: apparently in Spain, the accused have some right to privacy). AP is claiming that the botnet included systems in roughly half of the Fortune 1000 companies, scattered over 190 countries. Interesting details: none of the three principals has a prior criminal record. Although apparently hardworking, they are not uber-hackers, but rather had connections to the Spanish mafia, which apparently helped to equip them. At the time of arrest, they were not showing signs of their significant new income level. From the article: 'Chris Davis, CEO of Ottawa-based Defence Intelligence, said he noticed the infections when they appeared on networks of some of his firm's clients, including pharmaceutical companies and banks. It wasn't until several months later that he realized the infections were part of something much bigger. After seeing that some of the servers used to control computers in the botnet were located in Spain, Davis and researchers from the Georgia Tech Information Security Center joined with software firm Panda Security, which is headquartered in Bilbao, Spain. The investigators caught a few lucky breaks. For one, the suspects used Internet services that wound up cooperating with investigators. That isn't always the case.'"

17 of 177 comments

  1. Re:Another... by someone1234 · · Score: 4, Funny

    This was done much better than the previous one done by Microsoft. Catching the human masters and putting them in "federal pound me in the ass prison" is the right solution to this problem.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  2. apparently in Spain, the accused have privacy by captainpanic · · Score: 5, Insightful

    From TFA:

    how quaint: apparently in Spain, the accused have some right to privacy

    That's because in Spain you're not guilty until proven guilty by a court of law. The days of the Spanish inquisition are over.

    What country doesn't protect its accused in the 21st century?

    1. Re:apparently in Spain, the accused have privacy by realityimpaired · · Score: 4, Informative

      In both the USA and Canada, you're allowed to publish the names of the accused as long as they're adults. The accused need to request that the court protect their anonymity by ordering that their names not be published until after the trial, and the court maintains the right to deny that request.

      For juvenile offenders, it's a different story... young offenders must always be referred to by pseudonym to protect their anonymity, and their records are expunged when they turn 18. Unless, of course, they're tried as adults, which has been known to happen in cases of violent crime.

    2. Re:apparently in Spain, the accused have privacy by bhamlin · · Score: 5, Funny

      The days of the Spanish inquisition are over.

      I wasn't expecting that...

    3. Re:apparently in Spain, the accused have privacy by julesh · · Score: 4, Informative

      Of course, we are talking about botnet script-kiddies after all, so who's to say these upstanding individuals aren't actually minors as well?

      The Cnet article provides their ages, which range from 25 to 31.

    4. Re:apparently in Spain, the accused have privacy by stiggle · · Score: 4, Insightful

      Keeping those accused anonymous to the public until the conviction helps prevent jury prejudice from what they see in the media.

      How can you expect a jury not to be influenced by what they see in the media before they sit for the trial?

    5. Re:apparently in Spain, the accused have privacy by Culture20 · · Score: 5, Informative

      In the U.S. press, it would be portrayed as:
      "Three alleged EVIL HACKERS were arrested today for allegedly HACKING MILLIONS OF COMPUTERS! ZOMG!" And then they'd go to the person's home, and knock on the door. If no one answered, that would be taken as damning evidence by the reporter. If a family member came to the door but said the accused wasn't there, that would be taken as damning evidence by the reporter. If the accused were seen and questioned, but said they couldn't comment on the case, that would be taken as damning evidence by the reporter. If a dog farted, that would be taken as damning evidence by the reporter...
      allegedly

    6. Re:apparently in Spain, the accused have privacy by Archon-X · · Score: 4, Insightful

      Which is done, of course, with the understanding that these people are again innocent as they have not been proven otherwise. Since they are innocent, there is nothing for them to be embarrassed about, and no reason not to publish their names.

      Unless they stand accused of something embarrassing, like: rape, paedophilia, fraud, beating up grandmas, etc.

  3. W32.Pilleuz by sleekware · · Score: 4, Informative

    Discovered: September 29, 2009
    Updated: September 30, 2009 8:32:32 AM
    Also Known As: W32/Autorun.worm!a758e0e7 [McAfee], W32/Rimecud [McAfee], W32/Autorun-AUP [Sophos], ButterflyBot.A [Panda Software]
    Type: Worm
    Infection Length: 109,056 bytes
    Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

    W32.Pilleuz is a worm that spreads through file-sharing programs, Microsoft instant messaging clients and removable drives. It also opens a back door on the compromised computer.

    Currently, W32.Pilleuz has been most commonly referred to as the Mariposa or Butterfly botnet.

    Source: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99
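
The Symantec writeup above lists W32.Pilleuz under McAfee's "W32/Autorun.worm" family and names removable drives as one spreading vector. The classic mechanism behind that family name is a dropped autorun.inf whose open=, shellexecute= and shell\...\command= keys launch a payload when the drive is inserted. The following checker is an added example, written here and not taken from the page, Symantec, or Panda; it assumes that generic autorun.inf mechanism, since the page does not document the exact file Pilleuz writes, and the two autorun.inf samples it contains are constructed for illustration, not captured from an infection.

```python
"""Flag autorun.inf files of the kind Autorun worms drop on removable drives.

Added example; assumes the generic autorun.inf launch keys (open=, shellexecute=,
shell\\<verb>\\command=) rather than anything specific to W32.Pilleuz.
"""
import re

# Keys whose value Windows would execute on insertion or on double-click of the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Directories an executable has no business living in on a removable drive.
SUSPICIOUS_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js")
# Text worms put in action= so the launcher masquerades as Explorer's own AutoPlay entry.
SPOOFED_ACTION = "open folder to view files"

# Constructed samples (not real captures).
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Vendor Drivers
"""

SUSPICIOUS_AUTORUN = r"""[AutoRun]
;garbage padding lines like this are common in worm-written files
open=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
shell\explore\command=RECYCLER\update.exe
shellexecute=RECYCLER\update.exe
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return {section: {key: value}} for INI-style autorun.inf text.

    Hand-rolled rather than configparser so that junk lines without '=' and
    '%' characters (which configparser treats as interpolation) are tolerated.
    Section and key names are lower-cased because Windows matches them
    case-insensitively.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launched_targets(sections):
    """Every (key, command) pair the [autorun] section would run."""
    return [
        (key, value)
        for key, value in sections.get("autorun", {}).items()
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)
    ]


def assess(text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    sections = parse_autorun(text)
    for key, value in launched_targets(sections):
        lowered = value.lower().strip('"')
        if any(d in lowered for d in SUSPICIOUS_DIRS):
            findings.append(f"{key} launches from a hidden/system directory: {value}")
        elif lowered.endswith(EXEC_EXT):
            findings.append(f"{key} launches an executable: {value}")
    action = sections.get("autorun", {}).get("action", "").lower()
    if findings and action == SPOOFED_ACTION:
        findings.append("action= mimics Explorer's 'Open folder to view files' entry")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, assess(sample) or "clean")
```

Run it against the autorun.inf at the root of any mounted removable drive; a file with only icon= and label= keys is what a legitimate vendor ships, whereas any launch key pointing into RECYCLER or similar directories is the signature to act on.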

  4. Re:Dumb Criminals by julesh · · Score: 5, Funny

    If I ever had to 'go rouge' I feel that I could last for years just off of common sense alone by using different public computers in a place with no cameras.

    I think I might do the same if I ever go "rouge".

  5. Re:Different article/same topic by FyRE666 · · Score: 4, Interesting

    "What gives these bloody do-gooders the authority to "take over" other people's servers?"

    The same authority I have to "take over" someone's car keys if I see them staggering out of a bar, and fumbling around to find the lock on their door while throwing up all over the hood. If you're acutely aware, and certain, that your non-action is allowing an illegal activity to take place then why not intervene? The problem today is that too many people just stand there like idiots doing nothing in the face of evil or criminal activity. The fact the servers these shitbags were using were probably compromised, or funded by illegal activities is neither here nor there.

  6. Re:Different article/same topic by ConceptJunkie · · Score: 4, Insightful

    The most common things people do when they are witnesses to someone committing an illegal activity is re-elect him.

    --
    You are in a maze of twisty little passages, all alike.
  7. If ISPs helped... by Nicopa · · Score: 4, Interesting

    If ISPs helped authorities with these things, there wouldn't be botnets, nor spam. Many attempts at preventing spam stop at their refusal to help. It would be nice to force them by law to cooperate with spam-fighting efforts. Sadly, laws to force them to cooperate in fighting "piracy" seem to pass more easily... =/

  8. Re:Another... by entrigant · · Score: 5, Insightful

    What the hell is wrong with you two? The only situation in which I can find this even remotely acceptable is in response to verified abuse complaints, and even then the appropriate resolution is to attempt to contact the customer, then disable the entire connection if the customer is unable to resolve the issue. Depending on the severity you don't necessarily need to do it in that order.

    I'm leasing an internet connection. You route IP packets destined for my address directly to me, and you route any and every IP packet I send to the appropriate next hop. The end. No ifs, ands or buts. No blocked ports, no traffic shaping, no injected TCP resets... nothing. Just route the damn traffic.

  9. Re:Another... by NormalVisual · · Score: 4, Informative

    Did you not read the parent's comment about having ports opened on request before you decided to start flinging the ad homs? The vast majority of home users don't grab their mail from remote servers via POP or IMAP (POP is on port 110, not 25, BTW), and the vast majority of Yahoo and Google mail is delivered via their web interface.

    Jesus Christ, use a little bit of critical thought before nerdraging.

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas
  10. Penalty for 12 million botnet = 6 years by guanxi · · Score: 4, Interesting

    Here's one reason botnets thrive: in addition to the fact that the perpetrators are likely to get away with it, per one article, "They face up to six years in prison if convicted of hacking charges."

    6 years max? For hacking 12 million computers? Ignoring the intrusions, how much did it cost the victims in labor and downtime to fix it? Hundreds of millions? And add to that the damage they did with the botnet; I don't know what this one did, but it could be spam, DDoS attacks, stolen personal info, extortion, etc.

    Also, I still don't understand why the U.S. government doesn't treat these wide-spread, expensive crimes as a priority. Given the scale of these crimes, there should be a large task force pursuing them. I get the sense they are looked on as computer problems, not crimes.

  11. At Least The Group At Georgia Tech Gets It by damn_registrars · · Score: 4, Insightful

    I've heard of this group before. They are one of the few who actually understand what really needs to be done to make an impact on the spamming epidemic. Rather than building enormous black/white lists or developing ever more CPU-intense filtering algorithms, they are actually going after the sources. They identify where spam is actually originating - that is, the spamvertising domains, not the spamvertised domains - and figure out how to shut it down. They are finding where the botnets and their requisite domains can be targeted and getting the work done. And they are doing it within the confines of a civilized society, rather than as the bloodthirsty mercenaries that so many people here are calling for regularly.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.