March 4, 2010

Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.

According to Spanish security firm Panda Security, the massive botnet, dubbed “Mariposa” (Spanish for “butterfly”), was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using money mules in the United States and Canada, and laundered stolen money through online gambling Web sites. (Pictured above is a screen shot of the Web site the men created, where would-be Mariposa customers could visit for information on purchasing access to the botnet and other criminal services.)

Panda said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries. Spanish police estimate that at least 600,000 of the victimized PCs belong to Spanish citizens, and yet they concede it may be extremely challenging to put the men in jail if they are convicted at trial.

“It is almost impossible to be sent to prison for these kinds of crimes in Spain, where prison is mainly for serious crime cases,” said Captain Cesar Lorenzana, deputy head of the technology crime division of the Spanish Civil Guard. “In Spain, it is not a crime to own and operate a botnet or distribute malware. So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”

Spain is one of nearly three dozen countries that are signatories to the Council of Europe’s cybercrime treaty, but Spanish legislators have not yet ratified the treaty by passing anti-cybercrime laws that would bring its judicial system in line with the treaty’s goals.

The Mariposa botnet takedown was orchestrated by a working group comprising Panda, the Georgia Tech Information Security Center, and Canadian security firm Defence Intelligence, which first detailed the workings of the botnet in a white paper released in May 2009.

On Dec. 23, 2009, the working group was able to “sinkhole” the botnet by hijacking the command and control domains that were being used to orchestrate the botnet’s activities. But according to Defence Intelligence CEO Christopher Davis, a few days later the alleged ringleader of the Mariposa botnet gang, who goes by the hacker alias “Netkairo,” bribed an employee at a Spanish domain name registrar that the gang had been using to register the Web site names that helped them control the botnet. Armed with those domains, Netkairo was able to rebuild the botnet, as the individual PCs previously enslaved by Mariposa were still programmed to regularly connect to those sites and download new marching orders.
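The paragraph above describes the mechanism that makes a sinkhole work and also what undoes it: infected PCs keep polling the same C&C domain names on a fixed schedule, so whoever controls the DNS answers for those names receives the check-ins. The following added example (not code from the article, Panda, Defence Intelligence or the Mariposa working group) runs simple beaconing detection over constructed DNS query log lines and counts how many bot check-ins a sinkhole captures when it holds all of the C&C domains versus when one domain is lost back to the operator, as happened here through the registrar. The domain names, the client addresses and the sinkhole address (a TEST-NET IP) are placeholders, not real Mariposa indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines (placeholder domains, not real Mariposa IoCs).
# Format: <ISO timestamp> <client IP> query A <queried name>
SAMPLE_DNS_LOG = """\
2009-12-23T10:00:02Z 10.0.0.12 query A c2-placeholder-a.example
2009-12-23T10:00:05Z 10.0.0.12 query A www.example.org
2009-12-23T10:05:01Z 10.0.0.12 query A c2-placeholder-a.example
2009-12-23T10:10:03Z 10.0.0.12 query A c2-placeholder-a.example
2009-12-23T10:15:02Z 10.0.0.12 query A c2-placeholder-a.example
2009-12-23T10:02:11Z 10.0.0.40 query A c2-placeholder-b.example
2009-12-23T10:07:09Z 10.0.0.40 query A c2-placeholder-b.example
2009-12-23T10:12:10Z 10.0.0.40 query A c2-placeholder-b.example
2009-12-23T10:03:00Z 10.0.0.77 query A www.example.org
"""

# Placeholder set of C&C names the bots are programmed to poll (assumption for the example).
KNOWN_C2_DOMAINS = {"c2-placeholder-a.example", "c2-placeholder-b.example"}
SINKHOLE_IP = "192.0.2.1"  # TEST-NET address standing in for a defender-controlled sinkhole

LINE_RE = re.compile(r"^(\S+) (\S+) query A (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, domain) for each well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)


def resolve(domain, sinkholed):
    """Simulated resolver: names the defenders control answer with the sinkhole address,
    anything else is answered by whoever holds the registration (returned as None here)."""
    return SINKHOLE_IP if domain in sinkholed else None


def find_beaconing(text, c2_domains, min_queries=3, max_jitter=timedelta(seconds=30)):
    """Return {client: domain} for clients that poll a known C&C name on a regular cadence.
    A client is flagged when it queried the name at least min_queries times and the
    spread between its shortest and longest inter-query gap is within max_jitter."""
    per_pair = defaultdict(list)
    for ts, client, domain in parse_log(text):
        if domain in c2_domains:
            per_pair[(client, domain)].append(ts)
    hits = {}
    for (client, domain), times in per_pair.items():
        times.sort()
        if len(times) < min_queries:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            hits[client] = domain
    return hits


def checkin_outcomes(text, sinkholed, c2_domains=KNOWN_C2_DOMAINS):
    """Count bot check-ins to known C&C names that land on the sinkhole ("captured")
    versus those answered by a name the defenders no longer hold ("escaped")."""
    outcome = {"captured": 0, "escaped": 0}
    for _, _, domain in parse_log(text):
        if domain not in c2_domains:
            continue  # ordinary traffic, not a bot check-in
        if resolve(domain, sinkholed) == SINKHOLE_IP:
            outcome["captured"] += 1
        else:
            outcome["escaped"] += 1
    return outcome


if __name__ == "__main__":
    print("beaconing clients:", find_beaconing(SAMPLE_DNS_LOG, KNOWN_C2_DOMAINS))
    print("all C&C names sinkholed:", checkin_outcomes(SAMPLE_DNS_LOG, KNOWN_C2_DOMAINS))
    # One name transferred back to the operator: its bots resume reporting to the attacker.
    print("one name lost:", checkin_outcomes(SAMPLE_DNS_LOG, {"c2-placeholder-a.example"}))
```

The cadence check is deliberately loose (three queries, 30 seconds of jitter) so that it catches the steady five-minute polling in the constructed log; on real resolver logs the thresholds need tuning against legitimate periodic traffic such as software update checks. The second `checkin_outcomes` call is the point of the paragraph: losing control of even one of the names gives every bot that polls it back to the operator, which is why registrar-side controls matter as much as the sinkhole itself.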

Davis said that on Jan. 22, the hacker launched a distributed denial of service attack against Defence Intelligence’s Web site, using more than a million PCs the gang had managed to corral back into the Mariposa botnet. That assault, which forced the infected PCs to flood the company’s site with junk Web traffic, not only knocked Defence Intelligence offline, but took out the networks of several other organizations that were using the same Internet service provider, including a local university and a few government agencies in Ottawa.

Lorenzana said the three men haven’t been named publicly because they haven’t yet been charged with a crime. Until that happens, which will probably be in a couple of weeks, the men are all free on their own recognizance. In the meantime, they are free to hoover up as much stolen data as they please, as the Mariposa working group has not yet been able to shutter the Web sites that served as the repository for personal and financial data stolen from people whose systems were ensnared by the bot.

“The main problem is that even though the botnet itself has been taken down, these bots are all still infected, and these guys who operated the botnet can still go and download all the details of the data they have stolen,” Lorenzana said.

Juan Santana, CEO of Panda Security, said he hopes this case will spur Spanish lawmakers to amend the penal code to more specifically punish cyber crime activities.

“I don’t think these guys will go to jail, especially if it is the first time they have committed a crime,” Santana said. “The government needs to pass laws that are enforceable and enforced afterward. In the vast majority of countries, malicious hackers do not fear that if they do get caught that they will go to jail, because the benefit for them is far higher than the risk right now.”


18 thoughts on “‘Mariposa’ Botnet Authors May Avoid Jail Time”

  1. Ben

    So why can’t they stick them with some form of crime relating to aiding in “robbery” of bank accounts or something along those lines… Possibly Racketeering of some sort over there

  2. bob

    @Ben “we will need to prove they also were stealing identities and other things”

  3. Super Target Me

    Cyber crime legislation in Spain is really poor. We need judges specialized in these cases. All the Panda Security, FBI, Defence Intelligence and Guardia Civil effort can't go trash!!!

    We need in Europe more groups against cybercrime like CNCCS.

  4. d

    “Besides flooding capabilities…”

    Hmm… what other proof does the Spanish government need? ‘Mariposa’ should be Spain’s test case

  5. Linda Foley

    How do you rent, who rents, botnets? We have a serious problem because this means an even higher group has malicious programs they “rent out.” That should be the law enforcement target

    1. CyberBob

      The world of malware is a cooperative industry where those who specialize in various segments and layers of the market work with each other… development, marketing, delivery, support, labor, data harvesting, analysis, etc.

    2. rich

      a lot of people rent botnets (assumption). people that want to spam a large number of folks, people that want to ddos competitors, etc. There are tons of “great” uses for a botnet. Even just having 20 PCs at your disposal would be useful for a smart criminal. Imagine how much more useful your spam or rate of infection would be if the source was a “trusted name”…aka your friend’s email address/infected machine.

      the possibility of making money drives this stuff…just like most (all?) other criminal activity…

      1. BrianKrebs Post author

        Yeah, I meant to include this in the story, but the Spanish police captain I spoke to said these guys were making about 3,000 Euros a month renting out their botnet.

        1. JCitizen

          Thanks for the update Brian; great article!

        2. KFritz

          That doesn’t sound like a very good rate of return for the number of infected machines. Your description of that American hacker in ?2006? sounded as though he was making a much better return. Is there deflation in ‘malwareland?’

    3. TheGeezer

      Linda, the botnet business really is a business, with multiple operators providing specialized services at every level. The following link is to a blog which lists the services and prices offered by one botnet. Just like legitimate commercial Internet service providers, 24×7 customer support is included. They have a help desk!

      http://blog.damballa.com/?p=454

  6. TheGeezer

    Brian, it’s not hard to see why you got all those awards. Your article is by far the best I’ve seen on this topic.

    I’m not even sure RICO (Racketeer Influenced and Corrupt Organizations Act) which is part of the “Organized Crime Control Act” passed in the US in 1970 would be strong enough for successful prosecution of people running a botnet.

    Our laws, as well as Interpol’s definition of RICO type laws, need to be updated to allow prosecution for installing software which had as its purpose the theft of personal information. Sending emails with links referencing fake bank sites should itself be a crime (email fraud?). There should be no need to prove that the exploit actually succeeded.

    I doubt that could happen today, however. The original act was sponsored by democratic senator John McClellan. If that act would be submitted today it would probably be filibustered as being too intrusive.

  7. Information

    They don’t need to rent the botnet itself.
    They simply buy the bot software and rent the servers to host the botnet. This is done mostly in offshore datacenters that have little to no law in this subject.

    With a net of that size they must have been making many thousands a month, way more than 3,000 euro monthly. These people have almost unlimited ways to monetize them, the only limit is their imagination.

  8. Daniel

    “Ottowa” eh? I believe you mean Ottawa.
    Signed — A Canucklehead.

  9. Dan

    Mayhaps the poor Spanish have never heard of “Breaking and Entering”? Cyber or not, this is what those guys did.

  10. Kevin Stevens

    Your title is misleading. These are not the mariposa authors. There is one author and he is Iserdo. Also, they used butterfly bot (bfb), not the new bot which is called butterfly flooder (bff). Also, Zeus 1.3 has full support for vista/Win 7, not just 1.4. Version 1.4 is still in beta.
