The Panda researcher delivered these comments during his CSI Conference session designed to glean lessons from the Mariposa botnet, whose primary operators were based in Spain, just a short train ride from the company’s labs. Mariposa, Spanish for butterfly, was one of the largest known botnets at the time of its takedown according to Correll, with more than 13 million unique IP addresses.
Panda personnel collaborated with Spanish authorities, the FBI, and other anonymous researchers to shut down the botnet after several complicated legal maneuvers, beginning around Christmas time 2009. However, the takedown was hardly the most interesting aspect of this story.
Although Mariposa accomplished its goal of being installed on millions of machines while remaining undetected, all the while stealing credentials through various means, the Spain-based operators of the botnet hardly received their money’s worth for all the legal trouble they subsequently experienced. (The Slovenian bot author was also subsequently arrested by athourities in that country during a separate sting, while only two of the three operators based in Spain were arrested.)
After authorities sized equipment related to controlling the botnet, Correll noted that the “cybercriminal was dumb enough to store all of the information unencrypted on his [personal] hard drive”, which made the forensic analysis quite simple. It provided an easy-to-follow roadmap of the crime, including the names of money mules, money transfers, and so on.
What the researchers also found were stolen credentials on more than a million people, such as banking information, internet logins, and credit card numbers. Correll also said that over half of Fortune 1000 companies were infected by the Mariposa botnet.
Correll considered the Mariposa operators based in Spain – know as Netkairo and Ostiator – to be less than adept at covering their tracks. This was especially the case for Netkairo, who purchased a commercial packer used in the Mariposa toolkit using a Western Union transfer in his own name.
“He wasn’t a really smart guy”, opined Correll. “I don’t think he really thought he would ever be caught.”
The Panda threat analyst was even more critical of the operators’ technical skills. Panda’s analysis found a cookie stuffer that when unused on Netkairo’s hard drive. “I think they just didn’t know how to use it, said Correll. “They weren’t really smart people.”
He believes the criminals responsible for Mariposa could easily have made more money off the botnet if they were more technically savvy. For all the credentials and infected machines, the crew raked in only about $3000 per month per person, which calls into question the wisdom of the entire endeavor.
Correll said that the operators likely did this for hobby rather than having visions of being criminal masterminds. This was apparent when Netkairo and Ostiator visited Panda’s facility in Spain looking for jobs after the takedown.
“These guys really didn’t have any experience”, Correll joked after seeing the pair’s CVs. “We were all assuming they did based on how they ran the network.”
Technical prowess aside, the Mariposa saga serves as a reminder of how easy it is to conduct cybercrime in today’s environment, especially given the availability of easy-to-use crimeware kits available on hacking forums, a point that the Panda analyst made a point to drive home. “They were hardly cyber kingpins, and more like cyber idiots”, said Correll. “But they were still able to control more than 13 million machines.”