Mar 03

Panda Security Helps FBI Take Down Global Hackers

Cyber criminals related to the Mariposa botnet were finally arrested last month. The Mariposa botnet, a network of 12 zombie computers assembled to steal personal information, is believed to have infected approximately 13 million computers in more than 190 countries. The botnet spread over P2P networks, via infected USB drives and through web links. After a user was infected, malware would begin to install and allow the hackers to access sensitive information.

The Register reports that “half the roster of Fortune 1000 companies harboured machines infected by Mariposa at one time or another.” In fact, Christopher Davis, chief exec at Defence Intelligence in Canada, says, “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were.”

After Davis first discovered Mariposa in May 2009, he teamed up with the Georgia Tech Information Security Center, PandaLabs and law enforcement personnel to form the Mariposa Working Group. After months of collaboration, Panda Security, other security experts and law enforcement were able to shut down Mariposa on December 23, 2009.

In a panic to regain control of Mariposa, botmaster Netkairo (aka “hamlet1917”) made a connection to the network using his home computer. Past connections had almost always been through a VPN (virtual private network) to mask IP addresses from the authorities. Netkairo’s mistake left a digital trail for investigators to follow, which then led to a string of arrests two months later.

In a press release today, Panda Security senior research advisor Pedro Bustamante tells us, “Our preliminary analysis indicates that the botmasters did not have advanced hacking skills.” It just goes to show “how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss.”

Defence Intelligence and Panda Security are making their way through a list of affected organizations to contact. If you would like to find out whether your organization has been compromised, email compromise@defintel.com or info@pandasecurity.com.

About the author

Lansia
