4. www.pandasecurity.com
Mariposa Working Group
Defence Intelligence
Panda Security
Georgia Tech Information Security Center
Neustar
Researchers who wish to remain anonymous
In collaboration with:
FBI
Spanish Civil Guard
4
Some of the DNS domain names observed as C&C servers:
lalundelau.sinip.es
bf2back.sinip.es
thejacksonfive.mobi
butterfly.BigMoney.biz
bfisback.sinip.es
qwertasdfg.sinip.es
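As an added example (not from the slides or the Mariposa Working Group), a small Python checker that flags clients querying these C&C names in a DNS query log, which is the kind of indicator a defender would watch once the domains are sinkholed. The BIND-style log lines and client IPs are constructed for the example; the domain list is the one on this slide. It matches subdomains as whole labels and folds case, since DNS names are case-insensitive and the deck spells bigmoney.biz both ways.

```python
import re
from collections import defaultdict

# C&C domains listed on the slide, normalised to lower case: DNS names
# are case-insensitive and the deck spells bigmoney.biz both ways.
MARIPOSA_CC_DOMAINS = {d.lower() for d in (
    "lalundelau.sinip.es",
    "bf2back.sinip.es",
    "thejacksonfive.mobi",
    "butterfly.BigMoney.biz",
    "bfisback.sinip.es",
    "qwertasdfg.sinip.es",
)}

# Hypothetical BIND-style query log layout (an assumption of this example):
# "<time> client <ip>#<port>: query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"client (?P<ip>\d+(?:\.\d+){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def is_cc_domain(name: str) -> bool:
    """True if name is a listed C&C domain or a subdomain of one.

    Matches whole labels, not substrings: notbf2back.sinip.es does not
    match bf2back.sinip.es, and the parent sinip.es is not on the list.
    """
    n = name.lower().rstrip(".")  # fold case, drop trailing root dot
    return any(n == d or n.endswith("." + d) for d in MARIPOSA_CC_DOMAINS)

def find_infected_hosts(log_lines):
    """Map each client IP to the set of C&C names it queried."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_cc_domain(m.group("name")):
            hits[m.group("ip")].add(m.group("name").lower().rstrip("."))
    return dict(hits)

# Constructed log lines; client IPs and timestamps are made up.
SAMPLE_LOG = [
    "21-Dec-2009 10:01:02.123 client 10.0.0.5#53211: query: butterfly.BigMoney.biz IN A +",
    "21-Dec-2009 10:01:05.000 client 10.0.0.7#40122: query: www.example.com IN A +",
    "21-Dec-2009 10:02:11.456 client 10.0.0.5#53212: query: bfisback.sinip.es. IN A +",
    "21-Dec-2009 10:03:00.000 client 10.0.0.9#51000: query: notbf2back.sinip.es IN A +",
    "21-Dec-2009 10:03:30.000 client 10.0.0.9#51001: query: cdn.thejacksonfive.mobi IN A +",
]

if __name__ == "__main__":
    for ip, names in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(ip, sorted(names))
```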
Timeline
December 21st 2009
Spanish LE visit to CDMON (Spanish ISP)
December 23rd 2009
All C&C domains pointed to sinkhole:
Cdmon, ChangeIP, Directi, GetmyIP, DynDNS
December 24th 2009
New binary dropped (detected by 2 of 24 engines at VirusTotal).
Staying undetected…
The botnet operators used Swedish VPN providers in order to avoid physical detection.
The sinkhole caused the main botnet operator to panic and connect to the infrastructure using his home DSL connection.
Panic at the disco!
The C&C sinkhole panic allowed us to trace the botnet operator's Internet connection back to Spain.
Spanish LE visits the ISP to retrieve the DSL customer information.
Time to make some arrests!
MWG: Let’s move on the arrest!
Spain LE: Not so fast!
Law enforcement roadblocks:
Owning a botnet is not illegal in Spain
Spanish law protects criminals
Forensic skills are not up to par
Timeline
January 22nd 2010
Bot master bribed CDMON tech support to recover booster.estr.es for €500.
January 25th 2010
Bot master launches a DDoS against Defence Intelligence: sustained 900 MB/s of traffic.
February 3rd 2010
Bot master arrested at home by Spanish Civil Guard
Stolen Credentials
• Personal information from over 1,000,000 victims:
  – Credit cards
  – Social Security numbers
  – Bank accounts
  – Intranet credentials
• Data from universities, banks, and half of the Fortune 1000 companies
What did we uncover after the arrest?
Timeline after initial arrest
February 10th 2010
Butterfly.bigmoney.biz recovered by Mariposa's operators; C&C servers moved to Israeli and Chinese domain registrars.
February 24th 2010
Ostiator & JonnyLoleante arrested
March 3rd 2010
Mariposa Final Takedown
P2P – Strengths and Weaknesses
Low chance of infecting corporate networks (perimeter blocking)
High chance of infecting home networks (piracy)
APAC region had a high concentration of infections. High risk due to rampant piracy.
65% of software is pirated in India according to a Business Software Alliance study: http://bit.ly/bLlN06
USB – Strengths and Weaknesses
High chance of infection in corporate networks
USB enabled by default in most organizations
Working from home introduces threats into the workplace.
High chance of infection in home networks
We use USB devices every day
Knowledge of USB threat vector low
MSN Messenger – Strengths and Weaknesses
Moderate chance of infection in corporate networks
Sometimes used for interoffice communication
31% of businesses use instant messaging according to Nielsen
High chance of infection in home networks
40% of home users use instant messaging according to Nielsen
MSN usage ranks high in most affected countries
Unique social engineering capability
Exploit kits – Strengths and Weaknesses
Moderate chance of infection in corporate networks
Operating system updates are most likely enforced via policy
Non-system software updates are most likely not enforced via policy
Antivirus software installed by default
High chance of infection in home networks
Operating system updates not always installed.
Non-system software updates are almost never installed (unless forced)
Antivirus software may not be installed
How much money were they earning?
10,000€ / month (around 3,000 each)
Ads
Pay per click
Renting portions of the botnet
Post data grabber (stealing credentials)
Lessons Learned
Just shutting down botnet C&Cs does not stop the bad guys.
Arresting the bad guys doesn't stop them either.
Signature-based antivirus detection isn't good enough; signatures can take weeks to develop.
Cyber legislation needs significant improvements to adapt to the current threat landscape.
Communication with law enforcement is often one-way and difficult, but the results are better than simple shutdowns.