Botnet of almost 13 million compromised computers shut down following international law and security intervention

News by Dan Raywood

An international botnet of almost 13 million compromised computers has been shut down following an international investigation.

An international botnet of almost 13 million compromised computers has been shut down following an international investigation.

The Mariposa botnet was announced as having been shut down yesterday, and three suspected criminals nicknamed ‘Netkairo' and ‘hamlet1917', as well as his immediate botnet operator partners, ‘Ostiator' and ‘Johnyloleante', were arrested by Spanish law enforcement.

Mariposa stole account information for social media sites and other online email services, usernames and passwords, banking credentials, and credit card data through infiltrating an estimated 12.7 million compromised personal, corporate, government and university IP addresses in more than 190 countries. The botnet was shut down and rendered inactive on December 23rd last year.

It was first discovered by Defence Intelligence. Its CEO Christopher Davis said that it would be easier for him to provide a list of the Fortune 1000 companies that were not compromised, rather than the long list of those that were.

Following its discovery around May 2009, Defence Intelligence along with Panda Security and the Georgia Tech Information Security Center spearheaded the Mariposa Working Group as a collaborative effort with other international security experts and law enforcement agencies to eradicate the botnet and bring the perpetrators to justice.

After analysing the main command-and-control servers, the Working Group was able to facilitate the coordinated worldwide shutdown of the Mariposa botnet on December 23rd. Panda Security is currently leading a comprehensive analysis of the malware, as well as coordinating international communication among other anti-virus companies to ensure that their signatures are updated.

Pedro Bustamante, senior research advisor at Panda Security, said: “Our preliminary analysis indicates that the botmasters did not have advanced hacking skills. This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss. We're extremely proud of the coordinated effort made by all of the Mariposa Working Group members and the speed at which we were able to bring down this massive botnet and the criminals behind it.”

Panda's preliminary analysis concluded that once a user was infected, the botmaster installed different malware (advanced keyloggers, banking Trojans such as Zeus, remote access Trojans, etc.) in order to gain additional functionality into the zombie PCs.

It also found that the botmaster made money by selling parts of the botnet, installing pay-per-install toolbars, selling stolen credentials for online services and using the stolen banking credentials and credit cards to make transactions to overseas mules.

The Working Group has officially seized control of the communication channels used by Mariposa, effectively severing the botnet from its criminal creators. In an apparent act of retaliation, a distributed denial-of-service (DDoS) attack was initiated against Defence Intelligence shortly after the botnet was shut down in December. The attack was powerful enough to impact one large ISP, many of whose customers were knocked offline for several hours.

Juan Salom, commander of the cyber crime unit of the Guardia Civil, said: “Once again, the coordinated efforts of various international law enforcement agencies and Spain's Guardia Civil, together with the internet security industry, have been able to tackle the global threat of cyber crime.”

Mel Morris, CEO of Prevx, welcomed the news, but said that the shutdown was a drop in the ocean when you consider the sheer number of criminals out there constantly launching a variety of attacks on banks.

He said: “What this case, which affected nearly 13 million computers in 190 countries, does highlight is that despite having the most up-to-date anti-virus software installed, these threats can still be missed. Additionally, even when a perpetrator is found, bringing a case against them can eat up huge resources on the part of businesses and the justice system. Hence for criminals, the benefits of e-crime significantly outweigh the risks so they will stop at nothing to find chinks in the armour of PC security.

“To beat cyber crime, we need to acknowledge that a lack of centralised intelligence about new threats means that criminals can evade detection quite easily. We need to acknowledge the role centralised intelligence is playing in malware development and build defences around counter-intelligence. If we fail to act now, criminals will continue to reap the rewards while the industry merely bites at their heels.”

Davis concluded: “We will continue to fight the threat of botnets and the criminals behind them. We'll start by dismantling their infrastructure and won't stop until they're standing in front of a judge."

Defence Intelligence and Panda Security are attempting to contact affected organisations. To find out if your organisation has been compromised, contact or


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews