With control of an estimated 13 million compromised computers, the botnet shut down on the 3rd May and suspected criminals nicknamed ‘Netkairo' and ‘hamlet1917', as well as immediate botnet operator partners, ‘Ostiator' and ‘Johnyloleante', were arrested by Spanish law enforcement.
The botnet stole login details, as well banking credentials and credit card details in more than 190 countries. Among the companies involved with the detection and shutdown of the botnet was PandaLabs, who along with Defence Intelligence and the Georgia Tech Information Security Center spearheaded the Mariposa Working Group.
After the shutdown, the story took an interesting turn for PandaLabs' technical director Luis Corrons. Speaking to SC Magazine this week, he said that a few weeks later on the 22nd March on a Monday morning he was waiting for a Spanish journalist to arrive and walked past two men that he did not recognise who asked if he was Luis Corrons? They introduced themselves and told him their names and their aliases - ‘Netkairo' and ‘Ostiator'.
Corrons said: “I was shocked and thought what are they doing here, and I was worried that they wanted to teach me a lesson. Their business was Mariposa and it was shut down and one of the guys lived within half an hour of the labs, and the other further away so had to make a longer trip.
“They started talking about Mariposa so I was worried in case they wanted to kill me or cause some harm. We went to a meeting room and I didn't know if it was real or I was dreaming, or some sort of joke. They started talking and I asked them what they wanted, they said that they didn't know how to programme but know things that can benefit and help us, and they wanted to work for Panda.”
Asked how they were able to get access into the building, Corrons said that there is a security man on the door who knew that he was waiting for a journalist to arrive that morning, and having told reception that they wanted to talk to me they were allowed in.
Continuing with his story, Corrons said: “I looked at their CVs but there was not enough experience and only a few sentences on the CV so little text, I said okay you know you are behind Mariposa but it is not right to be working for a security company.
“I said it was not a good idea and I didn't have the final word and I would have to speak to management, and I said I would let them know. I told the guys in the lab and they couldn't believe it, then I saw two emails and that they were following me on Twitter.”
A few days later he said that he got a message on Twitter that said ‘don't forget us and give us a second chance' – which was written in English, with two comments on a PandaLabs blog, which he did not pay attention to.
He said: “A few weeks later in the labs I was talking about the guys and my phone rang and it was the switchboard, and they said that it was a guy who claimed that I knew him, and it was ‘Netkairo'. He said he was expecting a call or email as a response about him working here, and I couldn't believe it.
“The next day ‘Netkairo' came to see me again. I told him that we were not going to have them, there was no way we would hire him. He said that he had not been charged, but I said that he was involved and that was a problem, he said that no one knows and no one will realise.
“He got annoyed, saying that they are behind the bot but didn't create it and just bought it. They said that they did not programme it but it was their idea and someone developed it for them.”
Corrons said that he also told him to tell ‘Ostiator' that neither was going to be hired. As ‘Netkairo' was leaving he told Corrons of some security vulnerabilities that he knew of in its free anti-virus, to which he commented that he would welcome the research, and if it was a real issue they would fix it.
“He was threatening and saying if we are not hiring he would not tell me what the vulnerability is,” said Corrons. He also saw that a few days later a blog was set up which said that there was a problem with the anti-virus, and he had posted a video of him typing.
Corrons said: “I didn't answer or send him a message, and a few days later he had posted a new blog with ‘the truth about Mariposa', saying that if a question was asked it would get a response, but a few hours later it was gone.
“A few more days there were some comments on our blog and I noticed he was still going on Twitter and he was sending me messages on Twitter. Then a few days later a new Twitter profile appeared called ‘Iuis Corrons' and people were following it, it had a link to a video with gay porn and some text in Spanish. Twitter acted fast and removed the account.”
Corrons claimed that the last Twitter message was on 3rd May. Following these incidents, he said that he recently got a comment in the PandaLabs blog, and suspected it was ‘Netkairo', but in previous comments he had identified himself but not this time. Corrons said: “I said ‘long time no see' as a response but there was no response and from that moment there was no news.”
Corrons said that in his last meeting with ‘Netkairo' he had said that Mariposa was initially a game, and when they started to earn money and the botnet got bigger they could not stop.
While telling me his story, one thing that struck me was Corrons' opinions on whether people such as these could be hired by a security company. This has previously been slammed by Rik Ferguson, senior security advisor at Trend Micro, who claimed that the appointment of ‘computer-savvy hackers – some of them still teenagers' to work in the Cyber Operations Command that was recently announced as a part of the UK Cyber Security Strategy, would be untrustworthy.
I asked Corrons if the botnet owners are tried and found not guilty, would he consider hiring them? He said: “Even if they were not criminals, no anti-virus company would have those guys as you can hire and find out that he was the wrong guy, no one will hire a criminal.”