Posts Tagged ‘FBI’

FBI and Interpol trapped the world’s biggest Butterfly botnet

07/02/2011

How the FBI and Interpol trapped the world’s biggest Butterfly botnet

The biggest criminal botnet ever identified, with millions of enslaved computers in 172 countries, now has a name of its own – and embedded within the software that created it are the names of its criminal bot masters.

Christian Science Monitor

The world’s biggest criminal botnet, that has enslaved tens of millions of computers across 172 countries, now has a name: “Metulji,” Slovenian for “butterfly.” But even this monster butterfly could get netted.

Earlier this month, the FBI and Interpol conducted “Operation Hive,” which resulted in the arrests of two Metulji operators in Bosnia and Slovenia.

But that may be just the beginning. Despite its mammoth size, the Metulji botnet has an Achilles heel that law enforcement and cyber security experts are exploiting: its criminal creator kept meticulous records of his customers.

Cheap to build, botnets are a stealthy, anonymous, nearly ideal criminal platform for Internet attacks against company websites. But they are even better at quietly stealing bank logons, passwords, credit card numbers, and social security numbers, says Karim Hijazi, CEO of Unveillance, the Wilmington, Del., botnet tracking company that discovered Metulji.

“We’re already pretty sure this botnet has stolen credentials that resulted in thefts totaling in the millions of dollars,” says Mr. Hijazi. “We still don’t know how many computers are part of this botnet yet. But we expect to have a pretty good idea before long.”

The creator of the sophisticated software kit – who made his money by selling it to those who wanted to build their own botnets – kept careful track of his customers’ criminal nicknames, Mr. Hijazi says. His “Butterfly Bot Kit” was also used to create the infamous Mariposa botnet, another gigantic botnet that at one point in 2009 had 12 million computers in 100 nations under its spell.

Just two years later, Mariposa has been neutralized by law enforcement – in large part by tracking down the purchasers of the software.

“The key here is that during the Mariposa case we discovered the licensing mechanism inside the Butterfly framework,” says Luis Corrons, technical director of Panda Labs, whose company is assisting in the analysis of the new botnet. “These licenses are in the form of bot master nicknames, which are … tied to the sales made to all bot masters who purchased a Butterfly botnet.”

The Metulji botnet was created with a more advanced version of the Butterfly Bot Kit – but it, too, keeps purchase records. Since the Butterfly framework creator was arrested and his computers confiscated, it is “safe to assume” that law enforcement has “very good insight into who is running ANY Butterfly-based botnet out there,” Mr. Corrons writes in an e-mail.

Oddly, despite a number of Mariposa-linked arrests last year in Spain and Slovenia, bot masters are still depending on the Butterfly framework to run their Metulji botnets.

“Obviously, those bot masters are either not concerned about going to jail or just plain stupid,” Corrons adds.

LulzSec claims new international hacking victory

06/22/2011

LulzSec claims to have brought down two Brazilian government websites in fresh attacks after a 19-year-old from Essex was arrested, accused of being part of the hacker group.

In a tweet in the early hours of Wednesday morning, LulzSecBrazil wrote: “TANGO DOWN brasil.gov.br & presidencia.gov.br”

Another Twitter message from the main LulzSec page then added: “Our Brazilian unit is making progress. Well done @LulzSecBrazil, brothers!”

The websites are the official pages of the Brazilian Government and the President’s office, the equivalent of the Downing Street site.

Attempts to access the websites this morning proved unsuccessful and the attacks appeared to have swamped the pages with internet visits, causing them to crash.

The Brazilian government has become the latest high-profile victim claimed by LulzSec in a list which has allegedly included the CIA, the US Senate, the US television broadcaster PBS, Britain’s Serious and Organised Crime Agency and the technology firms Sony and Nintendo.

If the claims are accurate, it would not be the first time that LulzSec has reacted hard to attempts to damage it.

Yesterday, the group posted the private details, including the home addresses, of one hacker and his associate who “tried to snitch on us”, accusing the hacker of “countless cybercrimes”.

Addressing the post to the “FBI & other law enforcement clowns”, they signed off: “There is no mercy on The Lulz Boat. Snitches get stitches.”

The 19-year-old arrested in the UK on Monday night is Ryan Cleary, the son of a college lecturer. The teenager is accused of being a “major player” in LulzSec.

He was held in a raid at his family home in Wickford following a joint investigation between Scotland Yard and the FBI, which was also aimed at finding the hackers who breached security at the video games firms.

No messages were posted on the Twitter account of LulzSec for about 10 hours after the arrest before two denials came.

One read: “Clearly the UK police are so desperate to catch us that they’ve gone and arrested someone who is, at best, mildly associated with us. Lame”

Another read: “Seems the glorious leader of LulzSec got arrested, it’s all over now… wait… we’re all still here! Which poor b—–d did they take down?”

It was alleged last night that Mr Cleary was online in the middle of hacking when he was held. The arrest came hours after an anonymous internet user claiming to be from LulzSec threatened to publish the entire 2011 census database, though this was later dismissed as a hoax. A Scotland Yard spokesman said a “significant amount of material” had been seized from Mr Cleary’s family home by officers from its specialist e-crime unit, and would now be subjected to forensic examination.

Mr Cleary’s family expressed disbelief that the self-confessed computer “nerd” had anything to do with hacking. His mother Rita, 45, said her son “lives his life online” but she thought he had been playing computer games in his bedroom at the detached family home.

She added that, as he was led away by police, he told her he feared he would be extradited to America.

His older brother Mitchell, 22, said: “Ryan is obsessed with computers. That’s all he ever did. I was stunned to hear he had been arrested.

“He’s not the sort of person to do anything mad or go out and let his hair down or do anything violent. He stays in his room – you’ll be lucky if he opens the blinds, but that’s just family, isn’t it? I barely see him – I’m more of a football person – he’s more of an inside person.”

He said his brother had fallen out with people over WikiLeaks: “He used to be part of WikiLeaks and he has upset someone from doing that and they have made a Facebook page having a go at him.”

James Rounce, a neighbour of Cleary, said: “They moved in about 10 years ago and have been pleasant neighbours. I think he had been away at university and had come back for the holidays or because he had finished his exams. You could tell he was very bright just from the way he spoke and presented himself.”

Mr Cleary’s father Neil, 44, worked as musical director on the West End production of the Andrew Lloyd Webber musical Starlight Express. He later became a lecturer at Peterborough Regional College in Cambridgeshire and director of its orchestra. Nick Stamford, a former classmate of Ryan Cleary, said: “He used to spend a lot of time at home and that is when I think he got into computers. He was quite bright but he didn’t really have too many friends.”

LulzSec has emerged in recent weeks as a rival to the hacking group Anonymous, which targeted banks that had refused to process donations to the WikiLeaks website.

The organisation claimed credit for hacking into the accounts of Sony PlayStation users. On Monday it bombarded the website of the Serious and Organised Crime Agency with so much internet traffic it had to be taken offline.

Mr Cleary’s arrest is likely to lead to comparisons with the case of Gary McKinnon, the 45-year-old Briton fighting extradition to the United States, where he could face 60 years in jail if convicted of hacking into Pentagon and Nasa computers.

The CIA website goes down after an alleged cyberattack

06/16/2011

The hacker group Lulz Security claims responsibility for the incident. – They offer a telephone number so that citizens can suggest sites to attack. – Anonymous attacks more than 50 Malaysian websites.

The hacker group Lulz Security has claimed, in a message on Twitter, that on Wednesday night it attacked the CIA’s website, which was down for a few moments. The hackers are the same ones who have previously claimed attacks on the websites of the United States Senate, Sony and US public television. A spokesperson for the intelligence agency said they were looking into the Lulz message.

Security analysts have played down the Lulz attacks, arguing that the hacker group is seeking attention. Lulz has not posted on the Internet, as it did when it attacked the Senate’s site, any proof of holding relevant information taken from the CIA’s website.

Although Lulz Security presents itself more as pranksters and activists than as a group with illegal intentions, its members have been accused of breaking the law and the FBI is looking for them. The group, which has also attacked Nintendo’s systems, stated on its website after attacking the Senate’s site that it broke into the server to expose the network’s security problems.

Telephone and Anonymous

The latest stunt by the group, which justifies its actions with a sense of humour, has been to publish a telephone number with an Ohio area code so that citizens can choose sites they want attacked. The number offers a voicemail box for leaving the request, since those who answer it, two people with French names, claim to be busy with their antics. Luis Corrons, of Panda Labs, considers offering a telephone number an eccentric proposal, because they could have received suggestions over the Internet. It cannot be ruled out that the telephone number is intended to saturate some line in the manner of a denial of service.

In addition to the CIA, Lulzsec is behind denial-of-service attacks on the servers of entertainment sites such as Eve Online, Minecraft, League of Legends and Escapist Magazine. The action was carried out under the name #TitanicTakeoverTuesday.

Meanwhile, Anonymous attacked more than 50 Malaysian government sites early this morning in retaliation for the censoring of WikiLeaks and download sites.

Among the institutions affected are the government’s sites, the Ministry of Information, the fire service and the transport authority.