Busted Botnet: Unveillance Uncovers the Global Spread of the Malicious Software Behind New Botnet Arrests


According to Unveillance, LulzSec may have the cocky attitude required to draw the attention of a media culture that has grown bored with internet security, but it is these criminals, those who operate in secret, quietly siphoning off untold millions of dollars, who are the real threat.

In early June, eastern European news outlets reported that a law enforcement task force investigation resulted in the arrest of two men charged with stealing several hundred thousand dollars while running a massive network of compromised computers known as a botnet. “Operation Hive”, a joint operation between the FBI, Interpol, the Serbian Ministry of Internal Affairs and the Slovenian Police, led to the arrest of the two suspects.

Unveillance, a data leak intelligence firm, has been studying this botnet for several months and reports that there are affected individuals and corporations in at least 172 countries, including the United States, Russia, Brazil, China, Great Britain, India and Iran. The malicious software (malware) at the heart of this investigation is the Butterfly Bot Kit, also known as Palevo, Pilleuz or Rimecud. This is the same software that was used to infect the millions of computers in the Mariposa botnet. Based on intelligence gathered from its network of global sensors, Unveillance estimates that this botnet is larger than Mariposa.

Although a few of the domains used to control the botnet have been suspended, Unveillance has discovered that several domains remain live and are actively harvesting information stolen from victims with infected computers. At this time it is unknown if law enforcement agencies are aware of the remaining active domains and it is possible that there are other individuals controlling these domains who have not yet been arrested in conjunction with this investigation.

Unveillance researchers Matt Thompson and Meaghan Molloy have reunited with their former Mariposa Working Group partner, Panda Security, to collect and analyze several thousand unique variants of malicious software associated with this botnet. Butterfly Bot is polymorphic malware that spreads via removable drives such as USB keys, making it very difficult to contain and remove from a network. Companies and individuals infected with Butterfly Bot often find themselves in a perpetual cycle of reinfection. It is the ease with which this type of malware spreads that enables botnets to grow to such an immense size.

Unveillance reports that, using Butterfly Bot to infect computers, the suspects allegedly stole personal information as well as bank account credentials from individuals and corporations worldwide. The FBI’s involvement means it is likely that American accounts are also affected.

According to Unveillance, one of the alleged masterminds made little attempt to cover his tracks and used the same email address to register several domains used to control this botnet. In some instances the suspect also used his real name and an address in Banja Luka; other related domains were registered under different names and addresses. Eastern European news outlets refer to one of the suspects as a “computer genius” and allege that he has previously been arrested for cybercrime. One of the suspects had apparently been enjoying his newfound wealth, having recently purchased a luxury apartment and several cars worth around 75K USD each. The second suspect appears to have lived a quieter life in a rented apartment with his wife. Reports indicate that during the arrests police seized computer equipment and illegal firearms.

“In the wake of the recent LulzSec antics, it is surprising that this story has not yet attracted the attention of any English language newspapers,” says Karim Hijazi, CEO of Unveillance. “When justifying their actions, the members of LulzSec were quick to point out that there are many more criminals at work in the world, most of whom don’t send out tweets every time they violate personal and corporate networks.”

About Unveillance

Unveillance has developed the first Software-as-a-Service (SaaS) Data Leak Intelligence Platform. Leveraging completely passive monitoring, without the use of any on-premises hardware, software or agent install, our platform is able to assess whether an organization, country and/or government’s network is actively compromised by advanced persistent threats (APT) and thus participating in a botnet infrastructure, at a 100% zero false positive rate. The intelligence platform is able to provide metrics on the severity, frequency and scope of infection, as well as display successful remediation efforts via a unique rating system called the DLI (Data Leak Intelligence) Score. http://www.unveillance.com

Unveillance Press Team
(800) 540-8478 3

Michael Sias
(828) 255-8815