Spanish police arrest Mariposa botnet ringleaders


Spanish police have arrested three men believed to be the masterminds behind one of the world's largest botnets.

The men are accused of running the Mariposa botnet, which is believed to have infected nearly 13 million PCs with a virus that stole credit card details and other data.

The Spanish Guardia Civil made the arrests after two internet security firms, Canada's Defence Intelligence Inc. and Spain's Panda Security SL, infiltrated the ring and shut the botnet down just before Christmas.

By that point Mariposa (Spanish for butterfly) had infected 12.7 million computers in 190 countries, with victims including government agencies, schools, more than half of the world's 1,000 largest corporations and 40 per cent of banks.

The malware was programmed to take control of infected machines and log every keystroke, sending the captured data back to Mariposa's command servers, where it was sifted for passwords, credit card numbers and other private information.

Mariposa first appeared in December 2008 and spread through removable USB drives, MSN Messenger and peer-to-peer file-sharing networks. The three ringleaders used it to steal banking credentials and to launch distributed denial-of-service attacks, though unlike the operators of some other botnets they did not use it to push fake security software.

Researchers first spotted the botnet in April last year, and it was taken down on December 23 last year thanks to the efforts of an informal group of volunteers calling itself the Mariposa Working Group.

"It was so nasty, we thought 'we have to turn this off. We have to cut off the head'," said Chris Davis, chief executive of Defence Intelligence. Security experts believe the total cost of cleaning up infected machines could run into the millions.

The three men, known at this stage only by their web handles "Netkairo", "Johnyloleante" and "Ostiator", were not themselves skilled programmers but had contacts who were. All three are Spanish citizens with no previous convictions, according to Guardia Civil captain Cesar Lorenza.

"They're not like these people from the Russian mafia or Eastern European mafia who like to have sports cars and good watches and good suits. The most frightening thing is they are normal people who are earning a lot of money with cybercrime," Lorenza commented.

According to Panda Security, the men not only used their network of infected PCs to harvest data but also rented it out to other hackers. One of the three was arrested in possession of 800,000 sets of personal credentials. Each faces up to six years in prison if convicted.

However, security experts warn that more than three people were probably behind Mariposa, and that the network could easily be rebuilt by others. "Mariposa's the biggest ever to be shut down, but this is only the tip of the iceberg. These things come up constantly," Mark Rasch, former head of the US Department of Justice computer crimes unit, told Reuters.