More arrests are expected

Jul 28, 2010 13:37 GMT

The main developer of the malware behind the Mariposa botnet was arrested in Slovenia a few days ago by the Slovenian Criminal Police. According to people familiar with the investigation, more arrests are expected in connection with this criminal operation.

Mariposa ('butterfly' in Spanish) was one of the largest botnets in history, which at its peak counted as many as 12 million infected computers spread across 190 countries. The malware behind the botnet is known as Palevo or Rimecud and spreads using a variety of methods including exploiting several Windows vulnerabilities, copying itself to removable storage devices and network shares, or sending itself over instant messaging (IM) and p2p file-sharing applications.

Palevo-infected computers join together to form botnets, which can be controlled from Internet Relay Chat (IRC) channels and ordered to perform malicious actions, including launching denial-of-service attacks. Back in March, with assistance from the FBI, the Spanish Civil Guard arrested three hackers, known as Netkairo, jonyloleante and ostiator, for operating the Mariposa botnet.

Data captured during the raids in Spain led authorities to Slovenia, from where Mariposa leader Netkairo apparently acquired the Palevo variant used to create the botnet. Last week the Slovenian Criminal Police arrested several people for their roles in creating the malware, including a 23-year-old hacker known as Iserdo, who is believed to be the lead developer behind it. According to local reports, Iserdo was cuffed in the city of Maribor, but was later released on bail.

Luis Corrons, a security researcher at Panda Security, explains that Palevo, which its creators called the “ButterFly Flooder” (BFF), was being sold to other hackers for between 350 and 1100 euros depending on the modules it came preloaded with. The possibility of manually selecting the desired components and paying for each of them individually was also available.

“[...] This is not over. The Guardia Civil is still trying to arrest more people regarding the Mariposa botnet. And Iserdo has been selling the bot to different people, who are creating new botnets (as the one with the 'Vodafone Incident'),” Mr. Corrons, who is familiar with the investigation, commented.