A Canadian company has helped dismantle a massive computer-infiltration ring that infected more than 15 million computers around the world – including systems within Canadian banks and the federal government.
Spanish police have arrested three people charged with running a botnet – a program that infects and partly takes over victims' computers – that spanned some 190 countries. Not only is the botnet (named Mariposa, Spanish for butterfly) one of the largest of its kind, the software's operators appeared to target government and corporate computers, stealing huge amounts of sensitive data.
“Mariposa really stood out because it was growing at such a rate,” said Chris Davis, founder and CEO of Defence Intelligence, an Ottawa-based information security firm that helped track and ultimately disable Mariposa. “If you run down the list of Fortune 1,000 companies, you're talking about a 65-per-cent infection rate.”
Like most botnets, Mariposa was instructed to infect computers and then use a Web connection to communicate with its authors, who could then issue commands and steal information such as credit-card numbers and passwords from the infected computers. Among the victims were banks and government offices around the world, offices of the leaders of several Asian countries and about one million computers in Iran alone, Mr. Davis said.
Canadian corporate and government infrastructure was also hit. Non-critical systems at major Canadian banks were infected, as were some government computers, Mr. Davis said. Defence Intelligence notified Ottawa and the banks early on, and the infections were wiped out.
Defence Intelligence first identified Mariposa last May. The botnet got its name because it was designed using the Butterfly botkit, a piece of software that was at one time for sale on the Internet black market for about $1,000. The software is not especially difficult to use, and the three people arrested are described as having limited computer skills.
Defence Intelligence eventually enlisted the help of multiple partners, including the Georgia Institute of Technology and the Spanish company Panda Security. The FBI and the Spanish Guardia Civil also joined the investigation.
Botnets generally work by contacting one or several Web domains owned by the malicious software's creator. In December, security experts simultaneously blocked all the Mariposa domains, redirecting them to their own servers. That's when they were able to take a detailed look at the vast number of corporate and government computers infected.
“That's when we started to get granular visibility” of the botnet network, Mr. Davis said. “It really blew us away.”
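The "granular visibility" described above comes from the sinkhole itself: once the botnet's domains resolve to a server the defenders control, every infected machine that phones home leaves a record in that server's log. The following script is an added example, not code from the article or from Defence Intelligence; it parses a constructed sinkhole access log, de-duplicates the source addresses, and groups them by the address block they fall into, which is the first step toward the notification problem Mr. Davis raises later. The log format, the address blocks, and the organisation names are all assumptions made for illustration.

```python
"""Summarise which networks are phoning home to a sinkhole (added example).

Once C2 domains are redirected to a defender-controlled server, every infected
host that connects shows up in that server's log. This script parses constructed
sample log lines, counts distinct source addresses, and groups them by owning
network block so a responder can see which organisations need notifying.
The log format, address blocks and organisation names below are constructed
for illustration and are not taken from the article.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: sinkhole access log, one line per connection attempt.
# Assumed format: <timestamp> <src_ip> <requested_host> <bytes>
SAMPLE_LOG = """\
2009-12-23T10:01:02Z 203.0.113.5 c2-a.example.invalid 412
2009-12-23T10:01:03Z 203.0.113.5 c2-a.example.invalid 412
2009-12-23T10:01:09Z 203.0.113.77 c2-b.example.invalid 398
2009-12-23T10:02:15Z 198.51.100.20 c2-a.example.invalid 412
2009-12-23T10:02:16Z 192.0.2.130 c2-c.example.invalid 401
2009-12-23T10:03:40Z 192.0.2.131 c2-c.example.invalid 401
malformed line that should be skipped
2009-12-23T10:04:00Z 198.51.100.20 c2-b.example.invalid 398
"""

# Constructed mapping of address blocks to owning organisation (placeholders).
NETBLOCKS = {
    ipaddress.ip_network("203.0.113.0/24"): "Bank A (placeholder)",
    ipaddress.ip_network("198.51.100.0/24"): "Government dept (placeholder)",
}


def parse_hits(log_text):
    """Yield (src_ip, requested_host) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield src, parts[2]


def owner_of(addr, netblocks=NETBLOCKS):
    """Map an address to the organisation owning its block, if known."""
    for net, name in netblocks.items():
        if addr in net:
            return name
    return "unknown / residential"


def summarise(log_text, netblocks=NETBLOCKS):
    """Return {organisation: sorted list of distinct infected IPs}."""
    infected = defaultdict(set)
    for src, _host in parse_hits(log_text):
        infected[owner_of(src, netblocks)].add(src)
    return {org: sorted(str(ip) for ip in ips) for org, ips in infected.items()}


def distinct_hosts(log_text):
    """Number of distinct source addresses seen hitting the sinkhole."""
    return len({src for src, _ in parse_hits(log_text)})


if __name__ == "__main__":
    for org, ips in summarise(SAMPLE_LOG).items():
        print(f"{org}: {len(ips)} host(s) -> {', '.join(ips)}")
    print("distinct infected hosts:", distinct_hosts(SAMPLE_LOG))
```

Counting distinct sources rather than raw hits matters because a bot typically reconnects on a timer, so hit counts overstate infections; the "unknown / residential" bucket is exactly the population the article says has no notification mechanism.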
Spanish police believe the botnet managed to retrieve the personal information of more than 800,000 users.
So far, the three people arrested have been identified only by their Internet usernames: netkairo, johnyloleante and ostiator. The break in the case came when netkairo – while trying to regain control of Mariposa from the security experts – attempted to access the botnet from his home computer, leading police to his door. He was arrested in February, and the information on his computer led to the other arrests.
Although Mariposa has been rendered relatively impotent, the botnet continues to expand. Of the 15 million or so infected computers, about half are from the enterprise world, and half are individual home computers.
Mr. Davis said the toughest part of fighting such botnets is alerting the millions of people, companies and government offices whose computers have been compromised.
“There isn't a good way to distribute that information outside North America and Western Europe,” Mr. Davis said. “Even there, I can contact companies, but what do I do about my mom's computer in Squamish?
“There isn't a mechanism in place. There really needs to be.”
