Arrests made in "Mariposa" botnet that infected 13 million PCs

AP reports that authorities in Spain have cracked one of the biggest botnet rings in history, with three arrests made and more expected. The so-called Mariposa botnet appeared in December 2008: "a data vacuum that stole credit cards and online banking credentials from as many as 12.7 million poisoned PCs," affecting "half of the Fortune 1,000 companies" and more than 40 major banks, according to investigators.


  1. The article claims that the 13 million computer-strong botnet has been “dismantled.” How exactly do they know that?

    Most likely they seized the main computers that deal with all the incoming data and send the outgoing control messages, which may do the trick, but can they know it for sure? The software, surely, is still on those 13 million computers.

    If I remember correctly, researchers often have a very hard time working out all the intricacies of what a well-designed virus can actually do to a computer. The designers do an awful lot of obfuscating to hide all the virus’s capabilities. Is it not possible that, without further instructions from the zombie master, all the computers will start communicating with a brand-new IP address instead — one that hadn’t even been connected when the authorities “dismantled” the net?

  2. “Zombie” computers get instructions from control computers or peers within the network. They have to relay their data, so likely, what they did was exploit this and instruct the covert software to either stop working or to point to a non-working or invalid IP address. If the software was able to update itself, they could also have loaded a package that makes part or all of the program inert or even deletes itself.

  3. Perhaps the botnet should have been “dismantled” by sending commands to the zombies instructing them to delete their entire hard drive contents.

    It would be on the same principle as child vaccination; your own PC/child might get damaged or destroyed, but society as a whole would certainly be stronger. A brutal education for zombie owners, who will otherwise just join a different botnet within the month.

    I’m on the fence about this, personally. When does the good of the society justify such actions? Nearly everyone agrees that psychopathic murderers should have their freedom limited for the good of society, but some people believe that requiring vaccination is going too far. On which side of the line does destroying botnets fall?

  4. Sorry, but the analogy is ridiculous. No doctor or scientist gives children vaccinations believing that the child will be damaged but that it’s for “the good of society.” Rather, all the evidence shows that the child’s risk without the vaccine is many, many times greater than the risk of the vaccine. This would be true even if there were no further good. And how did we turn this into an anti-vaccination discussion?


    @DeadWriter: To continue to explore the possibilities, however, even if they instructed the zombie computers to start visiting a dead IP address for their daily check-ins, can they be sure that there isn’t another piece of the code that is instructed to check a different IP address once a year, say? This would be for precisely this occasion: botnet master is down due to police action, but within a year it will be checking an IP address that isn’t even up yet?

    It may sound unreasonable, but were they ever even able to crack which IP addresses the Conficker worm will check next? As far as I know, they haven’t, so that botnet is still completely active.

    1. I am not anti-vaccination, my kids are vaccinated against quite a number of diseases. Please don’t leap to unwarranted conclusions. Perhaps you can come up with a better comparison? Because if you can’t, I’m going to run with this one.

      I think you are implying that “it’s not a good comparison because while doctors know a very small percentage of children will be harmed by vaccinations, wiping the hard drives of zombie PCs will harm 100 percent of them.” Right?

      I disagree. The percentage of people who would be physically harmed by wiping the zombie PCs might well be less than the percentage of people physically harmed by vaccines; in both cases, it’s a very small number. Just as vaccinating children decreases the overall number of children harmed by disease, wiping the drives of zombie PCs would certainly decrease the overall number of computer owners harmed by botnets.

      A great number of people would be inconvenienced if we cleaned up the Internet by killing the botnet zombies. I am inconvenienced by having to vaccinate. Some people say, “so what? Kill the disease!” Can we discuss botnets in that light? Is it legitimate to kill off the boxes of people who cannot secure them, since the big ISPs refuse to put them in quarantine where they belong?

      Got any better analogies yet? I almost said “leper colonies” instead of “quarantine”, and I’m sure that would have triggered somebody.

    1. Because I’m too unimaginative to come up with a better illustration of the social contract, basically. Help me out here Antinous?

      Axiom 1: Botnets can be commanded.
      Axiom 2: Individual zombies can be commanded to do anything that an uninfected PC can do.
      Axiom 3: PCs can format their hard drives.
      Axiom 4: Botnets cause problems.

      Proposition: Should botnets be commanded to self-destruct, wiping their hard drives and thus removing the problems?

      Analogy: Some things can harm individuals, but benefit the group. Some such things actually reduce the total number of individuals who are harmed (vaccinations).

      We don’t pay attention to people who die from vaccines (although it happens every year) because overall the vaccines save lives – for society, it’s a good deal, even though it’s presumably a bad deal for you if you’re one of the few that ends up 100% dead.

      Should someone nuke the zombie PCs? It can be done. The 60% of people on comcast who are infected will scream bloody murder, but very few people will be actually harmed, they will just be inconvenienced when they lose their address books, bank records, porn, etc. etc. etc. Would it be worth it?

      I tend to think yes (although honestly I’d rather the big ISPs would just quarantine the zombies instead).

  5. You don’t have to nuke zombie PCs to dismantle a botnet. PCs removed from a current botnet that haven’t been reformatted are still a danger, but no security professional would ‘nuke from orbit’ a zombie without prior written consent. Doing otherwise is jail time, man.

    Taking out/impersonating C&C’s is a different story.

  6. Losing records, family photos, contact information, etc. is actual harm. Nuking the zombies is not an option – especially, as thebelgianpanda points out, it’s illegal. Performing an illegal action to achieve a desirable result is still illegal. The better option is rendering the zombies harmless.

    The people that own the zombied computers are not really to blame, they were sold an appliance that does not perform acceptably. Punishing them is not a good option.

    1. But the zombie owners are aiding and abetting criminals who cause harm in excess of simply losing data. The fact that zombie owners are committing crimes without knowledge argues that they should be given a wakeup call.

      And honestly, if wiping a hard drive is going to cause problems for someone, those problems were inevitable, because all hardware fails eventually and that person must not be keeping backups.

      The best solution would be the easiest and simplest; the big ISPs use their existing equipment to VLAN out infected machines (they are trivially easy to detect and react to given the resources of verizon, comcast, rogers, etc.) so that they can’t harm others. Unfortunately, this solution is being prevented by greed and incompetence.

      Nuking zombies is an option. I know this guy, a friend of mine, who could nuke at least two of the big botnets. Maybe more with some research. The question remains, should it be done? Thank you for your response, dculberson!

      1. I know this guy, a friend of mine, who could nuke at least two of the big botnets. Maybe more with some research.

        Uh huh. Also, I have a friend who could totally crack the passwords to all the Russian nuclear launch codes, if he decided that it really should be done. Really, he told me.

  7. It should be illegal for anyone who doesn’t have a degree in computer science to own or operate a computer. Problem solved.

  8. This whole reformatting a hard drive of zombie computers is utterly stupid.
    1) It cannot work even if it was made a law to do so.
    2) Someone breaks into your home, steals your jewelry, but drops by accident jewelry stolen from the neighbor’s house.
    Is the homeowner guilty of receiving stolen property?
    If someone steals my car and gets in an accident, am I responsible?
    Hold criminals accountable, not victims.
    However, having your internet account frozen until your computer stops spamming the world is a good start.
    Computer is frozen out of all networks until the computer is validated as being zombie-botnet free is better yet.
    Burning down someone’s house because the neighbor’s dog brought fleas over is just a little over the top, don’t you think?
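Comments 2 and 5 above describe taking over or impersonating the C&C and pointing the bots at a dead or defender-run address, and comment 1 asks how anyone can know the botnet is actually gone. Once the bots are redirected to a sinkhole, its connection log is what answers that question: hosts that keep checking in on the bot's timer are still infected, and those are the machines an ISP would notify or quarantine (comment 6). The following is an added example, not code from the article or any commenter; the sinkhole log lines are constructed and the beacon-regularity threshold is an assumption.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of a sinkhole's connection log (not real data):
# "<ISO timestamp> <source IP> <sinkhole IP>:<port>"
SINKHOLE_LOG = """\
2010-03-03T10:00:01 198.51.100.7 192.0.2.10:443
2010-03-03T10:30:02 198.51.100.7 192.0.2.10:443
2010-03-03T11:00:00 198.51.100.7 192.0.2.10:443
2010-03-03T11:30:01 198.51.100.7 192.0.2.10:443
2010-03-03T10:05:00 203.0.113.44 192.0.2.10:443
2010-03-03T10:35:03 203.0.113.44 192.0.2.10:443
2010-03-03T11:04:59 203.0.113.44 192.0.2.10:443
2010-03-03T12:17:45 203.0.113.9 192.0.2.10:443
2010-03-03T10:00:00 198.51.100.200 192.0.2.10:443
2010-03-03T10:03:00 198.51.100.200 192.0.2.10:443
2010-03-03T11:40:00 198.51.100.200 192.0.2.10:443
"""

def parse_log(text):
    """Group check-in times by source IP, sorted chronologically."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst = line.split()
        hits[src].append(datetime.fromisoformat(ts))
    return {src: sorted(times) for src, times in hits.items()}

def beacon_profile(times):
    """Mean and population std-dev of gaps between consecutive check-ins, in seconds."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None
    return mean(gaps), pstdev(gaps)

def infected_hosts(text, min_hits=3, max_jitter=0.1):
    """Return {source IP: check-in period} for hosts that call the sinkhole
    repeatedly on a steady schedule. A bot's check-in timer produces regular
    gaps; a one-off hit (a scanner, a curious researcher) or irregular traffic
    does not, so those sources are left out of the notification list.
    min_hits and max_jitter are assumed thresholds, not values from the page."""
    flagged = {}
    for src, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        avg, dev = beacon_profile(times)
        if dev <= max_jitter * avg:
            flagged[src] = round(avg)
    return flagged
```

Running `infected_hosts(SINKHOLE_LOG)` flags the two hosts beaconing every 30 minutes and ignores the single hit and the irregular source, which is the list an ISP quarantine or victim-notification step would consume.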
