Mariposa might be Russian
- 04 June, 2010 12:46
Security expert Eugene Kaspersky thinks the world’s biggest botnet, Mariposa, was crafted in Russia and its designers will escape scot-free.
The Mariposa botnet is thought to have controlled some 13 million infected machines, which it used late last year to steal credit card details, social networking passwords and other online account information.
Spanish authorities arrested three men in connection with Mariposa in March using information supplied by volunteers in the informal Mariposa Working Group. The group disabled botnet’s command-and-control servers on 23 December.
Russian-born Kaspersky said the botnet “looks and smells like it was made in Russia”.
“Mariposa has a way about it that I believe says it was made in Russia,” Kaspersky told Computerworld Australia.
“In Russia you can buy a botnet and they will demonstrate it for you before you pay.
“I think [the three arrested men] did not know much about botnets. They just bought it and followed instructions.”
Kaspersky said botnets are “out of control” in Russia. He said they said used by local businesses to attack rival companies and by criminals to launch international attacks.
He said small lines of code can be entered into a botnet’s script to prevent it from acquiring Russian computers for international attacks, which lowers the chances of a local police investigation.
“Even if they discover [Mariposa] is Russian, the designers will not be caught,” Kaspersky said. “This happens all of the time.”
Kaspersky Labs has built a laboratory to defend against Denial of Service (DoS) attacks in Russia.
The laboratory, which opened last month, will offer defence services for businesses and government agencies affected by DoS attacks.
Co-founder Eugene Kaspersky said he hopes to offer the services internationally but does not have immediate plans.
“There is a great need for protection against DoS,” Kaspersky said.
He was coy on whether so-called passive-aggressive defences — essentially DoS counter attacks — would be used, and nodded to the grey-area legality which could find a defender convicted for cybercrime.
Speaking at AusCert 2010 last month, SecureWorks malware researcher and group member, Joe Stewart, said Australian businesses affected by DoS attacks can turn to an informal group of security experts for help.
But he said the DoS defenders may face legal persecution for launching what he says are essential retaliatory attacks.
Stewart and Kaspersky said DoS defence requires a deft eye for detail that can spot a misplaced capitalisation or syntax and can take years to acquire.
“As a victim, you have to identify the IP address that is attacking you. For Tarpitting (a defence against HTTP-based DDOS attacks), set your TCP/IP window size to zero [which] means the attacker will keep resending un-acknowledged packets and will be stuck in a loop. The overall effect is that traffic reduces more using tarpits than if you drop it and don't respond,” Stewart said.
"When we drop packets, the CPU load of the bot is constant and the bot can handle it. But when we used tarpits, and the packets waited, the CPU usage of the bot went up 100 per cent so the bot became almost unuseable - you could call this a passive-agressive defence, and it is very effective."
Stewart said victims of DDoS attacks can find the group experts mentioned in news articles covering the attacks, and through social networks within the industry.