Attacks/Breaches
7/8/2014 04:25 PM
Facebook Helps Cripple Greek Botnet

Arrests made in Lecpetex malware campaign that was spreading via Facebook, emails.

Facebook today revealed details of how it helped derail a little-known botnet operation out of Greece that was used to steal digital currency and mine Litecoin, and that spread via Facebook -- infecting some 250,000 machines worldwide.

Two of the alleged masterminds behind the botnet were arrested in Greece last week for their role in the so-called Lecpetex botnet. The attackers included malware in messages they sent to social network users -- including Facebook users -- and the malware then spread itself to the infected user's contacts as well. Aside from mining digital currency via the bots, the attackers also stole email and bank account passwords, including the credentials for an email account of Greece's Ministry of Mercantile Marine, according to a Greek press report.

Botnet takedowns and disruptions to date have mostly been Microsoft's territory, and many of these cyber criminal infrastructures are traced to Eastern Europe. But Facebook appears to have taken the lead on this one, which hails from Greece, working with Greece's Cyber Crime Division.

Disrupting a botnet's infrastructure is typically a temporary victory, security experts say, as determined cyber criminals will just set up shop elsewhere for their operations.

Facebook's Threat Infrastructure Team said in a detailed post today on the social media site:

Late last year, our abuse-fighting teams started to see a distinct new botnet. The attack was given the name "Lecpetex" by our peers at the Microsoft Malware Protection Center. Based on statistics released by the Greek police, the botnet may have infected as many as 250,000 computers. Those infections enabled those directing the botnet to hijack those computers and use them to promote social spam, which impacted close to 50,000 accounts at its peak.

Lecpetex launched more than 20 different spam runs between December 2013 and June 2014 and relied mainly on luring potential victims via social engineering ploys to run Java applications and scripts that were rigged with malware and infected their machines. Facebook said it contacted the Cybercrime Subdivision of the Greek police on April 30 of this year, which discovered that the alleged Lecpetex authors were setting up a Bitcoin service to launder stolen digital currency at the time of their arrest.

Most of the infected machines were in Greece, but Poland, Norway, India, Portugal, and the US also were big targets of the botnet.

Facebook researchers say the spam messages typically had simple lures like "lol" and a zipped attachment, which, when opened, executed the Java malware. That file then downloaded Lecpetex's main malware file that would allow the infected machine to receive commands to mine Litecoins, download and run the Facebook malicious spam, and download and run other malware -- including DarkComet RAT.

Source: Facebook

The Facebook team said:

Once we realized that traditional protections such as anti-virus products would not altogether remediate this threat, we began employing a range of efforts including working with other infrastructure providers and engaging law enforcement. Our team coordinated efforts and used automated tools to extract critical information from the botnet. Ultimately, remediating a threat like Lecpetex requires a combination of technical analysis capabilities, industry collaboration, agility in deploying new countermeasures, and law enforcement cooperation. All of these played an equally important role in our efforts.

The Lecpetex operators didn't give up without a fight. In May, they began brazenly leaving notes to the Facebook team on their command and control servers: "Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz.."

Facebook, along with other partners it would not name publicly, in April began to take down Lecpetex's command and control servers and its distribution, testing, and monetization accounts. The social media firm in May launched other targeted disruptions of the botnet, and the botnet operators in June responded with a mass email campaign to infect machines after Facebook made it harder for the malware to spread on the social network.

Lecpetex also used antivirus evasion techniques and delivered malware via Dropbox.

There were plenty of other creative aspects to the botnet operation. Facebook said:

Early versions of the malware used hardcoded IP addresses and disposable email sites for command and control. One of the unique aspects of the malware is the use of disposable email providers for command and control. They leveraged sites such as dispostable.com that allow anonymous clients to check a mailbox, which in the case of Lecpetex mailboxes would contain bot commands. Later, as our disruption efforts made it harder to use dedicated hosting providers, the operators switched to sites such as pastebin.com to post their commands on public pages hardcoded into the malware.
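A defender-side check for the dead-drop pattern Facebook describes above, added here as an example and not code from Facebook's post: it scans a constructed proxy-log excerpt for clients that fetch the same page on a disposable-mailbox or paste site at near-constant intervals, which is how a bot polling for commands looks and a person browsing does not. The log format, the sample IPs and the exact host list are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts the article names as Lecpetex command channels (assumed watchlist).
DEAD_DROP_HOSTS = {"dispostable.com", "pastebin.com"}

# Constructed proxy-log excerpt (not real traffic): "<ISO time> <client> <host> <path>".
# Clients .7 and .9 poll one page on a timer; .12 visits pastebin irregularly.
SAMPLE_LOG = """\
2014-05-02T10:00:03 10.0.0.7 dispostable.com /inbox/b0t-a1c3
2014-05-02T10:05:04 10.0.0.7 dispostable.com /inbox/b0t-a1c3
2014-05-02T10:10:02 10.0.0.7 dispostable.com /inbox/b0t-a1c3
2014-05-02T10:15:03 10.0.0.7 dispostable.com /inbox/b0t-a1c3
2014-05-02T10:02:10 10.0.0.9 pastebin.com /raw/Qx7yL
2014-05-02T10:12:10 10.0.0.9 pastebin.com /raw/Qx7yL
2014-05-02T10:22:12 10.0.0.9 pastebin.com /raw/Qx7yL
2014-05-02T10:03:40 10.0.0.12 pastebin.com /raw/aaaa
2014-05-02T10:04:05 10.0.0.12 pastebin.com /raw/aaaa
2014-05-02T11:47:05 10.0.0.12 pastebin.com /raw/aaaa
"""

def parse_log(text):
    """Yield (time, client, host, path); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, host, path = parts
        yield datetime.fromisoformat(ts), client, host.lower(), path

def find_dead_drop_beacons(text, hosts=DEAD_DROP_HOSTS, min_hits=3, max_jitter=0.2):
    """Return {(client, host, path): mean gap in seconds} for clients that fetch the
    same page on a dead-drop host >= min_hits times with near-constant spacing."""
    by_key = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        if host in hosts:
            by_key[(client, host, path)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Timer-driven polling has little jitter relative to its period.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg)
    return flagged
```

Run against real proxy or DNS logs, tune `min_hits` and `max_jitter` to the environment; the interval check is what separates a polling bot from an employee who happens to use the same paste site.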

Users who want to check their machines for Lecpetex infections can do so by visiting this page on Facebook.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas, User Rank: Strategist, 7/11/2014 | 12:54:24 PM
Re: :)
@EffyE925 and @Kelly Jackson Higgins, I love how our comments field is driving new information about a breaking story. Great job both of you!

EffyE925, User Rank: Apprentice, 7/11/2014 | 12:36:29 PM
Re: :)
sent :D

Kelly Jackson Higgins, User Rank: Strategist, 7/11/2014 | 12:24:22 PM
Re: :)
Thanks -- would you mind emailing me? higgins@darkreading.com. Thanks!

EffyE925, User Rank: Apprentice, 7/11/2014 | 12:21:49 PM
Re: :)
Since they are already famous in Greece, if you'd like I can give you their lawyer's number for an interview or more information.

EffyE925, User Rank: Apprentice, 7/11/2014 | 12:20:00 PM
Re: :)
Yep, they were released and charges were dropped since they stole nothing, euros or bitcoins. All they did was BTC mining. Here is a translated version of a Greek website:

http://translate.google.com/translate?depth=1&hl=en&ie=UTF8&rurl=translate.google.com&sandbox=0&sl=auto&tl=en&u=http://www.secnews.gr/archives/80902

Kelly Jackson Higgins, User Rank: Strategist, 7/11/2014 | 12:05:05 PM
Re: :)
@EffyE925 Are you saying the suspects were released? Are they still being charged? Can you please point me to information on this? Thanks!

securityaffairs, User Rank: Ninja, 7/10/2014 | 4:38:22 PM
Re: Good job
You are right ... Threat intelligence is becoming a crucial discipline to share data on incidents and cyber threats, allowing early detection and adoption of proper countermeasures.

Regards

PL

Kelly Jackson Higgins, User Rank: Strategist, 7/10/2014 | 4:23:44 PM
Re: Good job
I suppose the good news here is that information- and intelligence-sharing is becoming all the rage today, at least in theory if not in practice. Lots of new ISACs showing up.

securityaffairs, User Rank: Ninja, 7/10/2014 | 4:21:25 PM
Re: Good job
As Kelly says, I agree: the fight against cybercrime needs joint international collaboration between governments, law enforcement agencies, and private companies ... information sharing is another key element.

Kelly Jackson Higgins, User Rank: Strategist, 7/10/2014 | 4:04:43 PM
Re: Good job
It always helps when law enforcement located in the nation that houses the criminals cooperates. There are still a few nations who just won't do this, which obviously is why cybercrime is so rampant in their countries.