Attacks/Breaches
7/8/2014
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Facebook Helps Cripple Greek Botnet

Arrests made in Lecpetex malware campaign that was spreading via Facebook, emails.

Facebook today revealed details of how it helped derail a little-known botnet operation out of Greece that was used to steal and mine digital currency and spread via Facebook and Lightcoin mining -- infecting some 250,000 machines worldwide.

Two of the alleged masterminds behind the botnet were arrested in Greece last week for their role in the so-called Lecpetex botnet. The attackers included malware in messages they sent to social network users -- including Facebook users -- which then spread the malware to the infected user's contacts as well.  Aside from mining digital currency via the bots, the attackers also stole email and bank account passwords, including the email address of Greece's Ministry of Mercantile Marine, according to a Greek press report.

Botnet takedowns and disruptions to date have mostly been Microsoft's territory, and many of these cyber criminal infrastructures are traced to Eastern Europe. But Facebook appears to have taken the lead on this one, which hails from Greece, working with Greece's Cyber Crime Division.

Disrupting a botnet's infrastructure is typically a temporary victory, security experts say, as determined cyber criminals will just set up shop elsewhere for their operations.

Facebook's Threat Infrastructure Team said in a detailed post today on the social media site:

Late last year, our abuse-fighting teams started to see a distinct new botnet. The attack was given the name "Lecpetex" by our peers at the Microsoft Malware Protection Center. Based on statistics released by the Greek police, the botnet may have infected as many as 250,000 computers. Those infections enabled those directing the botnet to hijack those computers and use them to promote social spam, which impacted close to 50,000 accounts at its peak.

Lecpetex launched more than 20 different spam runs between December 2013 and June 2014 and relied mainly on luring potential victims via social engineering ploys to run Java applications and scripts that were rigged with malware and infected their machines. Facebook said it contacted the Cybercrime Subdivision of the Greek police on April 30 of this year, which discovered that the alleged Lecpetex authors were setting up a Bitcoin service to launder stolen digital currency at the time of their arrest.

Most of the infected machines were in Greece, but Poland, Norway, India, Portugal, and the US also were big targets of the botnet.

Facebook researchers say the spam messages typically had simple lures like "lol" and a zipped attachment, which, when opened, executed the Java malware. That file then downloaded Lecpetex's main malware file that would allow the infected machine to receive commands to mine Litecoins, download and run the Facebook malicious spam, and download and run other malware -- including DarkComet RAT.

Source: Facebook
Source: Facebook

The Facebook team said:

Once we realized that traditional protections such as anti-virus products would not altogether remediate this threat, we began employing a range of efforts including working with other infrastructure providers and engaging law enforcement. Our team coordinated efforts and used automated tools to extract critical information from the botnet. Ultimately, remediating a threat like Lecpetex requires a combination of technical analysis capabilities, industry collaboration, agility in deploying new countermeasures, and law enforcement cooperation. All of these played an equally important role in our efforts.

The Lecpetex botnet didn't give up without a fight. In May, they began brazenly leaving notes to the Facebook team in their command and control servers: "Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz.."

Facebook, along with other partners it would not name publicly, in April began to take down Lecpetex's command and control servers and its distribution, testing, and monetization accounts. The social media firm in May launched other targeted disruptions of the botnet, and the botnet operators in June responded with a mass email campaign to infect machines after Facebook made it harder for the malware to spread on the social network.

Lecpetex also used antivirus evasion techniques, and malware delivery via Dropbox.

There were plenty of other creative aspects to the botnet operation. Facebook said:

Early versions of the malware used hardcoded IP addresses and disposable email sites for command and control. One of the unique aspects of the malware is the use of disposable email providers for command and control. They leveraged sites such as dispostable.com that allow anonymous clients to check a mailbox, which in the case of Lecpetex mailboxes would contain bot commands. Later, as our disruption efforts made it harder to use dedicated hosting providers, the operators switched to sites such as pastebin.com to post their commands on public pages hardcoded into the malware.

Users who want to check their machines for Lecpetex infections can do so by visiting this page on Facebook.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/11/2014 | 12:54:24 PM
Re: :)
@EffyE925 and @Kelly Jackson Higgins, I love how our comments field is driving new information about a breaking story. Great job both of you!
EffyE925
50%
50%
EffyE925,
User Rank: Apprentice
7/11/2014 | 12:36:29 PM
Re: :)
sent :D
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/11/2014 | 12:24:22 PM
Re: :)
Thanks--would you mind emailing me? higgins@darkreading.com. Thanks!
EffyE925
50%
50%
EffyE925,
User Rank: Apprentice
7/11/2014 | 12:21:49 PM
Re: :)
Since they are already famous in Greece, if you'd like I can give you their lawyer's number for an interview or more information
EffyE925
50%
50%
EffyE925,
User Rank: Apprentice
7/11/2014 | 12:20:00 PM
Re: :)
Yep they were released and charges were dropped since they stole nothing, euros or bitcoins. All they did was BTC mining. Here's is a translated version of a Greek website 

http://translate.google.com/translate?depth=1&hl=en&ie=UTF8&rurl=translate.google.com&sandbox=0&sl=auto&tl=en&u=http://www.secnews.gr/archives/80902
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/11/2014 | 12:05:05 PM
Re: :)
@EffyE925 Are you saying the suspects were released? Are they still being charged? Can you please point me to information on this? Thanks!
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/10/2014 | 4:38:22 PM
Re: Good job
You are right ... Threat intelligence is becoming a crucial discipline to share data on incidents and cyber threats, allowing early detection and adoption of proper countermeasures.

Regards

PL
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/10/2014 | 4:23:44 PM
Re: Good job
I suppose the good news here is that information- and intelligence-sharing is becoming all the rage today, at least in theory if not in practice. Lots of new ISACs showing up. 
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/10/2014 | 4:21:25 PM
Re: Good job
As Kelly I agree, the fight against cybercrime need a joint international collaboration between governments, law enforcement agencies and private companies ... information sharing its another key element.

 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/10/2014 | 4:04:43 PM
Re: Good job
It always helps when law enforcement located in the nation that houses the criminals cooperates. There are still a few nations who just won't do this, which obviously is why cybercrime is so rampant in their countries.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.