Attacks/Breaches
7/8/2014
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Facebook Helps Cripple Greek Botnet

Arrests made in Lecpetex malware campaign that was spreading via Facebook, emails.

Facebook today revealed details of how it helped derail a little-known botnet operation out of Greece that was used to steal and mine digital currency and spread via Facebook and Lightcoin mining -- infecting some 250,000 machines worldwide.

Two of the alleged masterminds behind the botnet were arrested in Greece last week for their role in the so-called Lecpetex botnet. The attackers included malware in messages they sent to social network users -- including Facebook users -- which then spread the malware to the infected user's contacts as well.  Aside from mining digital currency via the bots, the attackers also stole email and bank account passwords, including the email address of Greece's Ministry of Mercantile Marine, according to a Greek press report.

Botnet takedowns and disruptions to date have mostly been Microsoft's territory, and many of these cyber criminal infrastructures are traced to Eastern Europe. But Facebook appears to have taken the lead on this one, which hails from Greece, working with Greece's Cyber Crime Division.

Disrupting a botnet's infrastructure is typically a temporary victory, security experts say, as determined cyber criminals will just set up shop elsewhere for their operations.

Facebook's Threat Infrastructure Team said in a detailed post today on the social media site:

Late last year, our abuse-fighting teams started to see a distinct new botnet. The attack was given the name "Lecpetex" by our peers at the Microsoft Malware Protection Center. Based on statistics released by the Greek police, the botnet may have infected as many as 250,000 computers. Those infections enabled those directing the botnet to hijack those computers and use them to promote social spam, which impacted close to 50,000 accounts at its peak.

Lecpetex launched more than 20 different spam runs between December 2013 and June 2014 and relied mainly on luring potential victims via social engineering ploys to run Java applications and scripts that were rigged with malware and infected their machines. Facebook said it contacted the Cybercrime Subdivision of the Greek police on April 30 of this year, which discovered that the alleged Lecpetex authors were setting up a Bitcoin service to launder stolen digital currency at the time of their arrest.

Most of the infected machines were in Greece, but Poland, Norway, India, Portugal, and the US also were big targets of the botnet.

Facebook researchers say the spam messages typically had simple lures like "lol" and a zipped attachment, which, when opened, executed the Java malware. That file then downloaded Lecpetex's main malware file that would allow the infected machine to receive commands to mine Litecoins, download and run the Facebook malicious spam, and download and run other malware -- including DarkComet RAT.

Source: Facebook
Source: Facebook

The Facebook team said:

Once we realized that traditional protections such as anti-virus products would not altogether remediate this threat, we began employing a range of efforts including working with other infrastructure providers and engaging law enforcement. Our team coordinated efforts and used automated tools to extract critical information from the botnet. Ultimately, remediating a threat like Lecpetex requires a combination of technical analysis capabilities, industry collaboration, agility in deploying new countermeasures, and law enforcement cooperation. All of these played an equally important role in our efforts.

The Lecpetex botnet didn't give up without a fight. In May, they began brazenly leaving notes to the Facebook team in their command and control servers: "Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz.."

Facebook, along with other partners it would not name publicly, in April began to take down Lecpetex's command and control servers and its distribution, testing, and monetization accounts. The social media firm in May launched other targeted disruptions of the botnet, and the botnet operators in June responded with a mass email campaign to infect machines after Facebook made it harder for the malware to spread on the social network.

Lecpetex also used antivirus evasion techniques, and malware delivery via Dropbox.

There were plenty of other creative aspects to the botnet operation. Facebook said:

Early versions of the malware used hardcoded IP addresses and disposable email sites for command and control. One of the unique aspects of the malware is the use of disposable email providers for command and control. They leveraged sites such as dispostable.com that allow anonymous clients to check a mailbox, which in the case of Lecpetex mailboxes would contain bot commands. Later, as our disruption efforts made it harder to use dedicated hosting providers, the operators switched to sites such as pastebin.com to post their commands on public pages hardcoded into the malware.

Users who want to check their machines for Lecpetex infections can do so by visiting this page on Facebook.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/11/2014 | 12:54:24 PM
Re: :)
@EffyE925 and @Kelly Jackson Higgins, I love how our comments field is driving new information about a breaking story. Great job both of you!
EffyE925
50%
50%
EffyE925,
User Rank: Apprentice
7/11/2014 | 12:36:29 PM
Re: :)
sent :D
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/11/2014 | 12:24:22 PM
Re: :)
Thanks--would you mind emailing me? higgins@darkreading.com. Thanks!
EffyE925
50%
50%
EffyE925,
User Rank: Apprentice
7/11/2014 | 12:21:49 PM
Re: :)
Since they are already famous in Greece, if you'd like I can give you their lawyer's number for an interview or more information
EffyE925
50%
50%
EffyE925,
User Rank: Apprentice
7/11/2014 | 12:20:00 PM
Re: :)
Yep they were released and charges were dropped since they stole nothing, euros or bitcoins. All they did was BTC mining. Here's is a translated version of a Greek website 

http://translate.google.com/translate?depth=1&hl=en&ie=UTF8&rurl=translate.google.com&sandbox=0&sl=auto&tl=en&u=http://www.secnews.gr/archives/80902
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/11/2014 | 12:05:05 PM
Re: :)
@EffyE925 Are you saying the suspects were released? Are they still being charged? Can you please point me to information on this? Thanks!
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/10/2014 | 4:38:22 PM
Re: Good job
You are right ... Threat intelligence is becoming a crucial discipline to share data on incidents and cyber threats, allowing early detection and adoption of proper countermeasures.

Regards

PL
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/10/2014 | 4:23:44 PM
Re: Good job
I suppose the good news here is that information- and intelligence-sharing is becoming all the rage today, at least in theory if not in practice. Lots of new ISACs showing up. 
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/10/2014 | 4:21:25 PM
Re: Good job
As Kelly I agree, the fight against cybercrime need a joint international collaboration between governments, law enforcement agencies and private companies ... information sharing its another key element.

 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/10/2014 | 4:04:43 PM
Re: Good job
It always helps when law enforcement located in the nation that houses the criminals cooperates. There are still a few nations who just won't do this, which obviously is why cybercrime is so rampant in their countries.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.