Facebook today revealed details of how it helped derail a little-known botnet operation out of Greece that was used to steal and mine digital currency and spread via Facebook and Lightcoin mining -- infecting some 250,000 machines worldwide.
Two of the alleged masterminds behind the botnet were arrested in Greece last week for their role in the so-called Lecpetex botnet. The attackers included malware in messages they sent to social network users -- including Facebook users -- which then spread the malware to the infected user's contacts as well. Aside from mining digital currency via the bots, the attackers also stole email and bank account passwords, including the email address of Greece's Ministry of Mercantile Marine, according to a Greek press report.
Botnet takedowns and disruptions to date have mostly been Microsoft's territory, and many of these cyber criminal infrastructures are traced to Eastern Europe. But Facebook appears to have taken the lead on this one, which hails from Greece, working with Greece's Cyber Crime Division.
Disrupting a botnet's infrastructure is typically a temporary victory, security experts say, as determined cyber criminals will just set up shop elsewhere for their operations.
Facebook's Threat Infrastructure Team said in a detailed post today on the social media site:
Late last year, our abuse-fighting teams started to see a distinct new botnet. The attack was given the name "Lecpetex" by our peers at the Microsoft Malware Protection Center. Based on statistics released by the Greek police, the botnet may have infected as many as 250,000 computers. Those infections enabled those directing the botnet to hijack those computers and use them to promote social spam, which impacted close to 50,000 accounts at its peak.
Lecpetex launched more than 20 different spam runs between December 2013 and June 2014 and relied mainly on luring potential victims via social engineering ploys to run Java applications and scripts that were rigged with malware and infected their machines. Facebook said it contacted the Cybercrime Subdivision of the Greek police on April 30 of this year, which discovered that the alleged Lecpetex authors were setting up a Bitcoin service to launder stolen digital currency at the time of their arrest.
Most of the infected machines were in Greece, but Poland, Norway, India, Portugal, and the US also were big targets of the botnet.
Facebook researchers say the spam messages typically had simple lures like "lol" and a zipped attachment, which, when opened, executed the Java malware. That file then downloaded Lecpetex's main malware file that would allow the infected machine to receive commands to mine Litecoins, download and run the Facebook malicious spam, and download and run other malware -- including DarkComet RAT.
The Facebook team said:
Once we realized that traditional protections such as anti-virus products would not altogether remediate this threat, we began employing a range of efforts including working with other infrastructure providers and engaging law enforcement. Our team coordinated efforts and used automated tools to extract critical information from the botnet. Ultimately, remediating a threat like Lecpetex requires a combination of technical analysis capabilities, industry collaboration, agility in deploying new countermeasures, and law enforcement cooperation. All of these played an equally important role in our efforts.
The Lecpetex botnet didn't give up without a fight. In May, they began brazenly leaving notes to the Facebook team in their command and control servers: "Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz.."
Facebook, along with other partners it would not name publicly, in April began to take down Lecpetex's command and control servers and its distribution, testing, and monetization accounts. The social media firm in May launched other targeted disruptions of the botnet, and the botnet operators in June responded with a mass email campaign to infect machines after Facebook made it harder for the malware to spread on the social network.
Lecpetex also used antivirus evasion techniques, and malware delivery via Dropbox.
There were plenty of other creative aspects to the botnet operation. Facebook said:
Early versions of the malware used hardcoded IP addresses and disposable email sites for command and control. One of the unique aspects of the malware is the use of disposable email providers for command and control. They leveraged sites such as dispostable.com that allow anonymous clients to check a mailbox, which in the case of Lecpetex mailboxes would contain bot commands. Later, as our disruption efforts made it harder to use dedicated hosting providers, the operators switched to sites such as pastebin.com to post their commands on public pages hardcoded into the malware.
Users who want to check their machines for Lecpetex infections can do so by visiting this page on Facebook.