Facebook has moved slowly and deliberately into the realm of botnet takedowns by disrupting a relatively small operation in Greece that was using the social platform to spread spam and malware.
Two arrests were made in connection with the Lecpetex botnet in Greece on July 3. The alleged botmasters infected a quarter-million computers with malware that was used to steal Facebook and other credentials from victimized machines as well as drop Litecoin mining software, Facebook and Greek authorities said.
The scope of the Lecpetex takedown pales in comparison to the recent takedowns spearheaded by Microsoft and international authorities, but it does illustrate a continuing interest by large technology companies in pushing cybercrime operations off their respective platforms.
“Staying ahead of the latest threats is a complex job, and Lecpetex was a particularly persistent malware family,” Facebook said in a statement that also acknowledged the cooperation of the Cybercrime Subdivision of the Greek Police. “We hope this example will illustrate that cooperation can be helpful and productive in shutting down botnets, particularly when criminals abuse multiple online platforms to achieve their aims.”
At its peak, Facebook said, Lecpetex had 50,000 accounts under its control, and the attackers were bent on keeping the botnet up and running. They ran 20 different spam campaigns in a seven-month stretch ending in June, and constantly tinkered with the malware to evade antivirus and other security detection.
“Over the last seven months we saw the botnet operators experiment with different social engineering tactics, including embedding Java JAR files, using Visual Basic Scripts (VBS), and creating malformed ZIP archives and Microsoft Cabinet files (CAB),” Facebook said in its statement. “The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail. The files used in the spam messages were also refreshed frequently to evade anti-virus vendor detection.”
Most of the victims were in Greece, with pockets of others in Poland, Portugal, Norway, India and the United States. The attackers used social engineering to trick users into opening an infected .zip attachment in a spam message. When the victim ran the Java archive (JAR) inside the attachment, it downloaded the main Lecpetex module from a file-sharing service; that module was then injected into Windows Explorer, Facebook said. The injected module reaches out to a number of command and control IP addresses for updates as well as for the spamming module, Litecoin mining malware and a version of the DarkComet remote access Trojan.
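Facebook's statement does not say how the ZIP archives were malformed, so what follows is an added illustration of the general class, not Facebook's analysis and not code from the Lecpetex samples. A ZIP file describes every member twice: in a local header placed in front of the member's data, and in the central directory at the end of the file. Windows Explorer and most archivers start from the central directory, while streaming scanners often read local headers as they go, so an archive whose two descriptions disagree can open cleanly for the user and still confuse a scanner. The checker below parses both views with a deliberately strict parser and reports every disagreement; the two tamper functions build such archives from a clean one so the checker can be exercised offline. The member name invoice.jar, the payload bytes and the function names are constructed for this example.

```python
import io
import struct
import zipfile

# Record signatures and fixed-header layouts (little-endian) from APPNOTE.TXT section 4.3.
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<IHHHHHIIIHH"          # 30 bytes
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46 bytes
EOCD_FMT = "<IHHHHIIH"              # 22 bytes
DATA_DESCRIPTOR = 0x08              # general-purpose flag bit 3


def parse_central_directory(data):
    """Entries as the central directory describes them (what Explorer-style readers trust)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        (_, _, _, flags, method, _, _, crc, csize, usize,
         nlen, elen, clen, _, _, _, lh_offset) = struct.unpack_from(CENTRAL_FMT, data, pos)
        entries.append({"name": data[pos + 46:pos + 46 + nlen], "flags": flags, "method": method,
                        "crc": crc, "csize": csize, "usize": usize, "lh_offset": lh_offset})
        pos += 46 + nlen + elen + clen
    return entries


def parse_local_header(data, offset):
    """The same entry as a streaming scanner sees it: local header only, no central directory."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("bad local header signature at %d" % offset)
    _, _, flags, method, _, _, crc, csize, usize, nlen, _ = struct.unpack_from(LOCAL_FMT, data, offset)
    return {"name": data[offset + 30:offset + 30 + nlen], "flags": flags, "method": method,
            "crc": crc, "csize": csize, "usize": usize}


def find_header_mismatches(data):
    """Return (central_name, field, local_value, central_value) for every disagreement
    between the two descriptions of a member. A consistent archive yields an empty list."""
    findings = []
    for entry in parse_central_directory(data):
        try:
            local = parse_local_header(data, entry["lh_offset"])
        except ValueError as exc:
            findings.append((entry["name"], "local_header", str(exc), None))
            continue
        streamed = bool(local["flags"] & DATA_DESCRIPTOR)
        for field in ("name", "method", "crc", "csize", "usize"):
            if streamed and field in ("crc", "csize", "usize") and local[field] == 0:
                continue  # legitimately zero in the local header; the real values follow the data
            if local[field] != entry[field]:
                findings.append((entry["name"], field, local[field], entry[field]))
    return findings


def central_directory_names(data):
    """What a central-directory-driven reader lists, without touching local headers."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def build_sample_zip():
    """Constructed, well-formed archive with one member; the payload is inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.jar", b"constructed sample payload, not a real JAR\n" * 8)
    return buf.getvalue()


def tamper_local_name(data, new_name):
    """Constructed malformation: rename the member in the local header only (same length,
    so no offsets move). Central-directory readers still see the original name."""
    off = parse_central_directory(data)[0]["lh_offset"]
    nlen = struct.unpack_from("<H", data, off + 26)[0]
    if len(new_name) != nlen:
        raise ValueError("replacement name must keep the original length")
    return data[:off + 30] + new_name + data[off + 30 + nlen:]


def tamper_local_sizes(data):
    """Constructed malformation: zero the compressed and uncompressed sizes in the local header
    without setting the data-descriptor bit, so a local-header-only reader sees an empty member."""
    off = parse_central_directory(data)[0]["lh_offset"]
    return data[:off + 18] + struct.pack("<II", 0, 0) + data[off + 26:]


if __name__ == "__main__":
    clean = build_sample_zip()
    for label, blob in (("clean", clean),
                        ("renamed-local", tamper_local_name(clean, b"summary.txt")),
                        ("zeroed-sizes", tamper_local_sizes(clean))):
        print(label, central_directory_names(blob), find_header_mismatches(blob))
```

Both tampered archives still list invoice.jar when read through the central directory, which is the point: a gateway scanner that only accepts archives whose two descriptions agree rejects them outright, instead of depending on whichever header its own extractor happens to trust. Python's own zipfile is stricter than a pure central-directory reader (it compares the two names when asked to extract a member and refuses on mismatch), but many scanning engines and unpackers are not, and the same comparison extends naturally to extra fields, encryption flags and Zip64 records.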
Facebook said the spam module hijacks the user’s Facebook account, stealing browser cookies in order to access the account and its friend list to send private messages containing the same malicious .zip attachment.
“Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems,” Facebook said. “We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.”
Facebook said it detected spikes in spam moving across its platform starting in December. That started a chain of events leading to the takedown of a number of command and control servers and of distribution, test and monetization accounts. By then, Greek law enforcement was cooperating; the attackers responded by moving command and control to disposable email accounts and Pastebin, Facebook said. They also left vulgar messages for authorities on the command and control sites and in the malware.
Facebook said that the attackers had begun moving off Facebook and had added mass email techniques, but it was for naught as arrests were made on July 3.
The men were identified only as “students of informatics” and a Greek news report said they had not only hijacked Facebook accounts and credentials, but also online banking and PayPal passwords and the email password belonging to the country’s Ministry of Mercantile Marine.