VANCOUVER–The takedown of the Mariposa botnet is a cyber law enforcement success story – but gaps in international cyber law could make it difficult to prosecute those behind the botnet.
A researcher involved in the analysis and dismantling of the Mariposa botnet said that gaps in cyber crime laws in the countries from which the botnet was operated may make it difficult to prosecute those accused of operating the scheme.
Pedro Bustamante, a senior researcher at Panda Security in Spain, said that those alleged to be behind the Mariposa botnet, which netted more than €20,000 a month at its height, may never see jail time because of lax cyber crime laws in Spain that, among other things, don’t consider it a crime to operate a botnet.
In a presentation at the Virus Bulletin Conference in Vancouver, British Columbia, Bustamante said the takedown of the Mariposa botnet, which controlled close to 13 million computers at one point, was an example of the benefits of close cooperation between IT security and anti-malware firms and law enforcement.
Panda was a member of the Mariposa Working Group – a law enforcement–industry partnership that also included the US FBI, Spain’s Guardia Civil (GC), as well as researchers at Georgia Tech, Intel and Neustar. Bustamante said that the botnet, one of the largest ever detected, was particularly effective at leveraging MSN instant messaging accounts to spread from computer to computer – monitoring active chat threads, then inserting messages with links to a malicious drive-by download Web site into those active conversations.
The Working Group, set up shortly after the botnet was identified in May 2009, proved instrumental in shutting down the command and control infrastructure that Mariposa used in December 2009. Law enforcement officials in Spain arrested three Spanish citizens accused of being part of the DDR crew, which leased and operated Mariposa from its Slovenian creators. They also seized systems used by the crew to operate the botnet, recovering data on millions and millions of stolen account credentials, Bustamante said.
However, Spanish laws may make it difficult to hold the botnet operators and to prosecute them, Bustamante said. Despite evidence gathered by law enforcement that the group stole “millions and millions” of credentials from Mariposa-infected systems, it isn’t clear whether that evidence will be admissible in the case, nor whether operating a botnet explicitly counts as a crime in Spain, Bustamante said.
Similar challenges may face prosecutors in Slovenia in their attempts to win jail time for Matjaz Skorjanc, a.k.a. Iserdo, and Nusa Coh, the 20-somethings alleged to have created and sold the Mariposa botnet client and command and control technology.
Data seized in the Mariposa case could be used to identify the entire botnet supply chain, including affiliated criminal groups renting botnets and distributing Trojan horse programs, third parties selling hacking tools like crypters and packers, and money mules who are cashing out illicit proceeds. However, Bustamante said it’s unclear how far law enforcement will go in chasing down the many leads that the Mariposa case generated.
“The communication with law enforcement is one way and difficult,” he said.
While clearly proof of the benefit to be had from cooperation between law enforcement and private sector companies, Mariposa may also be an example of the limits of such cooperation in the absence of universal adoption of the Convention on Cyber Crime, which harmonizes national laws on computer crime. To date, forty-three nations have signed that treaty, including the United States. However, many European nations, including Spain, have not ratified the treaty.