Inside the Takedown of the M00p Malware Crew

BARCELONA–As online crime continues to grow in volume and expand in scope, encompassing a massive number of scams and operations around the world, security researchers, lawmakers and others are pushing for better cooperation among law enforcement agencies and the security community in taking down the attackers behind these schemes. There are precious few examples of successful operations that have succeeded in recent years, but one that can be considered a model of how things can work is the investigation into the m00p malware-writing crew that began more than seven years ago.


The m00p crew was neither the most sophisticated nor the most successful group of its kind at the time it was dismantled, but some of its tactics would go on to become blueprints for other crews that have risen in their wake in the last few years. And, more importantly, the cooperative effort among law enforcement agencies in the U.K. and Finland and security researchers in various countries also has served as a model of how these investigations can work.

“It was a groundbreaking case in the U.K.,” Bob Burls, of the U.K. Police Central eCrime Unit, who was the lead investigator on the m00p case, said in a keynote talk at the Virus Bulletin conference here Wednesday.

The crew first came to the attention of the security community in 2004. At the time, the group was sending out malware-infected spam messages, some of which contained ZIP files purporting to contain a purchase agreement for a new iPod. The National Bureau of Investigation in Finland began looking into the group’s activities and quickly began assembling data on its members, including one man who used the handle Okasvi. They found a version of the SDbot malware that the man had posted on a public site.

A few months later, the m00p members began a new malware campaign that included a variant that exploited the MS05-039 vulnerability, which later would be made famous by the Zotob worm. Around the same time, F-Secure received an email from a m00p member and began looking into the group, as well. Researchers identified another member and found his real name on a site frequented by Nintendo enthusiasts. That discovery was quickly followed by a DDoS attack on the company’s main Web site, which crippled it for several hours.

By the end of 2005, Burls had gotten involved in the investigation, after receiving a sample of a new piece of malware from a contact in the U.K. security industry. The malware turned out to be a new IRC bot, and just a month later, a newer version of the malware sent out by the m00p crew began exploiting the Windows WMF vulnerability to compromise PCs. It had become obvious by then that the group had some skilled members who were employing a wide variety of tactics to ensure their success.

M00p was using a data center in the U.K., along with a local ISP, as a front for its operation, and Burls saw that as an opportunity. He was able to gain approval from the ISP to install software on the crew’s server that logged all of the outbound and inbound traffic, and quickly began gathering the evidence needed to build a case against Okasvi and another man, whom they later identified as Matthew Anderson.

Mikko Hypponen, chief research officer at F-Secure, who presented with Burls at the conference, said that when m00p began sending out malware-infected emails that appeared to come from the F-Secure domain, the company began looking into the group and its activities and ended up identifying Okasvi as a man named Artturi Alm, who was living in western Finland.

F-Secure worked with police in the local area, and in June 2006 authorities in the U.K. and Finland executed arrests of several suspects at the same time and seized a number of computers. Alm initially denied any involvement with m00p, but that denial didn’t hold up long.

“It turned out that he had an open chat session to the m00p IRC server on his PC when he was arrested,” Hypponen said. Alm also had the name Okasvi tattooed on his arm. Unsubtle.

He eventually confessed to writing most of the group’s malware and claimed that the m00p crew was doing for-hire targeted attacks against various unnamed high-profile companies and stealing customer information from databases, as well as participating in lower-level affiliate spam schemes. Despite the evidence and the confession, Alm only received a sentence of community service. Anderson ended up with a nine-month jail sentence.

The kind of cooperation between various national police agencies and security researchers that helped bring down the m00p crew should be the rule rather than the exception, Hypponen said.

“We as an industry should be doing much better,” he said. “The only way to do that is to find the people and investigate cases and get people behind bars. That’s the one thing we aren’t doing nearly enough.”
