Facebook has reported the arrest of spammers responsible for a malicious botnet called Lecpetex, which was used to hack computers and mine the Litecoin cryptocurrency. Sources say that the Greek botnet that has been taken down had compromised 50,000 Facebook accounts and infected 250,000 computers worldwide to mine the virtual currency. The operators also stole people’s email and bank details and spread spam.
Facebook’s Menlo Park security team said the 27- and 31-year-old botnet authors had run 20 distinct spam campaigns between December 2013 and June 2014 before they were arrested last week. The campaigns hit Facebook and other online services, with some victims receiving private messages carrying a ‘zip’ attachment that contained a Visual Basic script or a Java JAR file.
If executed, these files would retrieve further malware modules hosted on particular remote sites. These modules were either DarkComet, a widely used remote access tool here employed to harvest login credentials, or variants of software that mines the Litecoin cryptocurrency.
Lecpetex was able to circumvent the Facebook filters designed to stop such malware from spreading by frequently refreshing and altering the malicious attachments. The malware had a second survival tactic as well: it automatically updated itself to evade various antivirus products.
According to Facebook, the authors put significant effort into evading the company’s attachment scanning by creating many variations of malformed zip files. These would open properly in Windows while causing various scanning techniques to fail. Facebook consequently reached out to law enforcement agencies and infrastructure providers after realizing that security software alone was not going to thwart Lecpetex.
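The article does not say how the Lecpetex archives were malformed, so the following is an added illustration from the defender’s side, not Facebook’s or the investigators’ code: it reads a zip’s central directory independently of the local file headers, flags any disagreement between the two views of the archive (the kind of inconsistency that makes a naive scanner and the extractor see different files), and flags script or JAR payloads like those described above. The sample archives, including the local-header rename used as one constructed example of malformation, are built inline.

```python
import io
import struct
import zipfile

SUSPICIOUS_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".jar", ".exe", ".scr")
EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"


def inspect_zip(data: bytes) -> list:
    """Walk the central directory, check each local header against it, return findings."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    n_entries, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(n_entries):
        if data[pos:pos + 4] != CEN_SIG:
            return findings + ["central directory truncated or corrupt at offset %d" % pos]
        c = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)  # 46-byte central header
        ccsize, name_len, extra_len, comment_len, loc_off = c[8], c[10], c[11], c[12], c[16]
        cname = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        pos += 46 + name_len + extra_len + comment_len
        if cname.lower().endswith(SUSPICIOUS_EXT):
            findings.append("script/executable payload: %s" % cname)
        if data[loc_off:loc_off + 4] != LOC_SIG:
            findings.append("%s: central directory points at a bad local header" % cname)
            continue
        l = struct.unpack_from("<4sHHHHHIIIHH", data, loc_off)  # 30-byte local header
        lflags, lcsize, lname_len = l[2], l[7], l[9]
        lname = data[loc_off + 30:loc_off + 30 + lname_len].decode("cp437", "replace")
        if lname != cname:  # the two views of the archive disagree about what the file is
            findings.append("name mismatch: local %r vs central %r" % (lname, cname))
        if not lflags & 0x08 and lcsize != ccsize:  # bit 3: sizes live in a data descriptor
            findings.append("%s: size mismatch: local %d vs central %d" % (cname, lcsize, ccsize))
    return findings


def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: a one-file archive written with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def rename_in_local_header(data: bytes, old: str, new: str) -> bytes:
    """Constructed malformation (hypothetical, not Lecpetex's actual trick): rename the file
    only in the first local header, so a scanner reading local headers sees a harmless name
    while an extractor that trusts the central directory still writes out the script."""
    assert len(old) == len(new) and data[30:30 + len(old)] == old.encode()
    return data[:30] + new.encode() + data[30 + len(old):]
```

Running inspect_zip over a clean text archive yields no findings; a .vbs archive yields one, and the renamed archive adds a name-mismatch finding on top of it.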
The social media company acknowledges that neutralizing a threat like Lecpetex requires a combination of technical analysis capabilities, agility in deploying new countermeasures, industry collaboration and law enforcement cooperation.
Facebook’s security team says it escalated the Lecpetex case on April 30 this year to the Cybercrime Subdivision of the Greek Police, and the agency immediately showed strong willingness to cooperate with Facebook.
Greek Police stated that, at the time of their arrest, the authors were in the process of establishing a Bitcoin ‘mixing’ service that would help them launder stolen Bitcoins.
The Lecpetex botnet is reported to have spread malware including the DarkComet remote access Trojan, relying on social engineering combined with adept evasion of antivirus products and of detection by white-hat researchers.
A blog post on Tuesday from Facebook’s Threat Infrastructure team identified the affected regions as Greece, Norway, Poland, India, Portugal and the United States.
Facebook representatives described the difficulties experienced in shutting down the botnet, adding that the creators taunted them through messages left on servers that were part of the botnet’s network.
According to Facebook, by May 2014 the creators of the Lecpetex botnet were evidently feeling the company’s pressure: they began leaving notes on command-and-control servers under Facebook’s investigation, jokingly denying any involvement in fraud.
A local Greek reporter called this the ‘most important’ case the Greek Cyber Crime Unit has handled, as the malware was said to have compromised an email password connected to the Greek Ministry of Mercantile Marine.