Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.
According to Spanish security firm Panda Security, the massive botnet, dubbed “Marioposa” (Spanish for “butterfly”), was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using money mules in the United States and Canada, and laundered stolen money through online gambling Web sites (pictured above is a screen shot of the Web site the men created where would-be Mariposa customers could visit for information on purchasing access to the botnet and other criminal services.)
Panda said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries. Spanish police estimate that at least 600,000 of the victimized PCs belong to Spanish citizens, and yet they concede it may be extremely challenging to put the men in jail if they are convicted at trial.
“It is almost impossible to be sent to prison for these kinds of crimes in Spain, where prison is mainly for serious crime cases,” said Captain Cesar Lorenzana, deputy head technology crime division of the Spanish Civil Guard. “In Spain, it is not a crime to own and operate a botnet or distribute malware. So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”
Spain is one of nearly three dozen countries that is a signatory to the Council of Europe’s cybercrime treaty, but Spanish legislators have not yet ratified the treaty by passing anti-cybercrime laws that would bring its judicial system in line with the treaty’s goals.
The Mariposa botnet takedown was orchestrated by a working group comprising Panda, the Georgia Tech Information Security Center, and Canadian security firm Defence Intelligence, which first detailed the workings of the botnet in a white paper released in May 2009.
On Dec. 23, 2009, the working group was able to “sinkhole’ the botnet by hijacking the command and control networks that were being used to orchestrate the botnet’s activities. But according to Defence Intelligence CEO Christopher Davis, a few days later, the alleged ringleader of the Mariposa botnet gang who goes by the hacker alias “Netkairo,” bribed an employee at a Spanish domain name registrar that the gang had been using to register Web site names that helped them control the botnet. Armed with those domains, Netkairo was able to rebuild the botnet, as the individual PCs previously enslaved by the Mariposa botnet were still programmed to regularly connect to those sites and download new marching orders.
Davis said that on Jan. 22, the hacker launched a distributed denial of service attack against Defense Intelligence’s Web site, using more than a million PCs the gang had managed to corral back into the Mariposa botnet. That assault, which forced the infected PCs to flood the company’s site with junk Web traffic, not only knocked Defence Intelligence offline, but took out networks of several other organizations that were using the same Internet service provider, including a local university and a few government agencies in Ottawa.
Lorenzana said the three men haven’t been named publicly because they haven’t yet been charged with a crime. Until that happens, which will probably be in a couple of weeks, the men are all free on their own recognizance. In the meantime, they are free to hoover up as much stolen data as they please, as the Mariposa working group has not yet been able to shutter the Web sites that served as the repository for personal and financial data stolen from people whose systems were ensnared by the bot.
“The main problem is that even though the botnet itself has been taken down, these bots are all still infected, and these guys who operated the botnet can still go and download all the details of the data they have stolen,” Lorenzana said.
Juan Santana, CEO of Panda Security, said he hopes this case will spur Spanish lawmakers to amend the penal code to more specifically punish cyber crime activities.
“I don’t think these guys will go to jail, especially if it is the first time they have committed a crime,” Santana said. “The government needs to pass laws that are enforceable and enforced afterward. In the vast majority of countries, malicious hackers do not fear that if they do get caught that they will go to jail, because the benefit for them is far higher than the risk right now.”