<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; mariposa botnet</title>
	<atom:link href="http://krebsonsecurity.com/tag/mariposa-botnet/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 22:39:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Alleged Mariposa Botnet Author Nabbed</title>
		<link>http://krebsonsecurity.com/2010/07/alleged-mariposa-botnet-author-nabbed/</link>
		<comments>http://krebsonsecurity.com/2010/07/alleged-mariposa-botnet-author-nabbed/#comments</comments>
		<pubDate>Thu, 29 Jul 2010 01:14:02 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[christopher davis]]></category>
		<category><![CDATA[defence intelligence]]></category>
		<category><![CDATA[Dejan Janzekovic]]></category>
		<category><![CDATA[Iserdo]]></category>
		<category><![CDATA[mariposa botnet]]></category>
		<category><![CDATA[Nuša Čoh]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=4236</guid>
		<description><![CDATA[Police in Slovenia have arrested a 23-year-old man in Maribor believed to be responsible for creating the Mariposa botnet, a collection of hacked PCs that spanned an estimated 12 million computers across the globe, according to reports. The Associated Press cites FBI officials in Washington, D.C. stating that authorities had arrested &#8220;Iserdo,&#8221; the nickname used [...]]]></description>
			<content:encoded><![CDATA[
<p>Police in Slovenia have arrested a 23-year-old man in Maribor believed to be responsible for creating the Mariposa botnet, a collection of hacked PCs that spanned an estimated 12 million computers across the globe, according to reports.</p>
<p><strong>The Associated Press</strong> cites <strong>FBI</strong> officials in Washington, D.C. <a href="http://www.msnbc.msn.com/id/38439213" target="_blank">stating</a> that authorities had arrested &#8220;Iserdo,&#8221; the nickname used by the hacker alleged to have created Mariposa, a botnet that first surfaced in December 2008 and grew to infect more than half of the Fortune 1,000 companies, as well as at least 40 major banks.</p>
<p>Earlier this year, police in Spain <a href="http://krebsonsecurity.com/2010/03/mariposa-botnet-authors-may-avoid-jail-time/" target="_blank">arrested three of Iserdo&#8217;s associates</a>, who allegedly used the Mariposa botnet to steal credit card accounts and online banking credentials.</p>
<p>The AP story doesn&#8217;t identify Iserdo, saying officials declined to release his name and the exact charges filed against him, but says that the arrest took place <a href="http://translate.google.com/translate?js=y&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=1&amp;eotf=1&amp;u=http%3A%2F%2Fwww.slovenskenovice.si%2Fclanek%2F114359&amp;sl=sl&amp;tl=en" target="_blank">about 10 days ago</a>, and that the man has been released on bond.</p>
<p>According to information obtained by KrebsOnSecurity.com, Iserdo&#8217;s real name is <a href="http://translate.google.com/translate?js=y&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=1&amp;eotf=1&amp;u=http%3A%2F%2Fwww.druga.org%2F~raz01c%2Fcejeki%2Fopis.html%3FDejanJanzekovic&amp;sl=sl&amp;tl=en" target="_blank"><strong>Dejan Janžekovic</strong></a>. Local Slovenian <a href="http://translate.google.com/translate?js=y&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=1&amp;eotf=1&amp;u=http%3A%2F%2Fwww.slovenskenovice.si%2Fclanek%2F114359&amp;sl=sl&amp;tl=en" target="_blank">press reports</a> at the time of his arrest said Iserdo was a former student at the <strong>Maribor Faculty of Computer and Information Science</strong>, but that information could not be independently confirmed.</p>
<p>Individuals close to the case say Janžekovic charged a few hundred dollars for each copy of the bot kit, and that sales frequently were handled by a former classmate who accepted Western Union transfers on his behalf. According to two sources, one of those who helped with the transactions was a 24-year-old woman named <strong>Nuša Čoh</strong>, pictured <a href="http://www.druga.org/~raz01c/cejeki/opis.html?NusaCoh" target="_blank">here</a> in her high school photo.</p>
<p>Neither Janžekovic nor Čoh could be immediately reached for comment.</p>
<p><strong>Update, July 29, 4:45 p.m.:</strong> Janzekovic appears only to have been a person of interest in this investigation, according to a law enforcement official I spoke with today. Also, I heard back from Janzekovic himself, who acknowledged having been investigated by the FBI and Slovenian police in connection with Mariposa, and taken into the police station for questioning. But he said he is not Iserdo, and that the authorities somehow had him mixed up with someone else. From his e-mail to me:</p>
<p>&#8220;I am 23 years old (the picture you found is very outdated). I am single; I work as a senior systems administrator for a telco in Slovenia. The fact is that I love technology, I love life (even though the past two weeks have been hell on earth for me), but most of all &#8211; I am innocent. Yes, you read right, innocent. I am smarter than this and such things do interest me only from the technological point of view, as in how to protect against them.</p>
<p>Oh, not to forget, my net nick never was and never will be Iserdo.</p>
<p>It is true that I had the FBI and Slovenian police investigating me, but it is also true that I had nothing to hide. During the investigation I was very cooperative with authorities &#8211; I even gave them the password for my encrypted partitions. What was the lead to me? It had to be some kind of mix-up and/or identity theft &#8211; the only person known to me in this whole story is the girl who I went to school with (as you have already found out).</p>
<p>Neither of the authorities explained to me how they came to the conclusion that I was iserdo. I strongly believe the case was identity theft (obviously someone who knew enough about me to know that I would easily fit in the case) and/or connection through Nusa. And believe me, it was also to my great surprise when they woke me up at 6 a.m. to search my home on the basis of me selling some &#8216;nasty code&#8217;.</p>
<p>But know this &#8211; I do not know any technical details about the botnet, program or anything about the criminal backgrounds as I have never seen it or worked with it.&#8221;</p>
<p><em>Original story:</em></p>
<div id="attachment_4249" class="wp-caption alignleft" style="width: 175px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/07/dejan-coh1.jpg"><img class="size-medium wp-image-4249" title="dejan-coh2" src="http://krebsonsecurity.com/wp-content/uploads/2010/07/dejan-coh1-165x300.jpg" alt="" width="165" height="300" /></a><p class="wp-caption-text">Janžekovic and Čoh, circled, from a class photo.</p></div>
<p>Authorities in Spain and Slovenia were aided in their sleuthing by the &#8220;Mariposa Working Group,&#8221; a collection of security companies and experts that infiltrated the botnet late last year and ultimately wrested control of it away from criminals who had purchased access to the network.</p>
<p><strong>Christopher Davis</strong>, chief executive of working group member Defence Intelligence, said his team tracked just under 700 Web site domains being used to control portions of the Mariposa botnet, suggesting that Iserdo sold hundreds of copies of the bot kit, at <a href="http://de.pastebin.ca/959934" target="_blank">hundreds of dollars per kit</a>.</p>
<p>Davis said Iserdo&#8217;s creation used an advanced, custom-made communications protocol designed to slip in and out of firewalls unnoticed, and that communication between systems infected with the butterfly bot and its corresponding control Web site was obfuscated by using a homegrown encryption technology.</p>
<p>&#8220;It&#8217;s a complicated kit he built,&#8221; Davis said. &#8220;We&#8217;re pretty good at breaking crypto, and it took us at least three days to break the cryptography around this bot, when it normally takes us an hour or so.&#8221;</p>
<p>Davis praised the arrests, saying they were unusual because normally it is the individuals who are using and buying the bots who are apprehended, not the bot authors themselves. Still, he said, he hopes authorities can use the information to round up the various Mariposa botnet operators.</p>
<p>“We need to go after all of them &#8211; the people who write the code, the people who sell it, the people who distribute it, even the money mules they use to convert stolen credit cards and banking credentials into cash,” Davis said.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/07/alleged-mariposa-botnet-author-nabbed/feed/</wfw:commentRss>
		<slash:comments>28</slash:comments>
		</item>
		<item>
		<title>Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm</title>
		<link>http://krebsonsecurity.com/2010/05/accused-mariposa-botnet-operators-sought-jobs-at-spanish-security-firm/</link>
		<comments>http://krebsonsecurity.com/2010/05/accused-mariposa-botnet-operators-sought-jobs-at-spanish-security-firm/#comments</comments>
		<pubDate>Mon, 03 May 2010 14:53:48 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[Luis Corrons]]></category>
		<category><![CDATA[mariposa botnet]]></category>
		<category><![CDATA[netkairo]]></category>
		<category><![CDATA[ostiator]]></category>
		<category><![CDATA[panda security]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=2757</guid>
		<description><![CDATA[Luis Corrons spent much of the last year helping Spanish police with an investigation that led to the arrest of three local men suspected of operating and renting access to a massive and global network of hacked computers. Then, roughly 60 days after their arrest, something strange happened: Two of them unexpectedly turned up at Corrons' office and asked to be hired as security researchers.]]></description>
			<content:encoded><![CDATA[
<p><strong><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/mariposa.jpg"><img class="alignright size-medium wp-image-2763" title="mariposa" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/mariposa-300x219.jpg" alt="" width="300" height="219" /></a>Luis Corrons</strong> spent much of the last year helping <strong>Spanish</strong> police with an investigation that led to the arrest of three local men suspected of operating and renting access to a <a href="http://krebsonsecurity.com/2010/03/mariposa-botnet-authors-may-avoid-jail-time/" target="_blank">massive and global network of hacked computers</a>. Then, roughly 60 days after their arrest, something strange happened: Two of them unexpectedly turned up at Corrons&#8217; office and asked to be hired as security researchers.</p>
<p>Corrons, a technical director and blogger for Spanish security firm <strong>Panda Security</strong>, said he received a visit from the hackers on the morning of March 22. The two men, known by the online nicknames &#8220;Netkairo&#8221; and &#8220;Ostiator,&#8221; were arrested in February by Spanish police for their alleged role in running the &#8220;Mariposa&#8221; botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for &#8220;butterfly&#8221;).</p>
<p>Now, here the two Mariposa curators were at Panda&#8217;s headquarters in Bilbao, their resumes in hand, practically begging for a job, Corrons said.</p>
<p>“At first, I couldn’t believe it, and I thought someone in the office was playing a practical joke on me,” Corrons said. “But these guys were the real guys, and they were serious.</p>
<p>&#8220;Ostiator told me, &#8216;The thing is, with everything that&#8217;s been happening, we&#8217;re not earning any money at the moment,&#8217;&#8221; Corrons recalled. &#8220;He said, &#8216;We thought we could look for some kind of agreement in which both sides would benefit. We think we have knowledge [that] could be useful to Panda and thought we could have some kind of agreement with Panda.&#8217;&#8221;</p>
<p>Spanish police do not typically release the names of individuals who have been arrested, and Netkairo and Ostiator haven&#8217;t yet been charged with any crime. But Corrons recognized that the names and addresses on the resumes matched those that police had identified as residences belonging to Netkairo and Ostiator.</p>
<p>Corrons said Panda&#8217;s lawyers were unwilling to release the full names of the two men that visited Panda Labs, but said Ostiator&#8217;s first name is <strong>Juan Jose</strong>, and that he is a 25-year-old male from Santiago de Compostela. Corrons said Netkairo is a 31-year-old from Balmaseda named <strong>Florencio</strong>.</p>
<p>Shortly after the arrests were announced, local Spanish media <a href="http://translate.google.com/translate?hl=en&amp;sl=es&amp;u=http://www.20minutos.es/noticia/642167/8/" target="_blank">said</a> the third individual arrested by Spanish authorities in connection with Mariposa &#8212; a 30-year-old identified by his initials &#8220;JPR&#8221; &#8212; used the hacker nickname &#8220;Johny Loleante&#8221; and lived in Molina de Segura, Murcia.</p>
<p>On Mar. 3, I had the opportunity to interview <strong>Captain Cesar Lorenzana</strong>, deputy head of the technology crime division of the Spanish Civil Guard. Lorenzana told Krebsonsecurity.com that Netkairo and his associate were earning about 3,000 Euros each month renting out the Mariposa botnet to other hackers.</p>
<p>Interviewing the same hackers less than three weeks later, Corrons asked them how they got started creating Mariposa.</p>
<p>&#8220;Basically, they said they started it as kind of a hobby, and that they weren&#8217;t working at the time,&#8221; Corrons said. &#8220;Suddenly, they started to earn money, a few hundred Euros a week to start, and then discovered they couldn&#8217;t stop. And the whole time, their network kept growing.&#8221;</p>
<p>Corrons said he told the pair there was really no way his company could hire them, but that he&#8217;d ask his boss all the same.</p>
<p>&#8220;I told them, &#8216;I’m not sure what you were thinking, but using Mariposa as your business card is not really a great help, quite the opposite in fact,&#8217;&#8221; Corrons said. &#8220;I said, &#8216;Well, I can&#8217;t promise anything [and] the fact you were behind Mariposa won&#8217;t work in your favor, although in any event, I don&#8217;t have the last word. I&#8217;ll speak about this with the management at Panda.&#8217;”</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/NETK2.jpg"><img class="alignleft size-medium wp-image-2776" title="NETK2" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/NETK2-300x162.jpg" alt="" width="300" height="162" /></a>Corrons said the meeting ended shortly after that, and later that evening he noticed he had <a href="http://twitter.com/juanjillo25" target="_blank">two</a> <a href="http://twitter.com/FLOXTER_SEC" target="_blank">new</a> followers on <strong>Twitter</strong>. One of the new followers, a user named &#8220;FLOXTER_SEC,&#8221; a few days later sent him a message saying &#8220;please dont [sic] forget us, everyone deserves a second chance.&#8221; The name attached to that Twitter profile is one &#8220;Florencio Carro&#8221; (Spanish authorities said Netkairo&#8217;s real initials were FCR).</p>
<p>THE SECOND MEETING</p>
<p>Corrons said he had no direct contact with the two hackers again until Apr. 12, when someone calling himself Netkairo called him at work.</p>
<p>&#8220;He told me, &#8216;Listen, I&#8217;m calling because Juanjo [Ostiator] is insisting that I come and see you,&#8217;&#8221; Corrons said. &#8220;He was asking about working for us again, and said, &#8216;We just want to know &#8212; as you haven&#8217;t answered &#8212; whether you&#8217;re thinking of hiring us or not?&#8217;&#8221;</p>
<p>Corrons said he met with Netkairo again at Panda&#8217;s offices, but said he repeated his previous statement that the company could not hire someone who had been accused of running a botnet.</p>
<p>&#8220;So he says to me, &#8216;But we still haven&#8217;t been charged,&#8217;&#8221; Corrons recalled. &#8220;I told him, &#8216;It doesn&#8217;t matter&#8230;just the fact that you are involved is a problem when it comes to working for any serious security company.&#8217; And what he then came out with says a lot about him. He said, &#8216;Yeah, but nobody else knows that.&#8217;&#8221;</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/NETK3.jpg"><img class="alignright size-medium wp-image-2777" title="NETK3" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/NETK3-300x236.jpg" alt="" width="300" height="236" /></a>When it became clear that Panda wasn&#8217;t interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company&#8217;s cloud anti-virus software and hinting that he planned to publish the information. Later that week, someone opened a blog at Google Blogspot using the account name &#8220;NeTK,&#8221; and posted a video labeled Panda Cloud Antivirus Detection Bypass POC.</p>
<p>For his part, Corrons dismisses the video, saying it merely shows the obvious result of disconnecting an anti-virus solution from the Internet.</p>
<p>NETKAIRO RESPONDS</p>
<p>Reached via e-mail and instant message, Netkairo said he was limited in what he could discuss about his case at the moment. He acknowledged visiting Panda and asking for a job there, saying he was flat broke now that their Mariposa money-making machine was gone.</p>
<p>But he said Panda&#8217;s estimate of 12 million PCs infected by the Mariposa botnet was hugely inflated.</p>
<p>&#8220;I can say that they [have] 100x the real numbers just to do nice marketing,&#8221; Netkairo wrote in an e-mail. &#8220;The real size of mariposa was like 100,000, [and] peak about 500,000 to 900,000 total machines.&#8221;</p>
<p>Netkairo said Panda failed to take into account the prevalence of so-called &#8220;dynamic&#8221; Internet addresses, where the same computer is assigned multiple Internet addresses over a period of time.</p>
<p>Corrons said the 12 million estimate was never meant to mean distinct, individual PCs, and that the company <a href="http://pandalabs.pandasecurity.com/mariposa-stats/" target="_blank">was careful to note</a> that it was only talking about the number of unique Internet addresses that it saw associated with Mariposa.</p>
<p>A LITTLE KNOWLEDGE IS A DANGEROUS THING</p>
<p>Whether the true number of PCs infected by Mariposa was one million or 12 million, the botnet culled massive amounts of personal data from infected systems. Spanish police said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries.</p>
<p>The botnet was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using <a href="http://www.krebsonsecurity.com/2010/01/top-10-ways-to-get-fired-as-a-money-mule/" target="_blank">money mules</a> in the United States and Canada, and laundered stolen money through online gambling Web sites.</p>
<p>Mariposa illustrates just how much damage malicious hackers can wreak these days with just a modicum of know-how. Corrons said both Netkairo and Ostiator told him that while they did indeed maintain the Mariposa botnet, they did not develop the botnet code and had relatively few technical skills. One hacker in the criminal underground who is familiar with Netkairo&#8217;s activities said the botnet owners generated many of the installations for their bot by seeding poisoned copies of pirated software on peer-to-peer file-sharing networks.</p>
<p>Spanish police say the break in the case came when one of the members of the Mariposa gang made an amateur mistake: Accessing the botnet&#8217;s control networks directly from his home Internet address instead of anonymizing his connection by relaying it through a mesh of third-party systems.</p>
<p>Perhaps Netkairo is being so bold because he doesn&#8217;t believe he will see the inside of a prison cell for his crimes. Indeed, Spanish authorities concede it may be extremely challenging to put the men in jail, even if they are convicted at trial.</p>
<p>&#8220;In Spain, it is not a crime to own and operate a botnet or distribute malware,&#8221; Capt. Lorenzana told Krebsonsecurity in March. &#8220;So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/05/accused-mariposa-botnet-operators-sought-jobs-at-spanish-security-firm/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
		<item>
		<title>&#8216;Mariposa&#8217; Botnet Authors May Avoid Jail Time</title>
		<link>http://krebsonsecurity.com/2010/03/mariposa-botnet-authors-may-avoid-jail-time/</link>
		<comments>http://krebsonsecurity.com/2010/03/mariposa-botnet-authors-may-avoid-jail-time/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 17:11:48 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[christopher davis]]></category>
		<category><![CDATA[defence intelligence]]></category>
		<category><![CDATA[juan santana]]></category>
		<category><![CDATA[mariposa botnet]]></category>
		<category><![CDATA[panda security]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=1450</guid>
		<description><![CDATA[Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a [...]]]></description>
			<content:encoded><![CDATA[
<p><a rel="attachment wp-att-1451" href="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/Screen-shot-2010-03-03-at-7.08.09-PM.png"><img class="alignright size-medium wp-image-1451" title="Screen shot 2010-03-03 at 7.08.09 PM" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/Screen-shot-2010-03-03-at-7.08.09-PM-300x165.png" alt="" width="300" height="165" /></a>Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.</p>
<p>According to Spanish security firm Panda Security, the massive botnet, dubbed &#8220;Mariposa&#8221; (Spanish for &#8220;butterfly&#8221;), was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using <a href="http://www.krebsonsecurity.com/2010/01/top-10-ways-to-get-fired-as-a-money-mule/" target="_blank">money mules</a> in the United States and Canada, and laundered stolen money through online gambling Web sites. (Pictured above is a screen shot of the Web site the men created, where would-be Mariposa customers could visit for information on purchasing access to the botnet and other criminal services.)</p>
<p>Panda said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries. Spanish police estimate that at least 600,000 of the victimized PCs belong to Spanish citizens, and yet they concede it may be extremely challenging to put the men in jail if they are convicted at trial.</p>
<p>&#8220;It is almost impossible to be sent to prison for these kinds of crimes in Spain, where prison is mainly for serious crime cases,&#8221; said <strong>Captain Cesar Lorenzana</strong>, deputy head of the technology crime division of the Spanish Civil Guard. &#8220;In Spain, it is not a crime to own and operate a botnet or distribute malware. So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.&#8221;</p>
<p>Spain is one of nearly three dozen countries that is a signatory to the Council of Europe&#8217;s cybercrime treaty, but Spanish legislators have not yet ratified the treaty by passing anti-cybercrime laws that would bring its judicial system in line with the treaty&#8217;s goals.</p>
<p>The Mariposa botnet takedown was orchestrated by a working group comprising Panda, the Georgia Tech Information Security Center, and Canadian security firm Defence Intelligence, which first detailed the workings of the botnet in a white paper released in May 2009.</p>
<p>On Dec. 23, 2009, the working group was able to &#8220;sinkhole&#8221; the botnet by hijacking the command and control networks that were being used to orchestrate the botnet&#8217;s activities. But according to Defence Intelligence CEO <strong>Christopher Davis</strong>, a few days later, the alleged ringleader of the Mariposa botnet gang who goes by the hacker alias &#8220;Netkairo,&#8221; bribed an employee at a Spanish domain name registrar that the gang had been using to register Web site names that helped them control the botnet. Armed with those domains, Netkairo was able to rebuild the botnet, as the individual PCs previously enslaved by the Mariposa botnet were still programmed to regularly connect to those sites and download new marching orders.</p>
<p>Davis said that on Jan. 22, the hacker launched a distributed denial of service attack against Defence Intelligence&#8217;s Web site, using more than a million PCs the gang had managed to corral back into the Mariposa botnet. That assault, which forced the infected PCs to flood the company&#8217;s site with junk Web traffic, not only knocked Defence Intelligence offline, but took out networks of several other organizations that were using the same Internet service provider, including a local university and a few government agencies in Ottawa.</p>
<p>Lorenzana said the three men haven&#8217;t been named publicly because they haven&#8217;t yet been charged with a crime. Until that happens, which will probably be in a couple of weeks, the men are all free on their own recognizance. In the meantime, they are free to hoover up as much stolen data as they please, as the Mariposa working group has not yet been able to shutter the Web sites that served as the repository for personal and financial data stolen from people whose systems were ensnared by the bot.</p>
<p>&#8220;The main problem is that even though the botnet itself has been taken down, these bots are all still infected, and these guys who operated the botnet can still go and download all the details of the data they have stolen,&#8221; Lorenzana said.</p>
<p><strong>Juan Santana</strong>, CEO of Panda Security, said he hopes this case will spur Spanish lawmakers to amend the penal code to more specifically punish cyber crime activities.</p>
<p>&#8220;I don&#8217;t think these guys will go to jail, especially if it is the first time they have committed a crime,&#8221; Santana said. &#8220;The government needs to pass laws that are enforceable and enforced afterward. In the vast majority of countries, malicious hackers do not fear that if they do get caught that they will go to jail, because the benefit for them is far higher than the risk right now.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/03/mariposa-botnet-authors-may-avoid-jail-time/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
	</channel>
</rss>

