Luis Corrons spent much of the last year helping Spanish police with an investigation that led to the arrest of three local men suspected of operating and renting access to a massive and global network of hacked computers. Then, roughly 60 days after their arrest, something strange happened:  Two of them unexpectedly turned up at Corrons’ office and asked to be hired as security researchers.

Corrons, a technical director and blogger for Spanish security firm Panda Security, said he received a visit from the hackers on the morning of March 22. The two men, known by the online nicknames “Netkairo” and “Ostiator,” were arrested in February by Spanish police for their alleged role in running the “Mariposa” botnet, a malware distribution platform that spread malicious software  to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for “butterfly”).

Now, here the two Mariposa curators were at Panda’s headquarters in Bilbao, their resumes in hand, practically begging for a job, Corrons said.

“At first, I couldn’t believe it, and I thought someone in the office was playing a practical joke on me,” Corrons said. “But these guys were the real guys, and they were serious.

“Ostiator told me, ‘The thing is, with everything that’s been happening, we’re not earning any money at the moment,” Corrons recalled. “He said, ‘We thought we could look for some kind of agreement in which both sides would benefit. We think we have knowledge [that] could be useful to Panda and thought we could have some kind of agreement with Panda.’”

Spanish police do not typically release the names of individuals who have been arrested, and Netkairo and Ostiator haven’t yet been charged with any crime. But Corrons recognized that the names and addresses on the resumes matched those that police had identified as residences belonging to Netkairo and Ostiator.

Corrons said Panda’s lawyers were unwilling to release the full names of the two men that visited Panda Labs, but said Ostiator’s first name is Juan Jose, and that he is a 25-year-old male from Santiago de Compostela. Corrons said Netkairo is a 31-year-old from Balmaseda named Florencio.

Shortly after the arrests were announced, local Spanish media said the third individual arrested by Spanish authorities in connection with Mariposa — a 30-year-old identified by his initials “JPR” — used the hacker nickname “Johny Loleante” and lived in Molina de Segura, Murcia.

On Mar. 3, I had the opportunity to interview Captain Cesar Lorenzana, deputy head technology crime division of the Spanish Civil Guard. Lorenzana told Krebsonsecurity.com that Netkairo and his associate were earning about 3,000 Euros each month renting out the Mariposa botnet to other hackers.

Interviewing the same hackers less than three weeks later, Corrons asked them how they got started creating Mariposa.

“Basically, they said they started it as kind of a hobby, and that they weren’t working at the time,” Corrons said. “Suddenly, they started to earn money, a few hundred Euros a week to start, and then discovered they couldn’t stop. And the whole time, their network kept growing.”

Corrons said he told the pair there was really no way his company could hire them, but that he’d ask his boss all the same.

“I told them, ‘I’m not sure what you were thinking, but using Mariposa as your business card is not really a great help, quite the opposite in fact,’” Corrons said. “I said, ‘Well, I can’t promise anything [and] the fact you were behind Mariposa won’t work in your favor, although in any event, I don’t have the last word. I’ll speak about this with the management at Panda.’”

Corrons said the meeting ended shortly after that, and later that evening he noticed he had two new followers on Twitter. One of the new followers, a user named “FLOXTER_SEC,” a few days later sent him a message saying “please dont [sic] forget us, everyone deserves a second chance.” The name attached to that Twitter profile is one “Florencio Carro” (Spanish authorities said Netkairo’s real initials were FCR).

THE SECOND MEETING

Corrons said he had no direct contact with the two hackers again until Apr. 12, when someone calling himself Netkairo called him at work.

“He told me, ‘Listen, I’m calling because Juanjo [Ostiator] is insisting that I come and see you,” Corrons said. “He was asking about working for us again, and said, ‘We just want to know — as you haven’t answered — whether you’re thinking of hiring us or not?’”

Corrons said he met with with Netkairo again at Panda’s offices, but said he repeated his previous statement that the company could not hire someone who had been accused of running a botnet.

“So he says to me, ‘But we still haven’t been charged,’ Corrons recalled. “I told him, ‘It doesn’t matter…just the fact that you are involved is a problem when it comes to working for any serious security company.’ And what he then came out with says a lot about him. He said, “Yeah, but nobody else knows that.”

When it became clear that Panda wasn’t interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company’s cloud anti-virus software and hinting that he planned to publish the information. Later that week, someone opened a blog at Google Blogspot using the account name “NeTK,” and posted a video labeled Panda Cloud Antivirus Detection Bypass POC.

For his part, Corrons dismisses the video, saying it merely shows the obvious result of disconnecting an anti-virus solution from the Internet.

NETKAIRO RESPONDS

Reached via e-mail and instant message, Netkairo said he was limited in what he could discuss about his case at the moment. He acknowledged visiting Panda and asking for a job there, saying he was flat broke now that their Mariposa money-making machine was gone.

But he said Panda’s estimate of 12 million PCs infected by the Mariposa botnet was hugely inflated.

“I can say that they [have] 100x the real numbers just to do nice marketing,” Netkairo wrote in an e-mail. “The real size of mariposa was like 100,000, [and] peak about 500,000 to 900,000 total machines.”

Netkairo said Panda failed to take into account the prevalence of so-called “dynamic” Internet addresses, where the same computer is assigned multiple Internet addresses over a period of time.

Corrons said the 12 million estimate was never meant to mean distinct, individual PCs, and that the company was careful to note that it was only talking about the number of unique Internet addresses that it saw associated with Mariposa.

A LITTLE KNOWLEDGE IS A DANGEROUS THING

Whether the true number of PCs infected by Mariposa was one million or 12 million, the botnet culled massive amounts of personal data from infected systems. Spanish police said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries.

The botnet was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using money mules in the United States and Canada, and laundered stolen money through online gambling Web sites.

Mariposa illustrates just how much damage malicious hackers can wreak these days with just a modicum of know-how. Corrons said both Netkairo and Ostiator told him that while they did indeed maintain the Mariposa botnet, they did not develop the botnet code and had relatively few technical skills. One hacker in the criminal underground who is familiar with Netkairo’s activities said the botnet owners generated many of the installations for their bot by seeding poisoned copies of pirated software on peer-to-peer file-sharing networks.

Spanish police say the break in the case came when one of the members of the Mariposa gang made an amateur mistake: Accessing the botnet’s control networks directly from his home Internet address instead of anonymizing his connection by relaying it through  a mesh of third-party systems.

Perhaps Netkairo is being so bold because he doesn’t believe he will see the inside of a prison cell for his crimes. Indeed, Spanish authorities concede it may be extremely challenging to put the men in jail, even if they are convicted at trial.

“In Spain, it is not a crime to own and operate a botnet or distribute malware,” Capt. Lorenzana told Krebsonsecurity in March. “So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”

Security experts at Symantec have discovered a software application made for a USB-based battery charger sold by Energizer actually included a hidden backdoor that allowed unauthorized remote access to the user’s system. The backdoor Trojan is easily removed, but Symantec believes the tainted software may have been in circulation since May 2007.

The product is the Energizer Duo USB battery charger, a device that charges batteries by drawing power from a USB port. The downloadable software that goes with the product — designed to monitor the charger’s performance and status — was available for both Mac and Windows, but according to the U.S. Computer Emergency Response Team (US-CERT) only the Windows version was affected.

Symantec said it found the backdoor after analyzing a component of the USB charger software sent to it by US-CERT. The backdoor is designed to run every time the computer starts, and then listen for commands from anyone who connects. Among the actions an attacker can take after connecting include downloading a file; running a file; sending a list of files on the system; and offloading the files to the remote attacker.

U.S. CERT has published an advisory that explains in greater detail how to remove this backdoor, should you have been unlucky enough to have installed the software. But the incident is the latest reminder that USB-based devices should always be considered hostile. At the very least, users should disable the autorun capability in Windows (which many malware families use to piggyback on removable media), and thoroughly scan any removable media for malicious files.

In another incident of malware hitchhiking on USB devices, Panda Security published a blog post Monday saying it had found a brand new Vodaphone HTC Magic mobile with Google’s Android operating system that came factory-packed with malicious software. According to Panda, the malware, which took advantage of the autorun functionality in Windows, was set up to enslave the host computer in the Mariposa botnet.

Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.

According to Spanish security firm Panda Security, the massive botnet, dubbed “Marioposa” (Spanish for “butterfly”), was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using money mules in the United States and Canada, and laundered stolen money through online gambling Web sites (pictured above is a screen shot of the Web site the men created where would-be Mariposa customers could visit for information on purchasing access to the botnet and other criminal services.)

Panda said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries. Spanish police estimate that at least 600,000 of the victimized PCs belong to Spanish citizens, and yet they concede it may be extremely challenging to put the men in jail if they are convicted at trial.

“It is almost impossible to be sent to prison for these kinds of crimes in Spain, where prison is mainly for serious crime cases,” said Captain Cesar Lorenzana, deputy head technology crime division of the Spanish Civil Guard. “In Spain, it is not a crime to own and operate a botnet or distribute malware. So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”

Spain is one of nearly three dozen countries that is a signatory to the Council of Europe’s cybercrime treaty, but  Spanish legislators have not yet ratified the treaty by passing anti-cybercrime laws that would bring its judicial system in line with the treaty’s goals.

The Mariposa botnet takedown was orchestrated by a working group comprising Panda, the Georgia Tech Information Security Center, and Canadian security firm Defence Intelligence, which first detailed the workings of the botnet in a white paper released in May 2009.

On Dec. 23, 2009, the working group was able to “sinkhole’ the botnet by hijacking the command and control networks that were being used to orchestrate the botnet’s activities. But according to Defence Intelligence CEO Christopher Davis, a few days later, the alleged ringleader of the Mariposa botnet gang who goes by the hacker alias “Netkairo,” bribed an employee at a Spanish domain name registrar that the gang had been using to register Web site names that helped them control the botnet. Armed with those domains, Netkairo was able to rebuild the botnet, as the individual PCs previously enslaved by the Mariposa botnet were still programmed to regularly connect to those sites and download new marching orders.

Davis said that on Jan. 22, the hacker launched a distributed denial of service attack against Defense Intelligence’s Web site, using more than a million PCs the gang had managed to corral back into the Mariposa botnet. That assault, which forced the infected PCs to flood the company’s site with junk Web traffic, not only knocked Defence Intelligence offline, but took out networks of several other organizations that were using the same Internet service provider, including a local university and a few government agencies in Ottawa.

Lorenzana said the three men haven’t been named publicly because they haven’t yet been charged with a crime. Until that happens, which will probably be in a couple of weeks, the men are all free on their own recognizance. In the meantime, they are free to hoover up as much stolen data as they please, as the Mariposa working group has not yet been able to shutter the Web sites that served as the repository for personal and financial data stolen from people whose systems were ensnared by the bot.

“The main problem is that even though the botnet itself has been taken down, these bots are all still infected, and these guys who operated the botnet can still go and download all the details of the data they have stolen,” Lorenzana said.

Juan Santana, CEO of Panda Security, said he hopes this case will spur Spanish lawmakers to amend the penal code to more specifically punish cyber crime activities.

“I don’t think these guys will go to jail, especially if it is the first time they have committed a crime,” Santana said. “The government needs to pass laws that are enforceable and enforced afterward. In the vast majority of countries, malicious hackers do not fear that if they do get caught that they will go to jail, because the benefit for them is far higher than the risk right now.”