May 3, 2010

Luis Corrons spent much of the last year helping Spanish police with an investigation that led to the arrest of three local men suspected of operating and renting access to a massive and global network of hacked computers. Then, roughly 60 days after their arrest, something strange happened:  Two of them unexpectedly turned up at Corrons’ office and asked to be hired as security researchers.

Corrons, a technical director and blogger for Spanish security firm Panda Security, said he received a visit from the hackers on the morning of March 22. The two men, known by the online nicknames “Netkairo” and “Ostiator,” were arrested in February by Spanish police for their alleged role in running the “Mariposa” botnet, a malware distribution platform that spread malicious software  to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for “butterfly”).

Now, here the two Mariposa curators were at Panda’s headquarters in Bilbao, their resumes in hand, practically begging for a job, Corrons said.

“At first, I couldn’t believe it, and I thought someone in the office was playing a practical joke on me,” Corrons said. “But these guys were the real guys, and they were serious.

“Ostiator told me, ‘The thing is, with everything that’s been happening, we’re not earning any money at the moment,” Corrons recalled. “He said, ‘We thought we could look for some kind of agreement in which both sides would benefit. We think we have knowledge [that] could be useful to Panda and thought we could have some kind of agreement with Panda.'”

Spanish police do not typically release the names of individuals who have been arrested, and Netkairo and Ostiator haven’t yet been charged with any crime. But Corrons recognized that the names and addresses on the resumes matched those that police had identified as residences belonging to Netkairo and Ostiator.

Corrons said Panda’s lawyers were unwilling to release the full names of the two men that visited Panda Labs, but said Ostiator’s first name is Juan Jose, and that he is a 25-year-old male from Santiago de Compostela. Corrons said Netkairo is a 31-year-old from Balmaseda named Florencio.

Shortly after the arrests were announced, local Spanish media said the third individual arrested by Spanish authorities in connection with Mariposa — a 30-year-old identified by his initials “JPR” — used the hacker nickname “Johny Loleante” and lived in Molina de Segura, Murcia.

On Mar. 3, I had the opportunity to interview Captain Cesar Lorenzana, deputy head technology crime division of the Spanish Civil Guard. Lorenzana told that Netkairo and his associate were earning about 3,000 Euros each month renting out the Mariposa botnet to other hackers.

Interviewing the same hackers less than three weeks later, Corrons asked them how they got started creating Mariposa.

“Basically, they said they started it as kind of a hobby, and that they weren’t working at the time,” Corrons said. “Suddenly, they started to earn money, a few hundred Euros a week to start, and then discovered they couldn’t stop. And the whole time, their network kept growing.”

Corrons said he told the pair there was really no way his company could hire them, but that he’d ask his boss all the same.

“I told them, ‘I’m not sure what you were thinking, but using Mariposa as your business card is not really a great help, quite the opposite in fact,'” Corrons said. “I said, ‘Well, I can’t promise anything [and] the fact you were behind Mariposa won’t work in your favor, although in any event, I don’t have the last word. I’ll speak about this with the management at Panda.’”

Corrons said the meeting ended shortly after that, and later that evening he noticed he had two new followers on Twitter. One of the new followers, a user named “FLOXTER_SEC,” a few days later sent him a message saying “please dont [sic] forget us, everyone deserves a second chance.” The name attached to that Twitter profile is one “Florencio Carro” (Spanish authorities said Netkairo’s real initials were FCR).


Corrons said he had no direct contact with the two hackers again until Apr. 12, when someone calling himself Netkairo called him at work.

“He told me, ‘Listen, I’m calling because Juanjo [Ostiator] is insisting that I come and see you,” Corrons said. “He was asking about working for us again, and said, ‘We just want to know — as you haven’t answered — whether you’re thinking of hiring us or not?'”

Corrons said he met with with Netkairo again at Panda’s offices, but said he repeated his previous statement that the company could not hire someone who had been accused of running a botnet.

“So he says to me, ‘But we still haven’t been charged,’ Corrons recalled. “I told him, ‘It doesn’t matter…just the fact that you are involved is a problem when it comes to working for any serious security company.’ And what he then came out with says a lot about him. He said, “Yeah, but nobody else knows that.”

When it became clear that Panda wasn’t interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company’s cloud anti-virus software and hinting that he planned to publish the information. Later that week, someone opened a blog at Google Blogspot using the account name “NeTK,” and posted a video labeled Panda Cloud Antivirus Detection Bypass POC.

For his part, Corrons dismisses the video, saying it merely shows the obvious result of disconnecting an anti-virus solution from the Internet.


Reached via e-mail and instant message, Netkairo said he was limited in what he could discuss about his case at the moment. He acknowledged visiting Panda and asking for a job there, saying he was flat broke now that their Mariposa money-making machine was gone.

But he said Panda’s estimate of 12 million PCs infected by the Mariposa botnet was hugely inflated.

“I can say that they [have] 100x the real numbers just to do nice marketing,” Netkairo wrote in an e-mail. “The real size of mariposa was like 100,000, [and] peak about 500,000 to 900,000 total machines.”

Netkairo said Panda failed to take into account the prevalence of so-called “dynamic” Internet addresses, where the same computer is assigned multiple Internet addresses over a period of time.

Corrons said the 12 million estimate was never meant to mean distinct, individual PCs, and that the company was careful to note that it was only talking about the number of unique Internet addresses that it saw associated with Mariposa.


Whether the true number of PCs infected by Mariposa was one million or 12 million, the botnet culled massive amounts of personal data from infected systems. Spanish police said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries.

The botnet was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using money mules in the United States and Canada, and laundered stolen money through online gambling Web sites.

Mariposa illustrates just how much damage malicious hackers can wreak these days with just a modicum of know-how. Corrons said both Netkairo and Ostiator told him that while they did indeed maintain the Mariposa botnet, they did not develop the botnet code and had relatively few technical skills. One hacker in the criminal underground who is familiar with Netkairo’s activities said the botnet owners generated many of the installations for their bot by seeding poisoned copies of pirated software on peer-to-peer file-sharing networks.

Spanish police say the break in the case came when one of the members of the Mariposa gang made an amateur mistake: Accessing the botnet’s control networks directly from his home Internet address instead of anonymizing his connection by relaying it through  a mesh of third-party systems.

Perhaps Netkairo is being so bold because he doesn’t believe he will see the inside of a prison cell for his crimes. Indeed, Spanish authorities concede it may be extremely challenging to put the men in jail, even if they are convicted at trial.

“In Spain, it is not a crime to own and operate a botnet or distribute malware,” Capt. Lorenzana told Krebsonsecurity in March. “So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”

20 thoughts on “Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm

  1. KuboIT

    Excellent, the time when the security company hired cyber-criminals in the past.

  2. PC.Tech

    ‘Bad idea to publish/link to a site of a known botmaster – there is the distinct probability that anyone going there may surreptiously become part of their next business venture.


    1. BrianKrebs Post author

      Yep. I actually didn’t mean to keep that link in the post; that was more for my benefit as I was writing this piece. Thanks for the comment.

  3. Matt Walker

    Far too many online criminals have the idea that if they ever get busted they will switch to some high paying security job and the good times will keep rolling. I believe a judge in a recent case even encouraged the defendant to do just that but I feel that approach only serves to encourage them to continue wreaking havoc online. Good on the Panda Security guys for giving them the cold shoulder.

    1. KFritz

      There was an episode of ‘Barney Miller,’ by definition at least 28 years old, about a bank embezzler, who blackmailed the victim bank into hiring him as a consultant. The charges would have difficult to prove, the bank wasn’t clear on the details of the fraud, and hiring him kept the affair quiet.

      Hiring the crooks after the fact ain’t nothin’ new.

  4. xAdmin

    Second chance? Nice way to show you deserve such a thing by attempting to blackmail the organization you’re trying to get a job.

    These guys are just trying to CYA. They should be prosecuted to the full extent possible! And at a minimum should have to endure years cleaning up all the infected computers they caused.

    Then again, may be they just need to be taken behind the proverbial woodshed! 🙁

  5. gf

    Just to add fuel to this (ooooold) discussion, have anyone here ever payed to watch Kevin Mitnick talking about Social Engineering?

    If you did, would you consider you are a conscious citizen helping an ex-convict to get back into a lawfull life, or a fool giving money to someone that built his career upon his past as a crook? I really don’t have an answer for that.

    What I am saying is that the examples that our society gives to the youger – either through a judge’s decision, an extrapolated media coverage or our own acts – still entice them to follow this path.

    1. BrianKrebs Post author

      I don’t know, GF. I read Kevin Mitnick’s first book and found it to be highly interesting and entertaining.

      I’ve also heard world-renowned ex-scammer Frank Abignale speak (at the FBI no less) and was completely floored at how fascinating and funny he was.

      What strikes me as notable is that these guys running Mariposa said they were “hooked” on the game, that they found running the botnet to be “addictive”. I think you’ll get the same response from people who chase these guys for a living, if they’re honest.

      1. gf

        As I said: “just to add fuel”.

        I also read Mitnick’s Art of Deception a long time ago, and it was one of my motivations to keep investing in the InfoSec career.

        I also paid from my own pocket (my employer wouldn’t want to hear about it) to attend his speech back in 2003 here in Brasil. Loved it, learned tons from it and would attend again whenever the chance shows.

  6. secguy

    Panda Security is a joke.

    Those guys don’t do any security research.

    1. L. Davis

      Don’t be bitter Netkairo, I’m sure you’ll eventually get a job as a janitor or flipping burgers (if you’re lucky).

  7. Marcelo R

    These guys are not looking for job, they are extorting for this.

    If they were hired by Panda would be like: “The Wolf Guarding The Chickens”

    And do not think they are going to provide jobs, are showing their cards and they really are still the “dark side.” Today follow me a false @Iuis_corrons in Twitter, which are believed to be the same guys … 😉

    @Brian Very good article as always, I send a greeting and a pleasure to have shared with you the SBS2010 in Spain.


  8. george

    Hmm, from what I can read in the story, Luis Corrons based his assumption that those are the “real” guys on somewhat thin evidence. Just because some places and initials in their alleged CV’s match fragmentary information released by police is hardly solid evidence. Have he seen their ID cards ? I can assume there are more individuals aspiring to this dubious honor of boasting they have run a bot network than real perpetrators. Nevertheless, real or fake individuals, would be a particularly bad idea to offer them jobs having anything to do with computer security.

  9. antihacker101

    there is a chance that these 2 criminals were the ones the main hacker(through windstream using certs to pretend to be microsoft and verison) was training them to use the bot. all the info seems familiar. the PANDA security wasnt the first attempt to join. other sites used to spread out the worm are a subsite of aka BILL, thanks to deleted files on the drive. all the sites linked to the 2000 incoming IPs per hour that started in feb 2009 and kept on for years. there was a linktracker through used with the IPS. that used w3c to get the cookie info with the underlines. i still dont understand the dual band packet injections that my phone system and tower spread to everyone, but i got to talk to microsoft’s chief engineer. was used and i got to see a tree of thousands of linked hacked sites that follow me. it said i was using ICMP type 17. my hub is still altered. but i see less evidence of the hackers anymore. they originall used a yahoo IP till i noticed it in the ICMP, then changed to MSFT. anyways, i could go on forever. there is way more to it such as the ROOT law altered by a unusually higher than normal packets that we were pinging since feb 2009. i suggest it get looked into to see if it falls into the plan of the original hackers.

  10. Ivan

    I had a similar experience several years back (>10). I had to deal with equally disinterested police and equally slippery ‘hacker’ who thought he could get free stuff or a job by trying to bust our network, steal and publicise sensitive data. Even though we knew who he was, there was nothing we could do but be paranoid about security. It all stopped when another unsuspecting ISP came to town – they were running everything on Windows and stood no chance.

  11. eCurmudgeon

    It’s cases like this why I support the notion of requiring licensing of computer-security professionals. This way, miscreants like these two can either be denied said license, or if they had one, get their credentials pulled.

  12. QQ

    The original story stated that these 2 men did not make (programed) the botnet, so it is only a guess what they really know or don’t know. Operating a botnet isn’t much harder than operating Word, It is probably easier especially when the programing part is done by some one else.

    I imagine a security company could use some hackers here and there but not every hacker, possibly bully script kids, fits the security side. Guess these two guys didn’t fit for more than what you can read here.

    Suggesting to keep the botnet past as secret isn’t the best way to present your trustworthiness, and security is about trust.

  13. AlphaCentauri

    It sounds bizarre they would go to a security company with resumes like theirs. But in reality, where else could they hope to get hired? With a history of stealing personal data, raiding bank accounts, and vandalizing computers, there are very few employers who would want them on their premises, let alone pay them to be there. And there are very few jobs, no matter how low-paid, that don’t require some level of trust. If they can’t convince a security company that their criminal experience is marketable, they’re screwed.

  14. LoOoNaTiC

    I fail to see the issue with these two approaching Panda and handing in their CV’s. I think we have all lost touch with the concept of the internet and want it to be something it is not and can never be…that is secure and safe. Just like these kids who are using Bit torrent to download pirated content want it to be anonymous when it simply can never be that way.

    If we can all recall back in the 80’s hackers were around then too. As it turns out there were different types of hackers then to just as there are now. Some of the ‘bad’ became good and some of the good turned ‘bad’. One large difference is how those who are ‘bad’ got treated once they are caught. If you try and throw them into the fire we will never learn from our mistakes. I am not referring to the hackers themselves learning from their mistakes but rather us as the general population and the companies coding and producing software. If we can educate ourselves on how these clearly intelligent people are able to dissect and break into machines on such a large scale then we can in turn improve on our designs.

    One of my biggest fears is the current sub-culture we seem to be creating on a global scale. Those who choose to hack do run the risk of being caught. In our current culture we are NOT encouraging these brilliant minds to try and correct the errors or issues they find in their all-be-it illegal endeavors. Instead we prosecute them and the end result is the general population ends up being at risk.

  15. QQ

    It isn’t exactly a followup story but it does mention that the mariposa operators were unskilled according to Panda.

    Operating many bot net C&C programs doesn’t require any specific computer skills it is merely an interface and the creators could make it very simple to use for various reasons.

    It just confirms my gut feeling about this story that it was just script kids out of touch with reality.

    A funny comparison : adding to your CV your background of having a 5000 friends and an extensive experience in operating Facebook and Myspace as user!.

Comments are closed.