July 28, 2010

Police in Slovenia have arrested a 23-year-old man in Maribor believed to be responsible for creating the Mariposa botnet, a collection of hacked PCs that spanned an estimated 12 million computers across the globe, according to reports.

The Associated Press cites FBI officials in Washington, D.C. stating that authorities had arrested “Iserdo,” the nickname used by the hacker alleged to have created Mariposa, a botnet that first surfaced in December 2008 and grew to infect more than half of the Fortune 1,000 companies, as well as at least 40 major banks.

Earlier this year, police in Spain arrested three of Iserdo’s associates, who allegedly used the Mariposa botnet to steal credit card accounts and online banking credentials.

The AP story doesn’t identify Iserdo, saying officials declined to release his name and the exact charges filed against him, but says that the arrest took place about 10 days ago, and that the man has been released on bond.

According to information obtained by KrebsOnSecurity.com, Iserdo’s real name is Dejan Janžekovic. Local Slovenian press reports at the time of his arrest said Iserdo was a former student at the Maribor Faculty of Computer and Information Science, but that information could not be independently confirmed.

Individuals close to the case say Janžekovic charged a few hundred dollars for each copy of the bot kit, and that sales frequently were handled by a former classmate who accepted Western Union transfers on his behalf. According to two sources, one of those who helped with the transactions was a 24-year-old woman named Nuša Čoh, pictured here in her high school photo.

Neither Janžekovic nor Čoh could be immediately reached for comment.

Update, July 29, 4:45 p.m: Janzekovic appears only to have been a person of interest in this investigation, according to a law enforcement official I spoke with today. Also, I heard back from Janzekovic himself, who acknowledged having been investigated by the FBI and Slovenian police in connection with Mariposa, and taken in to the police station for questioning. But he said he is not Iserdo, and that the authorities somehow had him mixed up with someone else. From his e-mail to me:

“I am 23 years old (the picture you found is very outdated). I am single, I work as a senior systems administrator for a telco in Slovenia. Fact is that I love technology, I love life (even though the past two weeks it was hell on earth for me), but most of all – I am innocent. Yes, you read right, innocent. I am smarter than this and such things do interest me only from the technological point, as in how to protect against them.

Oh, not to forget, my net nick was and will never be Iserdo.

It is true, that I had the FBI and Slovenian police investigating me but it is also true, that I had nothing to hide. During the investigation I was very cooperative with authorities – I even gave them password for my encrypted partitions. What was the lead to me? It had to be some kind of mix-up and/or identity theft – the only person known to me in this whole story is the girl who I went to school with (as you have already found out).

Neither of authorities did explain to me how they came to conclusion that I was iserdo. I strongly believe the case was identity theft (obviously someone who knew enough about me, to know that I would easily fit in the case) and/or connection through Nusa. And believe me, it was also to my great surprise, when they woke me up at 6 a.m. to search my home on basis of me selling some ‘nasty code’.

But know this – I do not know any technical details about the botnet, program or anything about the criminal backgrounds as I have never seen it or worked with it.”

Original story:

Janžekovic and Čoh, circled, from a class photo.

Authorities in Spain and Slovenia were aided in their sleuthing by the “Mariposa Working Group,” a collection of security companies and experts that infiltrated the botnet late last year and ultimately wrested control of it away from criminals who had purchased access to the network.

Christopher Davis,  chief executive of working group member Defence Intelligence, said his team tracked just under 700 Web site domains being used to control portions of the Mariposa botnet, suggesting that Iserdo sold hundreds of copies of the bot kit, at hundreds of dollars per kit.

Davis said Iserdo’s creation used an advanced, custom-made communications protocol designed to slip in and out of firewalls unnoticed, and that communication between systems infected with the butterfly bot and its corresponding control Web site was obfuscated by using a homegrown encryption technology.

“It’s a complicated kit he built,” Davis said. “We’re pretty good at breaking crypto, and it took us at least three days to break the cryptography around this bot, when it normally takes us an hour or so.”

Davis praised the arrests, saying it was unusual because normally it is the individuals who are using and buying the bots that are apprehended, not the bot authors themselves. Still, he said, he hopes authorities can use the information to round up the various Mariposa botnet operators.

“We need to go after all of them – the people who write the code, the people who sell it, the people who distribute it, even the money mules they use to convert stolen credit cards and banking credentials into cash,” Davis said.

27 thoughts on “Alleged Mariposa Botnet Author Nabbed

  1. TJ

    Once again, Brian, you seem to have scooped the mainstream media hordes by actually naming the Mariposa botnet author.

    After reading this article, I entered the name Dejan Janžekovic into Google News, searching – past hour, day, week and month – and absolutely nothing came up.

    However, when I did a simple Google Web search, this KrebsonSecurity.com report was the very top and most relevant return. Well done!

  2. Time ST

    Security companies like Defence Intelligence and Panda Security has made a great job collaborating with authorities.

    Will we see a future in which security companies and the state intelligence work closely?

    1. Ben

      I don’t really see another option for them. The State Agencies need the asistance of the companies, and vice versa. I think we’ll see more and more cooperation between private security firms and state agencies, as it seems to be mutually beneficial.

  3. Jonathon

    I would love to hear more about this “advanced, custom-made communications protocol designed to slip in and out of firewalls unnoticed.”

    1. BrianKrebs Post author

      It was UDP-based (port 53), and it so took advantage of the same port used by domain name system (DNS) lookups. DNS lookups are generated whenever anyone on a network types in a web site name into a browser. So, port 53 traffic is almost universally allowed to traverse firewalls, as blocking it would more or less break the Web.

      1. greg

        Hi Brian
        I think in most cases the admins are setting their firewalls as you said, wide open to UDP/53. But they could restrict it a bit more, in such a way that the web access will still work while the bot communication would not. A local client will make the DNS request to its primary or secondary DNS and if this does not have the answer, will fetch it from a higher level DNS. If the firewall rules will specify the company DNS servers IP addresses as the only ones who can receive UDP/53 traffic (DNS requests from clients), and the only ones who can make requests and receive responses to/from DNS server outside local domain, the bot traffic would be hindered (I hope). Are my assumptions correct ?

  4. Dan

    Iserdo big idiot , you should use WMZ not WU with info of your girl friend , i adviced you alot 🙂

  5. DC

    Hi Brian

    This story is half true as i know Dejan (co-worker) and he is innocent and has nothing to do with the whole thing.

    He is a smart guy (recommend his as a cooworker), he had the feds on his back and a lot of unwanted press lately which spread like fire. All as a result of misleadings which one of the daly papers (Večer) also wrote a week ago.

    For fact, he is not Iserdo. So try to find out who Iserdo really is – Btw, tommorow there will be a press conference in Maribor given by the police authorities 😉



    1. MBP

      Hi Brian, Hi DC!

      Of course, Dejan has nothing to do with this all thing. But it was some how connected with this. I assume that reason is in Nuša Čoh and that they both class mates in high school. On Dejan’s bad luck, he is great computer expert and magic circle is completed.


  6. HR

    I don’t like the giving name of a human here. It’s not ethic. Even he is a criminal you don’t have right to announce his name. It’s against human rights.
    If i was him, i would give you to court for releasing my name as a criminal.
    What will you do if someone announce your name as a criminal in his blog? Will you just send an email and wait people to remove your name from their blogs? Will you multiply this action hundreds of time?

    1. Helly

      Not sure where your coming from here. About half the article is a quote from the individual in question providing an explanation as to why he is innocent. You won’t get a more fair reading of the story anywhere else I would wager. Its certainly not an ethical or human rights issue in any sense of those words. And if he is a malware author, this is exactly the exposure he deserves.

    2. Jim

      Hmmmmmmmmmmmmmmmm..reads like HR is part of the problem. Just maybe HR is near the end of shelf- life as a malicious script/code author.

  7. reader

    The guy on the right (with funky glasses) looks suspicious.

    1. abcd

      Globus only wrote that he is one of the suspect and that his name is the only name that is known to public -they didn’t write that he was Iserdo.

      1. abcd

        oh yeah … and the globus photo … they got it wrong … Dejan is not on that photo … i know both persons that that are on that photo.

      2. LC

        You are right. Brian was not first to post the name, but he was first to name Janžekovič as Isredo. In Globus, he was named – “not as the leader of the group, but as the smartest”.

        Story in the paper edition is much longer and contains fictional and romanced description of events, all related to the details certainly not available to the press (including, but not limited to, dialogues between hackers, hackers naming the net as Mariposa and one of three Spanish hackers being a seductive female – hope Brian will post her swimsuit photos 🙂

        All is spiced with a lot of inaccurate information, mistakes and misunderstanding of the whole case.

        The saddest point is that it seems Globus journalists really paid a visit to Maribor and still were unable to make contact and talk to the suspects.

  8. janez

    Dear Brian, you should be aware that you are quoting a press article from a newspaper which is considered as yellow press here in Slovenia (it is a daily newspaper that regularly reports about people meeting aliens and such extraordinary bullshit news). Well the more spectacular the article the better, all in the name of good ratings… The serious press here is just now beginning to mention someone else as being Iserdo, and even now only by his initials (everybody is presumed innocent until convicted in the court of law).

    So I hope Dejan will get a good lawyer and will be able to cash in some money out of this situation because ruining an innocent person’s life should not remain unpunished.

Comments are closed.