July 04, 2011, 9:25 AM — Conspicuous spending -- not technical sleuthing -- unearthed what may be the largest login-stealing botnet yet known, according to one expert working on the case.
One of the suspected masters of the Metulji botnet drew the attention of authorities because he owned a luxury apartment and two expensive cars but had no apparent means to afford them, says Karim Hijazi, CEO of Unveillance, a security firm working to dismantle the botnet.
Rather than keeping a low profile, accused botmasters in Bosnia and Slovenia attracted attention by flaunting wealth. "They got noisy with what they were doing," Hijazi says.
Some domains used by the botnet for command and control servers were readily discovered because the same individuals used their real names, addresses and phone numbers to register them, he says.
The botnet will be difficult to take down because the two men charged registered the domains in Russia and China, two notoriously unresponsive countries when it comes to enlisting help to block domains, Hijazi says. "This is going to be difficult. They're less than scrupulous about enforcing use policies," he says.
Meanwhile, Unveillance and Panda Security are trying to figure out the exact size of the botnet and how to shut it down. So far they've identified calling domains in 172 countries, and given the resilience of the bot, they are convinced Metulji must control millions of machines.
Despite taking down servers linked to the two suspects, the bot is still propagating, possibly by itself but possibly through others who have access to the same code, Hijazi says.
One hope is extracting license keys from seized servers to see who else has bought the botkits used to set up the botnet and trace them. Metulji is based on the Butterfly Botkit, which is the same software used to set up the Mariposa botnet, which ensnared 8 million to 12 million machines.
Researchers have identified more than 2,000 variants of Metulji binary code. "It's pretty seriously resilient against traditional antivirus and blocking and stopping tools," Hijazi says.
Removing it is a manual job that isn't easy, he says, and if not done properly allows the malware to reinstall itself. "There's no updating your antivirus and getting Butterfly Bot off your computer," he says.
Metulji managed to stay undetected for a long time, with some versions of it going back to 2007. The botnet talks via UDP, which is not typically monitored by firewalls. It also employed RapidShare for distributing updates, Hijazi says.