Feeds

Mariposa botnet suspects duo sought jobs at Panda

Er... do you have references?

Choosing a cloud hosting partner with confidence

Two of the three suspects arrested for allegedly running the infamous Mariposa botnet in February personally applied for jobs with Spanish firm Panda Security, whose researchers helped track them down just a month earlier.

The brazen duo optimistically doorstepped Panda Labs technical director, Luis Corrons, on 22 March, in a hunt for work. The pair (unnamed by Spanish authorities and known only by their nicknames of Netkairo and Ostiator) were suspected, along with other three people in Spain, of running a 12.7 million strong zombie botnet.

Spanish police (Guardia Civil) recovered the personal information on 800,000 people (bank login details and email passwords) on systems confiscated from the suspects, who remain under investigation but are yet to be charged.

Panda Security and Defence Intelligence, in co-operation with the FBI and Spain's Guardia Civil, played a key role in shutting down the botnet and identifying its likely orchestrators before they were arrested by Spanish police in February.

Corrons was therefore more than a little surprised to come face-to-face with two of the suspects, brandishing CVs, on the stairwell of the Bilbao office of Panda's technical labs one day around a month later. Panda's technical guru had been expecting to meet journalists that day, so he wasn't especially that surprised to come across the young, casually dressed and somewhat scruffy pair.

"They said 'Are you Luis Corrons' and I was a bit puzzled who they were. It wasn't until they identified themselves by nickname that I realised it was Ostiator and Netkairo," Corrons told El Reg.

"Initially I was a little bit concerned but they only wanted to talk and give me their resumes."

Corrons had spent much of the preceding two weeks speaking to the media in both Spain and internationally about the Mariposa case. He'd also posted video blog entries explaining his role in the case, a factor which explains how the duo knew him, if not why they thought they might be able to get work from Panda.

"They didn't admit to any wrongdoing during this meeting but said they had some knowledge and experience that might be helpful and asked to come to an agreement," Corrons explained, adding that Ostiator was insistent that the whole Mariposa case had been blown out of proportion and misreported.

The duo said that neither was earning any money and both needed a job. - though not as a programmer. Both said they had no skills in programming.

Corrons initially suspected he might have been the victim of a practical joke, but told the duo he would speak to Panda's management about their CVs rather than casting about for hidden cameras. The security expert quizzed his colleagues and soon discovered, to his surprise, that the meeting was on the level.

Neither Netkairo nor Ostiator have been charged with anything, but continue to be the target of an active investigation about the use of stolen data. Having control of a botnet by itself is not a criminal offence in Spain. None of the suspects is the subject of bail conditions that restrict their use of computers or prevent them approaching Corrons.

Some weeks after the initial meeting, Netkairo (who lives locally, unlike Ostiator) phoned Corrons, and the two arranged to meet in Panda's Bilbao headquarters a second time on 12 April.

"I told him even if they hadn't done Mariposa there was no way we would hire them because they didn't have any of the skills we were looking for," Corrons explained. "He got angry with that and eventually went on to suggest the idea for Mariposa was their idea and that they made the botnet."

After the meeting Netkairo made attempted to make a number of posts to the PandaLabs blog.

When a false Twitter profile using Luis Corrons' avatar but a fake Twitter user ID (Iuis_Corrons, with capital I instead of capital L) surfaced over the weekend, Corrons initially blamed Netkairo. The suspected cybercrook has since denied any part in creating the spoof account, which was quickly deleted by Twitter, as explained in a PandaLabs blog entry here.

Corrons spoke to Spanish police about his unusual contact with suspected botherders before eventually going public over the weekend. Security blogger Krebs on Security was the first to report on the curious meeting of minds.

Our report is based on speaking to Corrons on Tuesday and a draft of a blog entry on the curious meeting, due to be published later this week. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.