Mariposa botnet suspects duo sought jobs at Panda

Er... do you have references?

Two of the three suspects arrested for allegedly running the infamous Mariposa botnet in February personally applied for jobs with Spanish firm Panda Security, whose researchers helped track them down just a month earlier.

The brazen duo optimistically doorstepped Panda Labs technical director, Luis Corrons, on 22 March, in a hunt for work. The pair (unnamed by Spanish authorities and known only by their nicknames of Netkairo and Ostiator) were suspected, along with three other people in Spain, of running a 12.7 million strong zombie botnet.

Spanish police (Guardia Civil) recovered the personal information on 800,000 people (bank login details and email passwords) on systems confiscated from the suspects, who remain under investigation but are yet to be charged.

Panda Security and Defence Intelligence, in co-operation with the FBI and Spain's Guardia Civil, played a key role in shutting down the botnet and identifying its likely orchestrators before they were arrested by Spanish police in February.

Corrons was therefore more than a little surprised to come face-to-face with two of the suspects, brandishing CVs, on the stairwell of the Bilbao office of Panda's technical labs one day around a month later. Panda's technical guru had been expecting to meet journalists that day, so he wasn't especially surprised to come across the young, casually dressed and somewhat scruffy pair.

"They said 'Are you Luis Corrons' and I was a bit puzzled who they were. It wasn't until they identified themselves by nickname that I realised it was Ostiator and Netkairo," Corrons told El Reg.

"Initially I was a little bit concerned but they only wanted to talk and give me their resumes."

Corrons had spent much of the preceding two weeks speaking to the media in both Spain and internationally about the Mariposa case. He'd also posted video blog entries explaining his role in the case, a factor which explains how the duo knew him, if not why they thought they might be able to get work from Panda.

"They didn't admit to any wrongdoing during this meeting but said they had some knowledge and experience that might be helpful and asked to come to an agreement," Corrons explained, adding that Ostiator was insistent that the whole Mariposa case had been blown out of proportion and misreported.

The duo said that neither was earning any money and both needed a job, though not as a programmer. Both said they had no skills in programming.

Corrons initially suspected he might have been the victim of a practical joke, but told the duo he would speak to Panda's management about their CVs rather than casting about for hidden cameras. The security expert quizzed his colleagues and soon discovered, to his surprise, that the meeting was on the level.

Neither Netkairo nor Ostiator has been charged with anything, but both continue to be the target of an active investigation about the use of stolen data. Having control of a botnet by itself is not a criminal offence in Spain. None of the suspects is the subject of bail conditions that restrict their use of computers or prevent them approaching Corrons.

Some weeks after the initial meeting, Netkairo (who lives locally, unlike Ostiator) phoned Corrons, and the two arranged to meet in Panda's Bilbao headquarters a second time on 12 April.

"I told him even if they hadn't done Mariposa there was no way we would hire them because they didn't have any of the skills we were looking for," Corrons explained. "He got angry with that and eventually went on to suggest the idea for Mariposa was their idea and that they made the botnet."

After the meeting Netkairo attempted to make a number of posts to the PandaLabs blog.

When a false Twitter profile using Luis Corrons' avatar but a fake Twitter user ID (Iuis_Corrons, with capital I instead of capital L) surfaced over the weekend, Corrons initially blamed Netkairo. The suspected cybercrook has since denied any part in creating the spoof account, which was quickly deleted by Twitter, as explained in a PandaLabs blog entry.

Corrons spoke to Spanish police about his unusual contact with suspected botherders before eventually going public over the weekend. Security blogger Krebs on Security was the first to report on the curious meeting of minds.

Our report is based on speaking to Corrons on Tuesday and a draft of a blog entry on the curious meeting, due to be published later this week. ®
