Feeds

Mariposa botnet suspects duo sought jobs at Panda

Er... do you have references?

Security for virtualized datacentres

Two of the three suspects arrested for allegedly running the infamous Mariposa botnet in February personally applied for jobs with Spanish firm Panda Security, whose researchers helped track them down just a month earlier.

The brazen duo optimistically doorstepped Panda Labs technical director, Luis Corrons, on 22 March, in a hunt for work. The pair (unnamed by Spanish authorities and known only by their nicknames of Netkairo and Ostiator) were suspected, along with other three people in Spain, of running a 12.7 million strong zombie botnet.

Spanish police (Guardia Civil) recovered the personal information on 800,000 people (bank login details and email passwords) on systems confiscated from the suspects, who remain under investigation but are yet to be charged.

Panda Security and Defence Intelligence, in co-operation with the FBI and Spain's Guardia Civil, played a key role in shutting down the botnet and identifying its likely orchestrators before they were arrested by Spanish police in February.

Corrons was therefore more than a little surprised to come face-to-face with two of the suspects, brandishing CVs, on the stairwell of the Bilbao office of Panda's technical labs one day around a month later. Panda's technical guru had been expecting to meet journalists that day, so he wasn't especially that surprised to come across the young, casually dressed and somewhat scruffy pair.

"They said 'Are you Luis Corrons' and I was a bit puzzled who they were. It wasn't until they identified themselves by nickname that I realised it was Ostiator and Netkairo," Corrons told El Reg.

"Initially I was a little bit concerned but they only wanted to talk and give me their resumes."

Corrons had spent much of the preceding two weeks speaking to the media in both Spain and internationally about the Mariposa case. He'd also posted video blog entries explaining his role in the case, a factor which explains how the duo knew him, if not why they thought they might be able to get work from Panda.

"They didn't admit to any wrongdoing during this meeting but said they had some knowledge and experience that might be helpful and asked to come to an agreement," Corrons explained, adding that Ostiator was insistent that the whole Mariposa case had been blown out of proportion and misreported.

The duo said that neither was earning any money and both needed a job. - though not as a programmer. Both said they had no skills in programming.

Corrons initially suspected he might have been the victim of a practical joke, but told the duo he would speak to Panda's management about their CVs rather than casting about for hidden cameras. The security expert quizzed his colleagues and soon discovered, to his surprise, that the meeting was on the level.

Neither Netkairo nor Ostiator have been charged with anything, but continue to be the target of an active investigation about the use of stolen data. Having control of a botnet by itself is not a criminal offence in Spain. None of the suspects is the subject of bail conditions that restrict their use of computers or prevent them approaching Corrons.

Some weeks after the initial meeting, Netkairo (who lives locally, unlike Ostiator) phoned Corrons, and the two arranged to meet in Panda's Bilbao headquarters a second time on 12 April.

"I told him even if they hadn't done Mariposa there was no way we would hire them because they didn't have any of the skills we were looking for," Corrons explained. "He got angry with that and eventually went on to suggest the idea for Mariposa was their idea and that they made the botnet."

After the meeting Netkairo made attempted to make a number of posts to the PandaLabs blog.

When a false Twitter profile using Luis Corrons' avatar but a fake Twitter user ID (Iuis_Corrons, with capital I instead of capital L) surfaced over the weekend, Corrons initially blamed Netkairo. The suspected cybercrook has since denied any part in creating the spoof account, which was quickly deleted by Twitter, as explained in a PandaLabs blog entry here.

Corrons spoke to Spanish police about his unusual contact with suspected botherders before eventually going public over the weekend. Security blogger Krebs on Security was the first to report on the curious meeting of minds.

Our report is based on speaking to Corrons on Tuesday and a draft of a blog entry on the curious meeting, due to be published later this week. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.