Feeds

Mariposa botnet suspects duo sought jobs at Panda

Er... do you have references?

Top 5 reasons to deploy VMware with Tegile

Two of the three suspects arrested for allegedly running the infamous Mariposa botnet in February personally applied for jobs with Spanish firm Panda Security, whose researchers helped track them down just a month earlier.

The brazen duo optimistically doorstepped Panda Labs technical director, Luis Corrons, on 22 March, in a hunt for work. The pair (unnamed by Spanish authorities and known only by their nicknames of Netkairo and Ostiator) were suspected, along with other three people in Spain, of running a 12.7 million strong zombie botnet.

Spanish police (Guardia Civil) recovered the personal information on 800,000 people (bank login details and email passwords) on systems confiscated from the suspects, who remain under investigation but are yet to be charged.

Panda Security and Defence Intelligence, in co-operation with the FBI and Spain's Guardia Civil, played a key role in shutting down the botnet and identifying its likely orchestrators before they were arrested by Spanish police in February.

Corrons was therefore more than a little surprised to come face-to-face with two of the suspects, brandishing CVs, on the stairwell of the Bilbao office of Panda's technical labs one day around a month later. Panda's technical guru had been expecting to meet journalists that day, so he wasn't especially that surprised to come across the young, casually dressed and somewhat scruffy pair.

"They said 'Are you Luis Corrons' and I was a bit puzzled who they were. It wasn't until they identified themselves by nickname that I realised it was Ostiator and Netkairo," Corrons told El Reg.

"Initially I was a little bit concerned but they only wanted to talk and give me their resumes."

Corrons had spent much of the preceding two weeks speaking to the media in both Spain and internationally about the Mariposa case. He'd also posted video blog entries explaining his role in the case, a factor which explains how the duo knew him, if not why they thought they might be able to get work from Panda.

"They didn't admit to any wrongdoing during this meeting but said they had some knowledge and experience that might be helpful and asked to come to an agreement," Corrons explained, adding that Ostiator was insistent that the whole Mariposa case had been blown out of proportion and misreported.

The duo said that neither was earning any money and both needed a job. - though not as a programmer. Both said they had no skills in programming.

Corrons initially suspected he might have been the victim of a practical joke, but told the duo he would speak to Panda's management about their CVs rather than casting about for hidden cameras. The security expert quizzed his colleagues and soon discovered, to his surprise, that the meeting was on the level.

Neither Netkairo nor Ostiator have been charged with anything, but continue to be the target of an active investigation about the use of stolen data. Having control of a botnet by itself is not a criminal offence in Spain. None of the suspects is the subject of bail conditions that restrict their use of computers or prevent them approaching Corrons.

Some weeks after the initial meeting, Netkairo (who lives locally, unlike Ostiator) phoned Corrons, and the two arranged to meet in Panda's Bilbao headquarters a second time on 12 April.

"I told him even if they hadn't done Mariposa there was no way we would hire them because they didn't have any of the skills we were looking for," Corrons explained. "He got angry with that and eventually went on to suggest the idea for Mariposa was their idea and that they made the botnet."

After the meeting Netkairo made attempted to make a number of posts to the PandaLabs blog.

When a false Twitter profile using Luis Corrons' avatar but a fake Twitter user ID (Iuis_Corrons, with capital I instead of capital L) surfaced over the weekend, Corrons initially blamed Netkairo. The suspected cybercrook has since denied any part in creating the spoof account, which was quickly deleted by Twitter, as explained in a PandaLabs blog entry here.

Corrons spoke to Spanish police about his unusual contact with suspected botherders before eventually going public over the weekend. Security blogger Krebs on Security was the first to report on the curious meeting of minds.

Our report is based on speaking to Corrons on Tuesday and a draft of a blog entry on the curious meeting, due to be published later this week. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.