
Mariposa: the Slovenian story

Sep 1

Some weeks ago it was announced that the Slovenian police had arrested the individuals responsible for selling the bot used to build the Mariposa botnet, whose creators were also arrested in Spain last March. A lot of confusing news has appeared since then, but thanks to Peter Lovšin, who has been really helpful, we could put some order in this mess and shed some light on it again.

After the arrests in Slovenia, the police gave a press conference where they disclosed some information. They had carried out seven house searches, in which they confiscated 75 pieces of computer equipment (computers, hard disks, etc.). They confirmed that they had detained two suspects, aged 23 and 24 (police detention in Slovenia is a maximum of 48 hours). After that they were released, but the investigation is still ongoing. One of those arrested, the police confirmed, is suspected of being the author of the malicious software (ButterflyBot) with which the Mariposa botnet was created. They confirmed they are investigating two felonies:

  • Creation of tools that enable computer crime.
  • Money laundering.

There is some more information, not confirmed by the Slovenian police, that the media found out: the 23-year-old is supposed to be Iserdo, the main head, known in real life as Matjaz Skorjanc from Maribor, Slovenia. He is a failed medicine student whose father owns a small company near Maribor that sells and develops electronic devices. It turns out that his alias, Iserdo, spelled backwards is Odresi, which means “redeem” in Slovenian.

The 24-year-old is supposed to be a girl, Nusa Coh, also from Maribor, whose IRC nickname is L0La. It seems that at least some of the money Iserdo was making by selling the bot was being paid to Nusa Coh, though she may not have known how Iserdo was making that money. She was receiving Western Union money transfers from different people, such as Netkairo, the owner of the Mariposa botnet.

(If you want to know why criminals always use Western Union, you should read this blog post I wrote some months ago.)

During the investigation another name came out: Dejan Janzekovic, 24 years old. He is also from Maribor and works as a system administrator at “Amis”, a Slovenian telecommunications company and ISP (Internet Service Provider). He was wrongly identified as Iserdo by some media, but he was never arrested. He contacted the media and told his story: the police were also at his house, but it seems he is more of a victim, as he was not even arrested. The investigators connected him with the story because he was in the same class as Nusa Coh (L0La) in high school (2nd gymnasium Maribor). Dejan said that he has not been in contact with her for ages, and that the real Iserdo was sometimes using his picture as his identification.

The week Iserdo and L0La were arrested, the website used to advertise and sell Butterfly Bot was taken down. As you probably remember, I showed you some screenshots of that website I took some months ago (http://pandalabs.pandasecurity.com/shedding-some-light-on-mariposa/). However, a week later it came back online, so I could take some updated screenshots for you:

[Screenshot: Butterfly Network Solutions]

[Screenshot: Butterfly Network Solutions 3]

A few days later the Slovenian CERT (SI-CERT) contacted the company hosting the page (West Hosting corp.). It seems that they were willing to cooperate, as the site has been down since then.

Not all the news is good. As far as I know, both Netkairo and Ostiator, the guys behind Mariposa, have not been charged yet and they are as free as a bird. If you ever wonder what Netkairo looks like, I’ve found that his Facebook account is public, so you can check his picture here (http://www.facebook.com/profile.php?id=679332704&v=wall). This is a comment he published when the Slovenian arrests took place:

[Screenshot: Netkairo]

It’s a modification of a colloquial Spanish expression (“Dios los cría y ellos se juntan”), meaning that people who think alike or are alike get together, but he’s changed the end of the phrase to “and the police pile them up”.

Anyway, I hope more good news can be announced in the near future, as Iserdo sold hundreds of bots, which translates into hundreds of botnets that can be taken down. This is the way to end cybercrime: show no mercy and hunt them until the end.

