Internet giant Facebook has been moving slowly toward the takedown of botnets and other malicious spam activity. This time we are not reporting on Facebook violating our privacy; instead, Facebook has deliberately taken down a reasonably sized botnet.
On July 3rd, two men were apprehended in Greece in connection with the Lecpetex botnet. The alleged operators infected more than 250,000 computers with the malware and used it to steal Facebook and other credentials from the victims' computers as well as to install Litecoin mining software, Facebook and Greek authorities reported.
Facebook’s takedown of the Lecpetex botnet is quite small and not as drastic as Microsoft’s recent No-IP domain seizure, but it is in fact important because it shows that large technology companies are taking an interest in the cybercrime operations targeting their respective platforms.
“Staying ahead of the latest threats is a complex job, and Lecpetex was a particularly persistent malware family,” Facebook said in a statement that also recognized the cooperation of the Cybercrime Subdivision of the Greek Police. “We hope this example will illustrate that cooperation can be helpful and productive in shutting down botnets, particularly when criminals abuse multiple online platforms to achieve their aims.”
Facebook reported that at its peak, Lecpetex controlled more than 50,000 accounts simultaneously, and its operators planned to keep it running. The attackers pushed out more than twenty different spam campaigns in a seven-month period ending in June, and constantly obfuscated the malware to keep it fully undetectable (FUD) by antivirus products.
“Over the last seven months we saw the botnet operators experiment with different social engineering tactics, including embedding Java JAR files, using Visual Basic Scripts (VBS), and creating malformed ZIP archives and Microsoft Cabinet files (CAB),” Facebook said in its official statement. “The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail. The files used in the spam messages were also refreshed frequently to evade anti-virus vendor detection.”
Most victims found infected were in Greece, alongside victims in India, Norway, Poland, Portugal, and the United States. The attackers used social engineering tactics to trick users into opening a malformed .zip file attached to a spam message. When opened, the attachment would execute a Java archive (JAR file), which proceeded to download the main Lecpetex module from a file-sharing service. From there, the module injects itself into Windows Explorer, Facebook reported. The module reaches out to various command-and-control (C&C) IP addresses for continuous updates as well as the spamming module, Litecoin mining malware and versions of the DarkComet remote access Trojan (RAT).
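One check an attachment scanner can apply to the malformed-ZIP trick described above is to cross-check the archive's central directory against its local file headers and flag any disagreement, since an extractor and a scanner may trust different indexes. This is an added example, not code from Facebook's writeup; the sample archive and the tampering are constructed here to illustrate one kind of inconsistency, not Lecpetex's exact technique.

```python
import io
import struct
import zipfile

LFH_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def zip_inconsistencies(data: bytes) -> list:
    """Cross-check the central directory against the local file headers; an
    empty list means the two indexes agree, anything else is a reason to quarantine."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return ["no usable end-of-central-directory record"]
    _, _, _, _, n_total, _, cd_off, comment_len = struct.unpack_from(
        "<4sHHHHIIH", data, eocd)
    if eocd + 22 + comment_len != len(data):
        findings.append("bytes appended after the EOCD record")
    pos, count = cd_off, 0
    while pos + 46 <= len(data) and data[pos:pos + 4] == CD_SIG:
        (method, _, _, crc, csize, _, fnlen, xlen, clen, _, _, _,
         lfh_off) = struct.unpack_from("<HHHIIIHHHHHII", data, pos + 10)
        name = data[pos + 46:pos + 46 + fnlen]
        pos, count = pos + 46 + fnlen + xlen + clen, count + 1
        if lfh_off + 30 > len(data) or data[lfh_off:lfh_off + 4] != LFH_SIG:
            findings.append(f"{name!r}: no local header at offset {lfh_off}")
            continue
        (l_flags, l_method, _, _, l_crc, l_csize, _, l_fnlen,
         _) = struct.unpack_from("<HHHHIIIHH", data, lfh_off + 6)
        l_name = data[lfh_off + 30:lfh_off + 30 + l_fnlen]
        if l_name != name:
            findings.append(f"{name!r}: local header names it {l_name!r}")
        # flag bit 3: CRC and sizes live in a trailing data descriptor, not here
        if l_method != method or (not l_flags & 8 and (l_crc, l_csize) != (crc, csize)):
            findings.append(f"{name!r}: method, CRC or size differs between headers")
    if count != n_total:
        findings.append(f"EOCD claims {n_total} entries, directory lists {count}")
    return findings

def build_sample() -> bytes:
    """Constructed sample: a well-formed two-entry archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.jar", b"constructed payload stand-in")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()

def rename_in_local_header(data: bytes, new_name: bytes) -> bytes:
    """Constructed tampering: rewrite only the first local header's filename (same length) so the indexes disagree."""
    fnlen = struct.unpack_from("<H", data, 26)[0]
    return data[:30] + new_name[:fnlen].ljust(fnlen, b"_") + data[30 + fnlen:]
```

Running `zip_inconsistencies` on `build_sample()` returns no findings, while the same archive after `rename_in_local_header` or with bytes appended past the EOCD record produces one finding each.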
Facebook said the spam module is what initiates the account hijacking: it takes over the Facebook account by stealing browser cookies, harvests its friend list, and sends the victim's friends private messages carrying the malicious .zip attachment.
“Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems,” Facebook said. “We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.”
Facebook reports that it began detecting an increase in spam on the social network in December. This led to a chain of events that resulted in the takedown of a number of command-and-control servers along with distribution, test and monetization accounts. By the time the takedowns occurred, Greek law enforcement was involved, and the attackers began moving command and control to disposable email accounts and Pastebin posts, Facebook said. The malware authors then began leaving vulgar messages for the authorities inside the command-and-control sites and inside the malware itself.
Facebook said that the attackers had begun shifting off Facebook toward mass emailing before the two men were apprehended on July 3rd.
The two men arrested were reported to be “students of informatics”, one aged 31 and the other 27. A Greek news report states that the cyber-criminals had not only hijacked Facebook credentials, but were also stealing online banking and PayPal passwords along with the email password belonging to the country’s Ministry of Mercantile Marine. The report states that the Lecpetex botnet takedown was the biggest case that Greece’s Cyber Crime Unit has handled.