The Field Report
There are 18,000 banking institutions in the U.S., and somebody has to blog about their breaches, concerns and security successes.
The Mariposa "botnet" (Mariposa means butterfly in Spanish) of infected computers included PCs inside more than half of the Fortune 1000 companies and more than 40 major banks, police said. The tainted computers stole credit card numbers and online banking credentials. This botnet spread to more than 190 countries, and appears to researchers to be far more sophisticated than the botnet that was used to hack into Google and other companies earlier this year.
Botnets pose a real, tangible threat to government networks, private networks and, most especially, financial institution
There are an estimated 4,000 to 6,000 botnets operating today, and Mariposa was the biggest one ever brought down, according to Jose Antonio Berrocal, head of Spain's Civil Guard economic and technological crimes unit.
The Mariposa botnet first appeared in December 2008 and grew into what researchers are calling one of the biggest weapons of cybercrime. Apparently the three hackers who stole bank details from computers across the globe didn't realize the power of the illegal network they had created from malicious software they bought on the black market. So this means the creator of the most powerful botnet is still out there. In the press conference, few details were available about how much money was taken by the botnet, or the names of the companies and banks that had compromised computers on the botnet.
Police believe the three men aren't expert hackers, but the botnet they created was powerful enough to paralyze an entire country's computer systems. That one statement there should make everyone stop and think, hard. The real target that institutions should be worried about is their customers' computers, where botnets not only take over the computer, but also home in to launch malware, like the Zeus Trojan that steals online banking credentials.
Even more troubling news that came on the heels of this was the finding from scientists at the University of Central Florida, who say bot herders control these faceless armies of zombie PCs, and now they're able to avoid honeypots. Why is this important? Because honeypots, which are unprotected computers that are rigged with monitoring software and sit inside the botnets, are the way security firms are able to monitor and catch the botnets and their masters.
The problem is that the security firms that track the botnets through honeypots have their hands tied, ethically speaking, because they don't allow the honeypot PCs to be used to spew spam or be used in attacks to get more victims. The scientists say the bot masters monitor whether such instructions are carried out, and then program command and control servers to disable or ignore these machines, thus depriving the security firms of vital intelligence on how zombie botnets are operating in the real world. The good news is those same scientists say they are working on techniques to make stealthier honeypot traps to trick bot herders. Their preliminary findings were in a recent edition of the International Journal of Information and Computer Security.
Keep in mind there are another 4,000 to 6,000 botnets still out there attacking and taking over your customers' computers, the computers on the networks of your vendors, and yes, as Mariposa proved, even the computers sitting on your institution's network.