Dutch police, FBI rein in large botnet

The botnet created by a teenager who was arrested by Dutch police in a sting operation is most notable for its total reliance on social engineering to spread, computer security experts said Thursday.

The 19-year-old Dutch man was caught July 29 with his 16-year-old brother trying to sell a botnet to a 35-year-old Brazilian man, according to Dutch prosecutors. All were arrested by the Dutch High-Tech Crime Unit, with assistance from the U.S. Federal Bureau of Investigation.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

As is customary in the Netherlands, Dutch police have not released the names of those arrested. Few other details, such as how authorities became cued into the case, have been released. U.S. authorities are seeking the extradition of the Brazilian man.

But experts from Russian security vendor Kaspersky Lab were called on by Dutch police to write up instructions for how to remove the botnet code from infected PCs, as well as aid in the continuing investigation, said Eddy Willems, one of Kaspersky's security evangelists.

A botnet is a group of PCs that is infected with malicious code and controlled by a hacker. This particular botnet, which at one time had as many as 150,000 machines worldwide, is called "Shadow," the name bestowed on it by its creator.

The code that enabled Shadow to work was distributed on Microsoft's Windows Live Messenger instant messaging network. Victims would typically get a message from someone who appeared to be one of their contacts. The message would contain a link to another Web site, where the victim was asked to download a file.

If the file was executed on a PC, Shadow would collect other instant messaging contacts and send out more messages trying to enlarge the botnet. It appeared that Shadow was particularly successful in the Netherlands, since some messages were sent out in Dutch.

The distribution method relied entirely on victims willingly downloading the code rather than trying to exploit a software vulnerability, which could result in an infection regardless of what the user does.

It means that Internet surfers are just as susceptible to fall victim to scammy tricks. "Social engineering seems just as effective as it was 10 years ago," said Roel Schouwenberg, senior antivirus researcher.

Shadow could also download other malicious code and may have been used to download advertising software and spyware programs, Schouwenberg said. The teenager who created Shadow appears to use bits of malware code already circulating on the Internet, as well writing his own code.

The result was a fairly run-of-the-mill botnet, but one that could be considered large, Willems said. When the bust occurred, the 19-year-old was attempting to sell the botnet for €25,000 ($37,290), a price Willems said is way too high in proportion to how botnets are currently priced.

People who control a group of computers, called botnet herders, have been known to rent time to other scammers, who use the computers to send spam or conduct other malicious activity. The use of remote computers helps disguise who is actually using those machines to carry out crime.

Dutch prosecutors could not immediately be reached for comment.