Darknet Diaries - 94: Mariposa

Episode Date: June 8, 2021

Chris Davis has been stopping IT security threats for decades. He's currently running the company Hyas that he started. In this episode he tells a few tales of some threats that he helped stop.

Sponsors

Support for this show comes from Exabeam. Exabeam lets security teams see what traditional tools can't, with automated threat detection and triage, complete visibility across the entire IT environment and advanced behavioral analytics that distinguishes real threats from perceived ones, so security teams stay ahead and businesses keep moving, without fear of the unknown. Learn more by visiting exabeam.com/dd.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Sources

https://www.zdnet.com/article/hacker-curador-pleads-guilty-to-credit-card-theft/
https://www.pbs.org/wgbh/pages/frontline/shows/hackers/
https://archive.org/details/frontline_202009/Frontline-+Hackers/VIDEO_TS/VTS_01_1.VOB
https://defintel.com/docs/Mariposa_Analysis.pdf
https://krebsonsecurity.com/2020/03/french-firms-rocked-by-kasbah-hacker/

Transcript
Starting point is 00:00:00 Hey, it's Jack, host of the show. I was talking with some online criminals the other day, which I guess I talk to criminals a lot. That's kind of weird. But someone told me a story that really put me in deep thought. Okay, so the story goes, and I have no way of confirming this is true, but this guy swears it's true. He told me that he knows this guy, an online scammer, hacker, criminal guy,
Starting point is 00:00:21 who was caught and arrested in 2016. Now, at that time, Bitcoin was just worth $600 per coin. The police seized everything from this guy, his computers, his phones, all electronics, CDs, thumb drives, everything. But they didn't take his notebook. And in that notebook was the private key to his Bitcoin wallet. He was able to stash it in a safe place before going to prison. Currently, he's still in prison, and Bitcoin has risen above $30,000 per coin. This guy's wallet has 18 Bitcoins in it.
Starting point is 00:00:56 He's due to get out next year, and the police still don't know about his hidden Bitcoin. It was only worth $10,000 when he got arrested. But today, it's worth almost a million dollars. All he'll need to do to get that Bitcoin is to find the private key in that notebook he wrote down five years ago. And that's such a trip for me to think about. A criminal losing everything, starting from scratch. But the day he walks out of jail, he'll be a millionaire.
Starting point is 00:01:26 All because he was able to hold on to that Bitcoin the whole time. These are true stories from the dark side of the internet. I'm Jack Recider. This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive.
Starting point is 00:02:19 It's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things.
Starting point is 00:02:46 It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to join delete me.com slash dark net diaries and enter code dark net at checkout.
Starting point is 00:03:13 That's join delete me.com slash dark net diaries. Use code dark net. Support for this show comes from Black Hills Information Security. This is a company that Thank you. them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
Starting point is 00:04:14 which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com. Today we hear a story from Chris Davis. And like many people in this podcast, his story starts out in high school. It's funny. I actually didn't finish high school, which is a bit weird. I kind of dropped out in grade 11. I moved out on my own. And, you know, I started picking up kind of odd jobs working on
Starting point is 00:04:57 people's computers and pulling cable through ceilings and stuff like that to network small offices. And that sort of turned into a career path for me. Chris grew up in Canada, and his home life was rough. He ventured out on his own at a young age, and he somehow was able to get by. And at the same time, he loved computers and learning about protocols and coding and operating systems and networks. I went from that to a lot of contract work.
Starting point is 00:05:26 I ended up with a contract working for the federal government, which turned into a bigger job working for the federal government in Canada. Did that for many years. Where did you work there? Well, you know, I worked in a lot of different areas. Some of it I can't talk about. Some of it I can. Was it like intelligence?
Starting point is 00:05:49 Were you doing Canadian top secret intelligence stuff? Some of it was. A lot of it was doing cybersecurity-related red teamwork. So we were doing, you know, exploitation or attack simulations. And so, you know, I've done that type of work for just about every major government department in the federal government. Whoa, whoa, whoa, whoa, whoa. Let's slow down here. Chris really didn't want to talk about his time working for Canada's intelligence agencies. But you know what? This is common for everyone I've met who's worked there.
Starting point is 00:06:28 I can barely get anyone to even say what department they worked in. And the same goes for the UK, too. I've met people who are part of GCHQ, but won't peep a word of it with me. But that won't stop me from looking into it more. So what's Canada's version of the NSA? It's called the Communication Security Establishment, or CSC. And they're pretty secretive. There's not a lot of information about what goes on in there.
Starting point is 00:06:52 But I found a recruitment video. So let's listen to this. You may be the smartest person on your block. You may have the best marks in the history of your program. You may have written some of the most robust code ever, speak and write ten languages fluently, or be scarily bright in math, physics, or engineering. But we have just one question for you.
Starting point is 00:07:13 Can you keep a secret? We are the Communications Security Establishment Canada. We're serious, really serious about our mission. We provide the government of Canada with foreign signals intelligence and protect information of national interest through leading-edge technology. We do all this while facing the increasingly complex threat of cyberterrorism. But back to the keeping a secret part. You see, that motherload of information we've talked about
Starting point is 00:07:41 has enormous strategic and economic value to Canada. As you can imagine, it is highly prized by those who would create chaos and threaten our safety and security. How we protect it is top secret. I don't know if Chris worked at CSE or not, and I don't know if he was a full-time employee or just a contractor. I guess he's good at keeping secrets though, huh? But all I have to go by is the statement that he just said a moment ago, that he was doing exploitation or attack simulations. And so, you know, I've done that type of work for just about every major government department in the
Starting point is 00:08:17 federal government. Yeah, I guess the citizens of Canada just must really trust the government. Like, yeah, we know we can't ask what you're doing and we know you can't tell us, but we just assume you're on the good side. I guess there's like no, there's no transparency at all. You're right. There's much less transparency. I think we're more laid back than our American friends. I think there are people that certainly don't trust the government and, you know, there are some,
Starting point is 00:08:43 there is sort of some freedom of information type acts and whatever. But I think that all in all, you're right. We're just a little more laid back about that stuff. No, but anything that you do for the security services in Canada that are in the intelligence space gets sealed for 101 years or something. And so you can imagine what kind of exposure and skills he picked up doing this kind of work.
Starting point is 00:09:08 Now, somewhere in this time, he gets married and still has a burning desire to learn more about computers, tech, hacking, whatever. So when I'd get home from work, I'd be on the computer trying to learn more, trying to see what the bad guys are up to. And this guy, Curator, was bragging about all the different e-commerce sites he'd compromised and was publishing people's personal credit card information online. And he was just kind of just being a jackass. A person named Curador had posted online that he broke into different e-commerce websites,
Starting point is 00:09:42 stole a bunch of credit cards, and then posted them to his own websites for anyone to use. Curador was really bragging about what he did and how bad the security was for the places he hacked into. He actually called himself the saint of e-commerce, and he would call up radio shows and boast about what he did. Welcome to Internet News Radio. Curator said he likes to compare himself to the main character in the movie The Saint. Basically, it's my delusions of grandeur coming into full view.
Starting point is 00:10:13 You've got potentially several law enforcement agencies in several countries tracking you. Yeah, it doesn't concern me at all. They can hack the way out of a bad law enforcement. I don't know. It just sort of bothered me that he was being he was bragging so much and being so sort of full of himself. And I noticed he hit a couple of Canadian companies, and for some reason that triggered me, I guess. And so I started going after him. Aha, interesting challenge, huh?
Starting point is 00:10:38 Can someone who develops exploits and carries out hacks for the Canadian government to track and find this arrogant criminal. Chris was on the trail. Step one is to look at the logs. But news agencies and victims weren't publishing logs, so he had to go get them himself. Phone people up and say, hey, you know, can I help you with a problem you have? I'm not going to charge you anything. I just want to try to catch this guy. And more often than not, they'd be like, yeah, sure, I have access to the inside of my network.
Starting point is 00:11:10 I have access to my logs. You know, I wrote a bunch of firewall rules for one of them, helped a guy through some filtering on his router and, you know, whatever. So, yeah, they just really hand me access to whatever I asked for. He was able to get the network logs and web server logs of this criminal activity. And this was a wake-up call for these e-commerce sites. They weren't familiar with all the things that criminals could do and thought they had secured their sites very well. So they appreciated the help from Chris, and he started discovering things from these logs. He would hide himself a little bit when he'd breach a site,
Starting point is 00:11:46 and then he'd come back later and not hide. And it was, so when he'd come back later, it did look like normal web traffic. It didn't look like part of the breach. But when you take three or four of them together and you go, hmm, why, you know, within half an hour or an hour of the breach, before it's published, before anybody knows about it, is there always the same IP address from Wales showing up to, you know, look around the site? This is the power of looking at multiple victim's logs, trying to correlate them.
Starting point is 00:12:16 Using geolocation, Chris figured out that Curador was somewhere in the UK. Next, Chris looked at what exploits he was using. The exploits he was using were vulnerabilities that were discovered by a friend of mine named Jeff Forrestal. So I knew exactly how this kid was doing it. So I went to the RCMP in Ottawa and they didn't seem to want to do anything with it. And then one of the victims that was in Pennsylvania, I guess, had called their local field office of the FBI. And so I got a phone call at lunch one day from this FBI agent who said, hey, I hear you're working on this.
Starting point is 00:12:48 Can you share what you got? And I said, sure. And I kind of became friends with the SA and shared everything. And they took it from there and worked with the various police forces in the UK and showed up at his door one early morning and made the arrest. Then I got a phone call from him at like six in the morning that day. And he said, hey, we made the arrest and thanks very much. And the FBI is doing a press release on this. And I tried very hard to get your name in that release, but they don't want to
Starting point is 00:13:22 acknowledge that somebody else helped us. And he said, so I'm not saying this, but they don't want to acknowledge that somebody else helped us. And he said, so I'm not saying this, but if you were to put out your own press release, that might be a good idea. And I had a friend of mine that was a journalist for one of the major papers in Canada. And I called him and I said, what should I do? And he's like, I'm writing your press release for you right now. I'll send it out. And I said, okay. And then all these TV trucks and stuff showed up at my house and sort of gave my career a bit of a boost there in the late 90s or right around 2000. Now, almost immediately after the arrest, PBS Frontline decided to do an episode on this. Due to the graphic.
Starting point is 00:13:57 Made possible by contributions to your PBS station from viewers like you. And I found an old VHS recording of this episode. Now, this happened back in the winter of 2000. And guess what? Chris is in the video. Chris Davis tracked him following electronic footprints around the world without leaving his computer terminal. And he caught him and notified the FBI. You know, the bragging got to me. I just wanted to say, OK, look, you're really not this good. You're not as good as you think you are. I know I'm guessing I have a really good idea how you're doing this. So the FBI and UK police figured out what ISP owned the IP that these attacks came from and asked the ISP for information on what customer was using that IP at the time of the attacks.
Starting point is 00:14:40 From here, authorities found the home address of Curador, who was in a little town in Wales in the UK. A little town called Clindarwen, just outside of Cardiff. UK headquarters for the villain Curador turned out to be a bedroom in rural Wales, littered with broken computers and new age books, pop cans and ashtrays and a TV set where twice a day a bored teenager indulges an addiction to reruns of the 60s spy series The Saint. Curador is Raphael Gray, 18 years old. They arrested him and took him to a nearby town to be processed. Then they let him go to face a judge later on. But then the producers of PBS Frontline had this idea.
Starting point is 00:15:27 They thought, what if Chris and Cure Door could meet up in person? So they said, hey, can we fly you to Wales to go meet this guy that you helped the FBI arrest? And I was like, okay, I guess so. Is that normal? Is that what we're supposed to do? We're supposed to go hang out with the guy after we bust him? OK. So they, you know, they flew me to Wales, put me up in this fancy hotel.
Starting point is 00:15:53 So Chris and the team from Frontline went to Curador's home in Wales. That's your room? Yeah. He's remarkably friendly, considering that just weeks earlier he'd opened his door to be swarmed by a squad of police officers and an FBI agent. And all in all, there was like ten of us in this room, all crowded round, but there was less floor space in here than there is now, a lot less. So they're all crammed in here. Four of them were playing close,
Starting point is 00:16:21 and there was one guy wearing a sort of grey trench coat, looking very dishevelled and shaven he seriously looked like he had some jet lag I'm guessing that's FBI that was confirmed later on he wouldn't admit it to begin with he claimed to be a Welsh police officer with a strong accent Raphael sees himself as a fairly typical hacker
Starting point is 00:16:40 not so much a crook as a nuisance I think obviously I'm just a very nosy person. I'm like your nosy neighbor on steroids, basically. There is a lot of adrenaline, if nothing else, while you're trying to track it down. I sometimes spend two days solidly trying to do something without sleep, without anything, just constantly trying to do it. And when you finally get through the relief, it's not just from the fact you got in, but now you can sleep. Your body is just literally crying out in relief from every possible avenue.
Starting point is 00:17:21 They are explorers, tirelessly traveling, fueled on caffeine, looking in cyber windows, trying cyber doorknobs, because they're bored or just because they can. So what was it like meeting this guy? It was weird, obviously. He really seemed like a charming, goofy, nerdy kid. He was 18. He did not come from a rich family or probably have a lot of wonderful options of fun things to do in the small town that he lived in. And, you know, I think we do see a lot of cybercrime
Starting point is 00:17:53 kind of born out of a lack of career options and socioeconomic issues in various places around the world. So I think it was a little bit of that. I kind of felt sorry for him a bit, I guess. You know, he definitely could have made better choices. But when you're 18, you do dumb things when you're 18. It's just the reality. So, yeah, I think I liked him.
Starting point is 00:18:22 And that was really all there was to it. We kind of got along. We didn't really stay in touch or anything. I'd love to know what he's up to now. Did you feel bad for getting this kid arrested? I mean, it's obviously his actions, but do you deal with that mentally? Yeah, I did a little bit, I guess. I think that it was, you know,
Starting point is 00:18:47 he was doing something wrong. He needed to stop. And that was the way to make it stop. And so I don't feel bad about that. I feel bad. I don't feel bad about what I did. I feel empathy for the situation he was in, I think. And I also, you know, I made dumb choices when I was 18. Not like that. I didn't end up in jail or anything. But, you know, you feel for the guy, right? So that's the story of how Chris caught and met Curador. But Chris has more stories to share with us.
Starting point is 00:19:18 Stay with us because after the break, he's going to tell us about his adventures with the Mariposa botnet. This episode is sponsored by Vanta. Trust isn't just earned, it's demanded. Whether you're a startup founder navigating your first audit or seasoned security professionals scaling your GRC program, proving your commitment to security has never been more critical or more complex. And that's where Vanta comes in. Businesses use Vanta to establish trust by automating compliance needs across over 35 frameworks like SOC 2 and ISO 27001, centralized security workflows, complete questionnaires up to five times faster, and proactively manage vendor risk.
Starting point is 00:19:56 Vanta helps you start or scale your security program by connecting you with auditors and experts to conduct your audit and set up your security program quickly. Plus, with automation and AI throughout the platform, Vanta gives you time back. Thank you. Get $1,000 off Vanta at vanta.com slash darknet. That's spelled V-A-N-T-A, vanta.com slash darknet for $1,000 off. Chris was in Canada hunting cyber criminals and working for the Canadian government. Anyway, I left that and went down to Austin, Texas in 2005 and joined Dell. And I was the technical lead for their security team for a few years. You know, it was a very small team. There was like five or six of us
Starting point is 00:20:55 for pretty much all of global security for Dell. And so as you could imagine, that was pretty stressful. It was 100,000 employees and, you know, 80,000 computers on the wire at any given second. And I think Dell's budget at the time in the mid-2000s, they probably spent more on coffee than they did on cybersecurity. So it was a bit of an uphill battle. And then I had a friend of mine at Georgia Tech, a guy named David Dagan, who was starting an anti-botnet company called Damballa. And so we chatted and he said, hey, you know, why don't you come out to Atlanta? I can't pay you as much, but it'll be more fun.
Starting point is 00:21:31 And I said, absolutely, get me the hell out of here. He took a pay cut and moved to Atlanta to help this startup. But after doing that for a while, his wife convinced him to move back to Ottawa, the capital of Canada. And once there, he started a company called Defense Intelligence. Which, you know, was focused a lot more on defense and blue team type work than sort of the attack stuff. Our focus was compromise detection and compromise mitigation.
Starting point is 00:21:56 Now, one of the things about being a network defender is that you have to constantly keep an eye on what the bad guys are doing, what tools are out there, their techniques, and what services criminals like using. And Chris likes to stay a step ahead of the bad guys by knowing all this. One of the things that I've done over the last several years, last 15 years or whatever in my life, has been building relationships with people that own infrastructure that bad guys love to use. So it could be domain registrars, dynamic DNS providers, hosting providers.
Starting point is 00:22:30 And, you know, those relationships which start out with, you know, me meeting them at a conference and buying a beer, you know, I've sort of moved those into more formal arrangements where we've got contracts in place and I can, you know, get access to data around what bad guys are up to, particularly in how they set up the infrastructure used prior to an attack. And at that time, I was really good friends, still am really good friends with a guy that owns a very large dynamic DNS provider, which I won't name just because I don't want to burn him. And so one of the things that I would do is I would review the authoritative name server traffic flowing in and out of his environment to look for new spikes, new patterns, you know, which is often indicative of a new botnet growing. So Chris took a look at some of the logs from this DNS provider
Starting point is 00:23:25 and found something interesting. He was noticing that at a certain time of day, there was a huge spike of traffic, all going to a few domains. So why would you see a spike in traffic? Well, maybe it's a news site that's covering breaking news or a big sale at an online store
Starting point is 00:23:43 or some sports website that's playing a live game. But spikes like that are more like plateaus. They jump up at first, but then stay high for an hour or so and then die down. What Chris saw was a spike where hundreds of thousands of computers were all calling a certain website, but only for like one second and then stopping. Huh. Why would they do that all in sync at the same exact moment then stop? He looked at the domains that these computers were calling, and they were weird.
Starting point is 00:24:13 One was butterfly.bigmoney.biz. Another was quirtasdf.synip.es. These were not news sites or even popular sites at all. When Chris would go to them, they displayed nothing on their website. So why were hundreds of thousands of computers going to these seemingly empty sites at the same time?
Starting point is 00:24:35 Sort of, we're able to start to put together a picture of, ooh, this is a really big botnet. And, you know, it was that it wasn't just one botnet, it was actually multiple botnets sort of under one umbrella. The reason why there were a bunch of computers all hitting these domains at the same time was because these were infected computers looking for commands for what they should do next. So those servers they were reaching out to are known as command and control servers.
Starting point is 00:25:00 And when you have a lot of infected machines that all get their commands from a central server, this is a botnet. He was able to work with some friends and see what malware was used here. And systems were being infected with something called the Butterfly Bot. Now, Butterfly Bot was somewhat already known, but it really wasn't doing much out there. So it seemed like someone might have taken the butterfly bot malware toolkit and was building a botnet with it. Chris looked at the command and control server logs a little bit more and determined that whoever was running this botnet was probably somewhere in Spain. So Chris combined the butterfly bot and the bot masters being in Spain and called this the Mariposa botnet, which means butterfly in Spanish.
Starting point is 00:25:46 So we went ahead working with Panda. Panda Security is an antivirus company in Spain. And he figured they might be able to help since they battle stuff like this all the time in Spain. We leaned on them to help with some language barrier stuff and to help us analyze some binaries. And so they helped. We kind of put together this working group called the Mariposa Working Group, which was Panda, ourselves, Georgia Tech, and a few other folks. Collectively, the group combined their powers to try to stop the Mariposa botnet,
Starting point is 00:26:16 which was growing in size. Over a million computers were now infected at this point, and it was pretty dangerous. It was capable of doing a lot of different things. You know, it was capable of distributed denial-of-service attacks, keystroke logging, credential theft, and the different botmasters were using it for different things. We did see a lot of DDoS attacks. By default, the credential theft would occur as soon as the thing was installed. You know, I've never been one to really focus
Starting point is 00:26:42 on the features of the piece of malware. To quote George Kurtz at CrowdStrike, he once said, if someone's shooting at you, do you turn around and dig the bullet out of the wall and try to figure out what caliber it is? And so I've always kind of thought about that and thought, no, you probably want to know who the guy is and why he's shooting at you. And so that's the features of functionality. Well, it gives a bad guy remote access to your computer to do whatever he wants.
Starting point is 00:27:08 That's bad. Right. This thing is ugly. So the working group wanted to end it. But how do you stop a botnet? It has hundreds of thousands of computers, if not millions of computers connected to it. What are you going to do? Go through every one and disinfect it?
Starting point is 00:27:22 No, that's not going to work. But remember, they all call back to that central command and control server for instructions. So their theory was if they could take over or take down those command and control servers, that would render this botnet ineffective. So the plan was that we were going to take all the command and control domains that we knew about, which was, again, multiple botnets under one umbrella that we were calling Mariposa. And we were going to take all of their command and control domains away at the same time, two days before Christmas, I think, if I remember right. It was the 21st or the 22nd of December. One of the things Chris is good at is connecting with other companies to work together.
Starting point is 00:27:58 So he reached out to the DNS providers that this botnet was using, Chris showed them that these domains were being abusive and the DNS provider took those domains down, which effectively neutralized this botnet. Infected systems could no longer send their stolen data back to the central server or get further instructions. So those systems were still infected, but at least they weren't leaking data or doing anything more.
Starting point is 00:28:21 So we went ahead and did that. We pointed it all to our sinkhole and that's when we started to notice exactly how big the botnet was. So we went ahead and did that. We pointed it all to our sinkhole, and that's when we started to notice exactly how big the botnet was. It was huge. Because when you take the command and control domains away and you point them to your sinkhole, you get to see all the victims trying to communicate with command and control. And I think in the first 24 hours,
Starting point is 00:28:40 we had 14 million unique IP addresses hit the sinkhole. It was the biggest botnet I had ever seen in my life, and it still is. Wow, that's a lot. This was a win for the Mariposa Working Group. Next, Chris was trying to investigate who was behind this botnet. Were they state-sponsored? Were they criminals? What clues in the malware and command-and-control servers might lead them to figure this out?
Starting point is 00:29:04 And working with Panda and some other researchers, he was able to figure out who had been connected to the command and control servers as admins. And from there, he was able to trace this back to some IPs that belonged to an ISP. And again, it was somewhere in Spain. He somehow got the ISP to tell him who that IP address was registered to, which gave him names, phone numbers, and email addresses of the people suspected to be behind the Mariposa botnet. So we've got to put this together into a nice report, send it to Guardia Civil, which is, you know, the federal police force in Spain, also, you know, in coordination with the FBI.
Starting point is 00:29:41 And they went and arrested these two guys. These guys apparently had some nice things around their home, but without any proof that they had legally purchased these things. So it seemed like these were the guys behind this, or at least some kind of criminals. But now that the police had arrested them, Chris and everyone kind of wiped their hands with this and went back to work. But then, a few days later, Chris's internet goes down. You know, we noticed that the internet was down and our fiber provider started phoning us and said, hey, we're getting, you know, a huge amount of traffic destined to your, I think we had a slash 24 of IP space or something. And we were like, oh, and then he's like, oh, you know, shit, this is really bad.
Starting point is 00:30:23 This just dropped part of the university. It just dropped a government office. We're starting to lose connectivity all over the place. They quickly start looking at the traffic and notice something. The Mariposa botnet was back online and it was attacking them directly. But how is this possible? The guys behind the Mariposa botnet were arrested.
Starting point is 00:30:45 So the Guardia Civil went and made the arrest of these two fellows and seized some equipment apparently. At the time, I guess, they weren't really familiar with cybercrime in Spain and didn't have a lot of policies and procedures and what to do. So I think they held them for 24 hours, and then they released these two people.
Starting point is 00:31:08 Those two people managed to get one or two of the command and control domains back the next day. I'm not sure how they got it back. But if you could somehow send one more command to all the infected systems, that there's a new command and control server, then suddenly the bot master has control of everything again. I guess they planned for something like this and conducted their contingency plan. And then they leveraged it to create a massive DDoS attack against us in Ottawa, which took out our fiber provider, part of a university, a couple of government offices,
Starting point is 00:31:43 a lot of different businesses suddenly had no internet for about an hour and a half, two hours. See, both Chris and the team at Panda Security were proud of their takedown and arrest. And so they published reports about this Mariposa botnet and how they were able to take it down. Well, the guys that got arrested saw the report and they knew exactly who to seek revenge on for getting them arrested. And then after we managed to wrestle it back from them and stop the DDoS, I think it was like three days later, they showed up at Panda Labs headquarters looking for jobs. What? What? Really? Yeah, I got a message from Pedro Bustamante, who ran the research lab at Panda Antivirus, and he goes, you're never going to effing believe this. And I said, what? He's like, these guys showed up this morning looking for jobs, both of them.
Starting point is 00:32:34 Wow, that's audacious, huh? To build a massive criminal botnet and then ask for a job at the security company who took you down, all while still waging a major attack on Chris's company. Well, because they didn't stop their criminal behavior, the police arrested them again and the botnet was sinkholed once again. And once they were arrested again, that was that. Chris was done with this incident. Yeah, it sort of, you know, went out of my hands. I know the FBI and Guardia Civil did a big press release. I think we got thanked in that, so that was nice. And then, yeah, it was sort of out of my hands. And, you know, I would get these inquiries from the FBI every now and again for, like, some updates and victim counts from the sinkhole.
Starting point is 00:33:18 Or can you send us over a dump of log data? And that was about it. In the end, the Spanish police discovered that this botnet was run by a cyber gang called DDT. A guy named Ruiz was the leader and Rivera and Rios were also part of it. I believe they served some time in jail in Spain for their actions. And that was the last we heard about the Mariposa botnet. Or was it? Fast forward a couple years later, and I get a phone call from the FBI saying, hey, can you come to Slovenia to testify at this trial? Come to Slovenia? But these guys were all from Spain.
Starting point is 00:33:53 What's Slovenia have to do with this? Well, as it turns out, the guys arrested in Spain didn't actually write the Butterfly bot. They bought it from a guy in Slovenia, a guy named Iserdo, and Iserdo was arrested for being the creator of this malware. But yeah, so here's the next big question is like, this guy created the malware itself but did not build this Mariposa botnet. He just created the malware. So there's, I mean, how do you feel about this? Like you, just because the person creates, you know, Smith and Wesson can't be, you know, tried for all the murders that have happened with Smith and them make the same mistake over and over again, which is, I'm going to build this thing and I'm going to say, hey, you're only allowed to use this to test your own stuff, whatever. But the intent of the code is to be stealthy, to hide, to do this, to do that. You know, it's to commit cybercrime.
Starting point is 00:35:06 And it's pretty obvious that that was the intent of the butterfly kit. Then on top of that, they got logs of him having conversations with people about the cybercrime they're committing using his tool. And then they've got people paying him for the tool saying, I'm about to use this for cybercrime and him taking their money. So that, you know, it was a lot of different sort of laws that were broken there. It wasn't just he built a kit and had nothing to do with it. The FBI was assisting with this investigation because Slovenia was kind of new to investigating cybercrime. And so the FBI was more of an observer and just helping out with the case.
Starting point is 00:35:48 So Chris went to Slovenia to testify about what he witnessed going on with the Mariposa botnet and how the Butterfly bot worked. And in the end, Slovenian courts found Iserdo guilty, and he had to serve almost five years in prison. When Iserdo got out of prison in 2017, Bitcoin was booming. It just crossed $10,000 per coin for the first time. And so he immediately jumped into Bitcoin. He built a website called NiceHash, which was one of the more popular mining pools for Bitcoin miners. Basically, when you're mining Bitcoin, doing anything on your own is quite hard. But if you pool together with a bunch of other people, then you have a much higher chance of making money at it. So he created a mining pool that anyone can
Starting point is 00:36:33 join and contribute their computing power to it to make some Bitcoin. And this NiceHash mining pool that Iserdo made worked really well. In fact, in 2017, I was actually mining using NiceHash myself. I didn't know it was run or started by the guy who was a convicted criminal at the time, though. And at the end of 2017, just as Bitcoin was hitting $13,000 per coin, NiceHash announced they had 4,700 Bitcoin stolen from their wallet. This was about $60 million that were owed to their users. Iserdo said they were the victim of a phishing attack
Starting point is 00:37:10 and they tried to pay it back. But it took them three years to pay all those stolen Bitcoin back. I didn't get hit by this because when I was mining, I would just immediately withdraw my Bitcoin as soon as I earned it. After Chris ran Defense Intelligence
Starting point is 00:37:26 for a while, he started a new company, which was acquired by Endgame. And then he started another company, which was acquired by CrowdStrike. And about six years ago, he started a new company called Hyas. So Hyas focuses on the infrastructure that bad guys like to use and the relationships that we have with those infrastructure providers to better identify really attacks before they happen. So you can think about, you know, any time that an adversary wants to set up a new botnet, they have to, you know, get servers for command and control. They have to
Starting point is 00:38:05 generally buy domain names. You know, if you're creating a phishing attack, you have to set up a website that looks like Bank of America. So what we've done is built relationships with the various providers where we see high rates of recidivism, where we see the bad guys go back to often over and over again. And we leverage those relationships to sort of tag and track those bad actors and identify campaigns before they become campaigns. He then gives his customers the ability to search through some of the logs that he sort of has exclusive access to, so that people can track and identify threat actors.
Starting point is 00:38:42 One day, Chris was looking at his own tool and noticed something unusual. We originally noticed, again, much like Mariposa, spikes in traffic at the authoritative level. So this was a combination of registrar partners and dynamic DNS partners where we saw traffic spikes that were indicative of a botnet growing. But what was most interesting is who the victims appeared to be in the early stages. So where were we seeing the traffic originate from and the patterns of behavior?
Starting point is 00:39:17 You know, a normal person will sit at a keyboard and hit enter every two minutes and 32 seconds over and over again all day. That's non-human behavior, right? So when we see a domain lookup every one minute and 30 seconds, you know, to the second when the cache, the TTL expires, when the cache expires, we see that cache refresh occur over the course of, say, 20 hours. We know that there's probably a computer inside that environment that's compromised with something, particularly if the domain they're looking up happens to be a known command and control for a piece of malware or various pieces of malware.
Starting point is 00:39:49 So we saw that type of traffic. Okay, so there's a potential botnet on the rise again, or something. They see a lot of computers on the internet are showing signs of infection since they're all acting in synchronicity again. So Chris wanted to know what computers are being infected by this. And when he saw what computers were infected, it really surprised him. It was France's power grid, like a bunch of their sort of nuclear power stations. And then we noticed traffic as we sort of zeroed in on this group of command and control domains, we noticed that it was also France's rail system, hospitals, banks,
Starting point is 00:40:28 water treatment systems. It was basically just like critical infrastructure. It was really, really, there was very little that wasn't critical infrastructure that was beaconing to these command and control systems. Whoa. A lot of critical infrastructure related to France was infected by some kind of botnet? That's not good.
Starting point is 00:40:50 He wondered if the bot master had purposely infected French computers or if the bot master even knew he had infected these systems at all. Sometimes bot masters don't know what they've infected. They just launch a virus to the world and whoever gets hit gets hit. It's like spray and pray. So he dives into this investigation on his own, but started showing some
Starting point is 00:41:10 of the people he worked with what he found. And others were getting curious too and helped investigate. Together they looked at the malware involved and they studied the command and control infrastructure and tried to map out what this criminal has done and how sophisticated they were. And from adding up all these bits, he felt confident that this hacker was sort of mid-level, acting alone and probably not state-sponsored. And once he had enough evidence of what was going on, he then reached out to the French authorities. Reaching out to the French authorities was a very difficult process. We didn't get a lot of response from anybody.
Starting point is 00:41:47 I went on some of my trust groups and mailing lists and reached out and didn't get a lot of response from people. So we actually ended up going to the FBI, because we work with them so much, and saying, can you help us with this? And so we sent them our report. They reviewed it to make sure we weren't crazy, they weren't going to embarrass themselves. They reviewed it, verified our findings, and then they reached out to the French government from their legal attaché at the U.S. Embassy in Paris and delivered our report to them. And then we never heard anything from them since. But just because he didn't hear from the French authorities doesn't mean he can't poke further. Chris contacted the dynamic DNS provider, which was controlling the command and control server from his botnet and asked for more information on that user. The DNS provider gave
Starting point is 00:42:34 more information to Chris. He then had a user agent, an IP address, and an email address that was used to connect to that user's account. Chris used geolocation to try to figure out where the hacker was located, and it pointed to Morocco. Google searching that email address, we found that he had an outdoor camping company outside of Morocco that would take foreigners on these sort of desert tours. And yeah, so we were able to tie it back to that. And then he ran that out of his house and had his home address listed. And yeah, so we were able to really put it down to exactly where he lived. Because the attacker was in Morocco, Chris called him the Kasbah hacker and published a report on this.
Starting point is 00:43:21 Some researchers saw this report that Chris and Hyas put out and looked into it further. They saw the name of the hacker and started searching around the internet for him, and they found that he was also taking credit for submitting different security bugs to Apple and Dell and Microsoft. This gave an extra clue that the person was familiar with hacking, finding bugs, and using them. They also found he used to run a computer repair business and then found his email address was a registered user on some criminal hacking forum. This gave them a new username to scour the internet for. And his LinkedIn profile showed that he's a penetration tester and programmer. At this point, it's pretty clear. They found the person who completely hacked into France's power grid, trains, and even nuclear facilities. He was happy to report this to the French authorities,
Starting point is 00:44:06 but it didn't look like they were doing much with this. So at the point where you hand it over to law enforcement, there's not a lot you can do past that. And so you kind of have to hope that they're going to do their job and stop the bad guy. And, you know, it seemed like France really was overly interested in doing anything about it. You know, I went back and looked at some traffic earlier today for those same command and control domains.
Starting point is 00:44:32 There still is French infrastructure that is repeatedly looking up the command and control domain every three minutes, 24 hours a day. So that tells me that system never got cleaned. Right. That's exactly right. Which also tells me, I mean, I don't know if you had that submitted in your report that got to the French authorities, but it seems to infer that the French authorities didn't action this. That's exactly what I'm inferring, yes. I'm trying to be nice about it, but that's exactly what I'm saying, is that the FBI walked over and handed this to the French authorities, and they, I don't know, put it in a trash bin? This isn't the case of one missed memo either.
Starting point is 00:45:15 This entire thing was written up by the journalist Brian Krebs, who published a pretty detailed article on this. Krebs has a huge reader base, which would absolutely have French people reading it. So you would think this would get the attention of the French authorities, right? But I don't know. Now, the French critical infrastructure wasn't the only thing hit. One of the big banks in France was also infected too. Chris also listed this bank in the report that he submitted to the French authorities, but decided to also reach out to the bank directly and just tell them. I talked to one of the security guys at one of the big banks in France that was affected.
Starting point is 00:45:49 They cleaned things up very quickly. And then, you know, afterwards, I don't know, maybe three weeks or so after the FBI had handed the report to the French authorities, I reached back out to my contact at the French bank and said, oh, have you heard from the French authorities about this? Because, you know, you're listed in the report. And he said, no, no, we haven't heard anything. But, you know, we cleaned it up. Thanks very much. Sure. No problem. Yeah. So, you know, three weeks later, the authorities hadn't reached out to one of their largest banks that was, you know, actively breached. I'm not sure what's going on here with the French authorities.
Starting point is 00:46:23 Like, is France just not able to respond to these kinds of attacks? Or did they arrest the guy and therefore feel like this eradicated the threat? It's a mystery that I never got an answer to. But I sure hope they clean those systems and patch whatever vulnerability was used to infect those systems. Because hacking will continue until security improves. A big thank you to Chris Davis for sharing the stories with us. You can learn more about his company, Hyas, by visiting hyas.com.
Starting point is 00:47:05 Are you the kind of person who turns this show on to listen to it just before bed, but then end up getting so into it that you can't fall asleep for like a whole hour? Well, if that's you, then I want you to consider donating to the show through Patreon. This show obviously gives you some pretty good entertainment, so why not directly support it to show your thanks? Visit patreon.com slash darknetdiaries and consider donating. Thanks. This show is made by me, the Digimon, Jack Rhysider. Sound design was done by the ear turner, Andrew Merriweather. Editing is done by the AI known as Damien. And our theme
Starting point is 00:47:36 music is done by the potato smasher, Breakmaster Cylinder. And even though when something calls itself serverless, you and I both know there's really a server back there somewhere doing all the work. This is Darknet Diaries.