Facebook’s Threat Infrastructure team helped law enforcement take down a little-known botnet that may have infected as many as 250,000 computers.
Known as ‘Lecpetex’, the botnet was detected by Facebook last year. According to Facebook, the botnet was used to blast out spam that impacted close to 50,000 accounts at its peak.
“In addition, the Lecpetex authors appeared to have a good understanding of anti-virus evasion because they made continuous changes to their malware to avoid detection,” according to the Facebook blog. “In total, the botnet operators launched more than 20 distinct waves of spam between December 2013 and June 2014.”
“Lecpetex worked almost exclusively by using relatively simple social engineering techniques to trick victims into running malicious Java applications and scripts that infected their computers,” the Facebook team continued.
Most of the victims of the operation were located in Greece, Poland, Norway, India, Portugal and the United States. On April 30, Facebook contacted the Cybercrime Subdivision of the Greek police about the case.
The efforts to disrupt the botnet did not go unnoticed by its operators. In May, Facebook noticed the command and control servers were leaving notes aimed at them, and the encryption keys being used in the malware contained apparent messages such as ‘IdontLikeLecpetexName.’
Between May and June, Facebook began adding backend measures to disrupt the botnet. On July 3, the Greek police placed two suspects in custody; the malware’s authors were in the process of establishing a Bitcoin “mixing” service to help launder stolen Bitcoins when they were arrested.
“Fundamentally, the Lecpetex botnet is a collection of modules installed on a Windows computer that can steal a person’s online credentials and use that access to spread through private messages,” according to Facebook. “Along the way, it self-installs updates to try to evade anti-virus products and installs arbitrary executables. Our analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of Litecoin mining software. Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems. We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.”
Some of the Lecpetex modules – such as the Litecoin mining software and the DarkComet RAT (remote access tool) – were commodity software that can be downloaded from the Web, while others appear to contain custom code written by the botnet’s operators.
“Early versions of the malware used hardcoded IP addresses and disposable email sites for command and control,” Facebook explained. “One of the unique aspects of the malware is the use of disposable email providers for command and control. They leveraged sites such as dispostable.com that allow anonymous clients to check a mailbox, which in the case of Lecpetex mailboxes would contain bot commands. Later, as our disruption efforts made it harder to use dedicated hosting providers, the operators switched to sites such as pastebin.com to post their commands on public pages hardcoded into the malware.”
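The command-and-control pattern Facebook describes, a bot polling a throwaway mailbox or a public paste page for commands, leaves a recognisable trace in outbound proxy logs: the same client fetching the same provider at a near-constant interval. The following is an added detection example, not code from the article or from Facebook. It assumes a simple "timestamp client_ip method url" proxy log format, uses the two provider domains the article names, and works over constructed sample lines; the thresholds are illustrative.

```python
"""Flag clients that poll disposable-email or paste-site domains at a regular
interval, the C2 behaviour attributed to Lecpetex in the article.
Added example, not Facebook's or the article's code. The log format, sample
lines, client addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Providers the article names as abused for command and control.
WATCHED_DOMAINS = {"dispostable.com", "pastebin.com"}

# Constructed proxy log: "timestamp client_ip method url", one request per line.
SAMPLE_LOG = """\
2014-05-01T10:00:00 10.0.0.5 GET http://dispostable.com/inbox/bot1/
2014-05-01T10:05:01 10.0.0.5 GET http://dispostable.com/inbox/bot1/
2014-05-01T10:09:59 10.0.0.5 GET http://dispostable.com/inbox/bot1/
2014-05-01T10:15:00 10.0.0.5 GET http://dispostable.com/inbox/bot1/
2014-05-01T10:03:12 10.0.0.7 GET http://pastebin.com/raw/abc123
2014-05-01T10:01:00 10.0.0.9 GET http://www.example.com/index.html
2014-05-01T10:20:00 10.0.0.9 GET http://pastebin.com/raw/xyz
2014-05-01T16:45:00 10.0.0.9 GET http://pastebin.com/raw/xyz
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, host)."""
    ts, ip, _method, url = line.split()
    host = url.split("://", 1)[1].split("/", 1)[0].lower()
    return datetime.fromisoformat(ts), ip, host


def watched_host(host):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_beacons(log_text, min_hits=3, max_jitter=0.1):
    """Return {client_ip: {domain: mean_interval_seconds}} for clients whose
    requests to a watched domain recur at a near-constant interval.

    A single fetch of a paste page is normal user behaviour; repeated fetches
    with low timing jitter look like a bot checking for new commands."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, host = parse_line(line)
        if watched_host(host):
            hits[(ip, host)].append(ts)

    beacons = defaultdict(dict)
    for (ip, host), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: small means a fixed polling period.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[ip][host] = avg
    return dict(beacons)


if __name__ == "__main__":
    for ip, hosts in find_beacons(SAMPLE_LOG).items():
        for host, interval in hosts.items():
            print(f"{ip} polls {host} every ~{interval:.0f}s")
```

On the constructed log only 10.0.0.5 is reported (it fetches its dispostable.com mailbox roughly every five minutes); the single pastebin.com fetch from 10.0.0.7 and the two widely spaced ones from 10.0.0.9 fall below the hit threshold. In practice the domain list would be driven by threat intelligence rather than hardcoded, and the jitter threshold tuned to the environment's proxy timestamp resolution.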
“Staying ahead of the latest threats is a complex job, and Lecpetex was a particularly persistent malware family,” Facebook added. “We hope this example will illustrate that cooperation can be helpful and productive in shutting down botnets, particularly when criminals abuse multiple online platforms to achieve their aims.”