Luis Corrons spent much of the last year helping Spanish police with an investigation that led to the arrest of three local men suspected of operating and renting access to a massive and global network of hacked computers. Then, roughly 60 days after their arrest, something strange happened: Two of them unexpectedly turned up at Corrons’ office and asked to be hired as security researchers.

Corrons, a technical director and blogger for Spanish security firm Panda Security, said he received a visit from the hackers on the morning of March 22. The two men, known by the online nicknames “Netkairo” and “Ostiator,” were arrested in February by Spanish police for their alleged role in running the “Mariposa” botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for “butterfly”).

Now, here the two Mariposa curators were at Panda’s headquarters in Bilbao, their resumes in hand, practically begging for a job, Corrons said.

“At first, I couldn’t believe it, and I thought someone in the office was playing a practical joke on me,” Corrons said. “But these guys were the real guys, and they were serious.

“Ostiator told me, ‘The thing is, with everything that’s been happening, we’re not earning any money at the moment,” Corrons recalled. “He said, ‘We thought we could look for some kind of agreement in which both sides would benefit. We think we have knowledge [that] could be useful to Panda and thought we could have some kind of agreement with Panda.'”

Spanish police do not typically release the names of individuals who have been arrested, and Netkairo and Ostiator haven’t yet been charged with any crime. But Corrons recognized that the names and addresses on the resumes matched those that police had identified as residences belonging to Netkairo and Ostiator.

Corrons said Panda’s lawyers were unwilling to release the full names of the two men that visited Panda Labs, but said Ostiator’s first name is Juan Jose, and that he is a 25-year-old male from Santiago de Compostela. Corrons said Netkairo is a 31-year-old from Balmaseda named Florencio.

Shortly after the arrests were announced, local Spanish media said the third individual arrested by Spanish authorities in connection with Mariposa — a 30-year-old identified by his initials “JPR” — used the hacker nickname “Johny Loleante” and lived in Molina de Segura, Murcia.

On Mar. 3, I had the opportunity to interview Captain Cesar Lorenzana, deputy head technology crime division of the Spanish Civil Guard. Lorenzana told Krebsonsecurity.com that Netkairo and his associate were earning about 3,000 Euros each month renting out the Mariposa botnet to other hackers.

Interviewing the same hackers less than three weeks later, Corrons asked them how they got started creating Mariposa.

“Basically, they said they started it as kind of a hobby, and that they weren’t working at the time,” Corrons said. “Suddenly, they started to earn money, a few hundred Euros a week to start, and then discovered they couldn’t stop. And the whole time, their network kept growing.”

Corrons said he told the pair there was really no way his company could hire them, but that he’d ask his boss all the same.

“I told them, ‘I’m not sure what you were thinking, but using Mariposa as your business card is not really a great help, quite the opposite in fact,'” Corrons said. “I said, ‘Well, I can’t promise anything [and] the fact you were behind Mariposa won’t work in your favor, although in any event, I don’t have the last word. I’ll speak about this with the management at Panda.’”

Corrons said the meeting ended shortly after that, and later that evening he noticed he had two new followers on Twitter. One of the new followers, a user named “FLOXTER_SEC,” a few days later sent him a message saying “please dont [sic] forget us, everyone deserves a second chance.” The name attached to that Twitter profile is one “Florencio Carro” (Spanish authorities said Netkairo’s real initials were FCR).

THE SECOND MEETING

Corrons said he had no direct contact with the two hackers again until Apr. 12, when someone calling himself Netkairo called him at work.

“He told me, ‘Listen, I’m calling because Juanjo [Ostiator] is insisting that I come and see you,” Corrons said. “He was asking about working for us again, and said, ‘We just want to know — as you haven’t answered — whether you’re thinking of hiring us or not?'”

Corrons said he met with with Netkairo again at Panda’s offices, but said he repeated his previous statement that the company could not hire someone who had been accused of running a botnet.

“So he says to me, ‘But we still haven’t been charged,’ Corrons recalled. “I told him, ‘It doesn’t matter…just the fact that you are involved is a problem when it comes to working for any serious security company.’ And what he then came out with says a lot about him. He said, “Yeah, but nobody else knows that.”

When it became clear that Panda wasn’t interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company’s cloud anti-virus software and hinting that he planned to publish the information. Later that week, someone opened a blog at Google Blogspot using the account name “NeTK,” and posted a video labeled Panda Cloud Antivirus Detection Bypass POC.

For his part, Corrons dismisses the video, saying it merely shows the obvious result of disconnecting an anti-virus solution from the Internet.

NETKAIRO RESPONDS

Reached via e-mail and instant message, Netkairo said he was limited in what he could discuss about his case at the moment. He acknowledged visiting Panda and asking for a job there, saying he was flat broke now that their Mariposa money-making machine was gone.

But he said Panda’s estimate of 12 million PCs infected by the Mariposa botnet was hugely inflated.

“I can say that they [have] 100x the real numbers just to do nice marketing,” Netkairo wrote in an e-mail. “The real size of mariposa was like 100,000, [and] peak about 500,000 to 900,000 total machines.”

Netkairo said Panda failed to take into account the prevalence of so-called “dynamic” Internet addresses, where the same computer is assigned multiple Internet addresses over a period of time.

Corrons said the 12 million estimate was never meant to mean distinct, individual PCs, and that the company was careful to note that it was only talking about the number of unique Internet addresses that it saw associated with Mariposa.

A LITTLE KNOWLEDGE IS A DANGEROUS THING

Whether the true number of PCs infected by Mariposa was one million or 12 million, the botnet culled massive amounts of personal data from infected systems. Spanish police said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries.

The botnet was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using money mules in the United States and Canada, and laundered stolen money through online gambling Web sites.

Mariposa illustrates just how much damage malicious hackers can wreak these days with just a modicum of know-how. Corrons said both Netkairo and Ostiator told him that while they did indeed maintain the Mariposa botnet, they did not develop the botnet code and had relatively few technical skills. One hacker in the criminal underground who is familiar with Netkairo’s activities said the botnet owners generated many of the installations for their bot by seeding poisoned copies of pirated software on peer-to-peer file-sharing networks.

Spanish police say the break in the case came when one of the members of the Mariposa gang made an amateur mistake: Accessing the botnet’s control networks directly from his home Internet address instead of anonymizing his connection by relaying it through a mesh of third-party systems.

Perhaps Netkairo is being so bold because he doesn’t believe he will see the inside of a prison cell for his crimes. Indeed, Spanish authorities concede it may be extremely challenging to put the men in jail, even if they are convicted at trial.

“In Spain, it is not a crime to own and operate a botnet or distribute malware,” Capt. Lorenzana told Krebsonsecurity in March. “So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”

Tags: Luis Corrons, mariposa botnet, netkairo, ostiator, panda security