Posted by Kevin on July 10, 2014.
A new whitepaper published yesterday by F-Secure Labs provides technical details on the malware known as Lecpetex. It follows Facebook’s publication yesterday of a report titled, Taking Down the Lecpetex Botnet.
Lecpetex is a botnet designed primarily to mine bitcoins. It spreads mainly via the Facebook social network, through malicious attachments to messages sent out via the Facebook messenger service, and is thought to have infected some 250,000 computers. Both Facebook and F-Secure agree on this.
Facebook claims to have taken it down – but I never know what is meant by a botnet ‘takedown’, and always prefer the word ‘disruption’. Botnets have a tendency to return. Facebook’s own report illustrates the point. Its timeline of how ‘Facebook helps take down the botnet’ notes for April 10-17 2014, “Coordinated takedown of technical infrastructure including C2’s, distribution accounts, testing accounts, monetization accounts.” But for May 2014 it adds, “Authors leave notes for us on command and control pages and in their malware; authors switch to disposable email sites and Pastebin for command and control.” The earlier takedown was clearly not very effective.
F-Secure’s report makes no mention of any ‘takedown’, or even ‘disruption’.
The one thing that could now suggest a genuine takedown is the arrest of two Greeks by the Greek police in connection with Lecpetex. But even then, it doesn’t mean that the botnet is dead and buried forever – and even here the reports are confused and confusing. Facebook says little more than “July 3, 2014 – Greek law enforcement arrests people alleged to be primary authors”.
A report in Greek Reporter on the same day (3 July) is even more confusing:
The perpetrators were spreading the malicious software using the program Peer 2 Peer, free cracked versions of popular games, songs and films, which they were sending to their victims. They were stealing bitcoins in order to turn them into euros using the digital currency exchangers available on the internet and to collect illegal profits.
At the same time, they were stealing passwords for e-mails and bank accounts (e-banking, PayPal etc.) which they entered into a database. They even stole the e-mail password of Greece’s Ministry of Mercantile Marine.
Greek Hackers Attacked 250,000 Computers Around the World
Similarly, a report in El Universal, Mexico states (claiming to be from the EFE news agency):
The investigation revealed that the two people were Greek, acted alone and were the creators of this Trojan called “Lecpetex”, which managed to steal hundreds of thousands of bank and email passwords and to generate bitcoin virtual currency through other people’s computers.
Hackers steal personal data worldwide
Quite frankly, this doesn’t sound like the same malware as that described by F-Secure. It sounds more like, say, ZeuS…
I checked with F-Secure malware analyst Mangesh Fasale: ‘Does Lecpetex do anything other than bitcoin mining?’
“Absolutely not at this moment,” he told me. “It’s purely written to mine the bitcoins.”
Clearly, somebody has got something very wrong – and my bet is that it isn’t F-Secure. But there is a possible clue to the confusion. F-Secure states in its whitepaper,
Initially, we thought that Lecpetex was related to the “skynet bot” (more commonly known as Zeus).
Furthermore, both F-Secure and Facebook quote a message from the author/s embedded in the malware:
Designed by the Skynet Team –> but am not the fucking zeus bot/skynet bot or whatever piece of shit… no fraud here… only a bit of mining. Stop breaking my ballz…
The author says very clearly that this is not Zeus, but claims to be at least involved in the development of Zeus. It could be that some parts of the media have simply misinterpreted this statement. Or it could be that there is more to this story yet to come out. The newspapers quoted above did not get their information from either F-Secure or Facebook – they got it from the Greek police. When I asked F-Secure how Lecpetex was discovered, Mangesh Fasale told me:
As you know, F-Secure is working with Facebook on an antibot project. Facebook started targeting some malware families, so Facebook actually asked us to target the ‘Lecpetex family’. According to Facebook, Microsoft started detecting this family first, based on statistics given by the Greek police.
The sequence is not entirely clear; but it certainly seems as if the Greek police were involved very early even if they did not actually originate the operation. They may well have more information than either F-Secure or Facebook are giving out. It could be, then, that the arrest of the Lecpetex authors is actually bigger than just the arrest of the Lecpetex authors. Or not. Sean Sullivan, security researcher at F-Secure, commented,
It is still unclear whether the authors are part of the “skynet team” or not and, during our analysis, we haven’t found any evidence of it. The reason why we were thinking that it’s a bot from skynet is because in the initial variant of Lecpetex we just found the “designed by the Skynet team” message and nothing about mining. In the next variant we found the bitcoin mining module and the full message from the author that we already mentioned in our threat report.
There is still no official statement from Greek police at this moment about whether those guys are part of skynet team or not.