Friday, August 22, 2008

Shadow Botnet case may yield spammer Leni Neto

The case of the "Shadow Botnet", which peaked at 150,000 machines, will hopefully bring long-time phisher and pill-spammer Leni Neto to justice. On July 29th, the Dutch police arrested a 19-year-old Dutch man and his 16-year-old brother. We now know the elder brother is Nordin Nasiri, from Sneek, Netherlands. The Shadow botnet spread through the Microsoft Windows Live Messenger instant messaging network: IM users would receive a text message from a friend containing a link to download a file. If the file was downloaded, that machine would then send the same invitation to everyone in its Microsoft Messenger address book. The Dutch also arrested a Brazilian visitor, Leni de Abreu Neto, 35, of Taubaté, Brazil, who was arranging to lease the botnet from Nasiri for 25,000 Euros. Nasiri indicated that he believed Neto would be using the botnet to send spam.

That's a pretty good guess: IP addresses and domains used in past spam have come up over and over as belonging to "Leni Neto" in Brazil.

Our colleague in anti-spam blogging, Spam Hound, has such an example in his blog from June 2006!

Leni is a fairly technical person, if he's the same Brazilian Leni Neto found sharing his expertise on "mysql.com".

But mostly we know Leni as a spammer, one who, fortunately, in 2004 hadn't yet learned the importance of hiding his identity, as evidenced by the WHOIS information for this US Bank phish from 2004 at "USBANK-SECURE.BIZ":

Domain Name: USBANK-SECURE.BIZ
Domain ID: D7530751-BIZ
Sponsoring Registrar: GO DADDY SOFTWARE, INC.
Domain Status: ok
Registrant ID: GODA-07675458
Registrant Name: Leni Neto
Registrant Organization: BR IT Consulting
Registrant Address1: Av Cons Nebias, 340 Cj 64
Registrant City: Santos
Registrant State/Province: Sao Paulo
Registrant Postal Code: 11015-002
Registrant Country: Brazil
Registrant Country Code: BR

Back then, AbuseButler listed Leni Neto as the registrant of at least twelve spammed domains in September 2004. ScamFraudAlert has also listed some Leni Neto-owned domains, such as "lilo-three.com", and Ackadia's Anti-Spam Pages mention him as the owner of utoometoo.biz and wallacerights.com, registered to his email address "lneto77@uol.com.br". Nigerianspam.com listed him in their second tier, "Lesser (bleep)-eating scumbags", crediting him with 345 419-scam emails. He was also listed as the owner of a company running Digital Cable Filter scams, "roll-toit.biz". Toasted Spam documents his pill-spamming under the domain "moreofitnow.biz", also in February 2004.
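The linking done above, from one WHOIS record to a dozen more domains through the same registrant name and e-mail address, is a registrant pivot. The following is an added example, not code from the original post or from any of the sites it cites: a small parser for "Key: Value" WHOIS text and a transitive pivot over registrant name and e-mail. The first record is the USBANK-SECURE.BIZ WHOIS quoted above; the other records are constructed stand-ins (the post names utoometoo.biz, wallacerights.com and the lneto77 address but does not quote their WHOIS, so their field contents here are assumptions), plus one unrelated domain that must not be pulled in.

```python
import re
from collections import defaultdict

# Constructed sample set. The first record is the USBANK-SECURE.BIZ WHOIS quoted
# in the post; the others are made-up stand-ins (the post names these domains and
# the e-mail address, but does not quote their WHOIS) plus one unrelated domain.
WHOIS_RECORDS = [
    """Domain Name: USBANK-SECURE.BIZ
Domain ID: D7530751-BIZ
Sponsoring Registrar: GO DADDY SOFTWARE, INC.
Domain Status: ok
Registrant ID: GODA-07675458
Registrant Name: Leni Neto
Registrant Organization: BR IT Consulting
Registrant Address1: Av Cons Nebias, 340 Cj 64
Registrant City: Santos
Registrant State/Province: Sao Paulo
Registrant Postal Code: 11015-002
Registrant Country: Brazil
Registrant Country Code: BR""",
    """Domain Name: utoometoo.biz
Registrant Name: LENI  NETO
Registrant Email: LNeto77@uol.com.br""",
    """Domain Name: wallacerights.com
Registrant Name: L. Neto
Registrant Email: lneto77@uol.com.br""",
    """Domain Name: unrelated.example
Registrant Name: Some Other Person
Registrant Email: someone@example.net""",
]


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict with lower-cased keys.

    Lines without a colon (banners, disclaimers) are skipped; a later
    duplicate key overwrites an earlier one, which is acceptable for a pivot.
    """
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key and value:
            record[key] = value
    return record


def normalize(value):
    """Collapse whitespace and case so 'LENI  NETO' and 'Leni Neto' match."""
    return re.sub(r"\s+", " ", value).strip().lower()


def build_indexes(records):
    """Index parsed records by domain and build name and e-mail pivot tables."""
    by_domain, by_name, by_email = {}, defaultdict(set), defaultdict(set)
    for text in records:
        r = parse_whois(text)
        domain = normalize(r.get("domain name", ""))
        if not domain:
            continue
        by_domain[domain] = r
        if "registrant name" in r:
            by_name[normalize(r["registrant name"])].add(domain)
        if "registrant email" in r:
            by_email[normalize(r["registrant email"])].add(domain)
    return by_domain, by_name, by_email


def linked_domains(records, seed):
    """Expand from one domain to every domain reachable through a shared
    registrant name or e-mail, transitively: a differently spelled name is
    still linked when it shares an e-mail with an already-linked domain."""
    by_domain, by_name, by_email = build_indexes(records)
    seen = {normalize(seed)}
    frontier = list(seen)
    while frontier:
        r = by_domain.get(frontier.pop(), {})
        neighbours = set()
        if "registrant name" in r:
            neighbours |= by_name[normalize(r["registrant name"])]
        if "registrant email" in r:
            neighbours |= by_email[normalize(r["registrant email"])]
        for d in neighbours - seen:
            seen.add(d)
            frontier.append(d)
    return sorted(seen)


if __name__ == "__main__":
    for d in linked_domains(WHOIS_RECORDS, "USBANK-SECURE.BIZ"):
        print(d)
```

Starting from USBANK-SECURE.BIZ, the name pivot reaches utoometoo.biz and the e-mail pivot then reaches wallacerights.com even though its registrant name is spelled differently; the unrelated domain stays out. Normalizing whitespace and case before indexing matters, because registrars do not present the same registrant string consistently.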

With all of that information, let me be the first to say, Leni Neto, welcome to the United States of America!

Shutting Down the Botnet

The nice twist in this case is that the Dutch High-Tech Crime Unit worked with Kaspersky Anti-Virus to create special instructions for the victims, using the criminals' own botnet to identify which people needed to be notified of how to remove the infection!

Once infected, bots would connect to an IRC server hosted at "elena.ccpower.ru" on port 3306 and join chat rooms with names such as "#.nigger" or "#.xxcc2". In discussions of this particular botnet on the Ryan1918.com forum dating back as far as May 18th, security aficionados such as a "superior member" there named "SF" said that the botnet belonged to "whoopies" and that it contained 105,000 bots.

Kaspersky's instructions for removing the bot are given both in Dutch and English.

Unfortunately, law enforcement in general seems to have very little interest in actually shutting down botnets, despite a few high-profile cases such as those in Operation Bot Roast II.

Take this botnet, for instance. The Command & Control host, "elena.ccpower.ru", has been a well-documented botnet C&C site for years! Look, for example, at this McAfee AV report from 2005, which lists both this site and this channel as the way a particular piece of malware spreads.

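Both passages above make the same point from the defender's side: the C&C host, port and channel names were published indicators, so any site watching its outbound traffic could have found its own infected machines, much as the Dutch unit identified victims. The following is an added example, not code from the original post, Kaspersky or the Dutch police: a small matcher that runs the post's indicators over a few constructed connection-log lines. The log format (`src=`, `dst=`, `dport=`, and an optional `irc=JOIN <channel>` field as a proxy or IDS might emit) is an assumption, and only the "#.xxcc2" channel name from the post is used.

```python
import re

# Indicators from the post: the C&C host and port, and one of the channel names.
# Treating them as a blocklist here is this example's assumption, not the post's.
CNC_HOSTS = {"elena.ccpower.ru"}
CNC_PORTS = {3306}
CNC_CHANNELS = {"#.xxcc2"}

# Constructed sample log. Line 3 is legitimate MySQL traffic to an internal
# database on the same port 3306, and line 4 is a benign IRC join; neither
# should alert. Line 5 joins the known channel on a different server.
SAMPLE_LOG = [
    "2008-07-29T10:15:02 src=192.0.2.17 dst=elena.ccpower.ru dport=3306 proto=tcp",
    "2008-07-29T10:15:03 src=192.0.2.17 dst=elena.ccpower.ru dport=3306 proto=tcp irc=JOIN #.xxcc2",
    "2008-07-29T10:16:40 src=192.0.2.44 dst=db01.corp.example dport=3306 proto=tcp",
    "2008-07-29T10:17:05 src=192.0.2.58 dst=irc.example.org dport=6667 proto=tcp irc=JOIN #help",
    "2008-07-29T10:18:11 src=192.0.2.91 dst=irc.example.org dport=6667 proto=tcp irc=JOIN #.XXCC2",
    "this line is not in the expected format and is skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: proto=\S+)?(?: irc=(?P<cmd>\S+) (?P<chan>\S+))?"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    event["dst"] = event["dst"].lower()
    return event


def match_indicators(event):
    """Return the names of the rules an event trips.

    Host and port are required together: port 3306 alone is ordinary MySQL
    traffic and would flood the analyst with false positives. The channel rule
    is independent of host and port, so a bot herded to a new server but
    still using the known channel name is caught.
    """
    hits = []
    if event["dst"] in CNC_HOSTS and event["dport"] in CNC_PORTS:
        hits.append("cnc-host-port")
    if event.get("cmd") == "JOIN" and (event.get("chan") or "").lower() in CNC_CHANNELS:
        hits.append("cnc-irc-channel")
    return hits


def scan(lines):
    """Run every parseable line through the rules; yield (timestamp, source, rule)."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for rule in match_indicators(event):
            findings.append((event["ts"], event["src"], rule))
    return findings


def infected_hosts(lines):
    """The distinct internal sources that need a cleanup notice."""
    return sorted({src for _, src, _ in scan(lines)})


if __name__ == "__main__":
    for ts, src, rule in scan(SAMPLE_LOG):
        print(ts, src, rule)
    print("notify:", ", ".join(infected_hosts(SAMPLE_LOG)))
```

On the sample log this produces four findings and two hosts to notify (192.0.2.17 and 192.0.2.91); the internal database client and the ordinary IRC user are left alone. The point of the two separate rules is that a single indicator, such as the port, is not specific enough on its own, while the channel name survives a move of the C&C server.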
Acting Assistant Attorney General Matthew Friedrich of the Criminal Division and Jim Letten, U.S. Attorney for the Eastern District of Louisiana, announced Thursday, August 21 that they had indicted Neto, and that extradition proceedings were underway to have Neto sent from the Netherlands to New Orleans for trial. The case is another example of international cooperation, with the Cyber Squad of the FBI's New Orleans field office, the Dutch Hi-Tech Crimes Unit and the Cyber Section of the Brazilian Federal Police all working together to bring about the arrest and indictments.
