Menu
Facebook kills Lecpetex botnet, which hit 250,000 computers

Facebook kills Lecpetex botnet, which hit 250,000 computers

Greek police made two arrests last week, Facebook said

Facebook said police in Greece made two arrests last week in connection with a little-known spamming botnet called Lecpetex, which used hacked computers to mine the Litecoin virtual currency.

As many as 50,000 Facebook accounts were affected, and as many as 250,000 computers worldwide, primarily in Greece, Poland, Norway, India, Portugal and the U.S., according to a blog post on Tuesday from Facebook's Threat Infrastructure team.

The social networking site described the difficulties in shutting down the botnet, whose creators taunted Facebook through messages left on servers that were part of its network.

Those behind Lecpetex launched at least 20 spam campaigns between December 2013 and last month, affecting Facebook and other online services. Some of the victims received private messages containing a ".zip" attachment containing a Java JAR file or Visual Basic script.

Those files, if executed, would then retrieve other malware modules stored on remote sites. The modules were either DarkComet, a widely used remote access tool that can harvest login credentials, or variants of software that mines the virtual currency Litecoin, the team wrote.

By frequently refreshing and changing the malicious attachments, Lecpetex defeated Facebook's filters designed to stop such malware from being distributed. The malware would also automatically update itself to evade antivirus products.

"The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail," the team wrote.

Facebook said it reached out to other infrastructure providers and law enforcement when it realized security software wasn't alone going to foil Lecpetex.

"Ultimately, remediating a threat like Lecpetex requires a combination of technical analysis capabilities, industry collaboration, agility in deploying new countermeasures and law enforcement cooperation," it wrote.

The creators of Lecpetex eventually caught on to Facebook's efforts. In May, they started leaving notes on command-and-control servers they knew Facebook was investigating, playfully saying they weren't involved in fraud.

"These changes suggested to us that the authors were feeling the impact of our efforts," Facebook wrote.

Greece's Cybercrime Subdivision was notified on April 30. By July 3, Greece told Facebook two suspects were in custody, and that they had been creating a Bitcoin "mixing" service to help launder their proceeds. Mixing services aim to make Bitcoin transfers harder to follow.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityinternetmalwareFacebooksocial networkingInternet-based applications and services

Featured

Slideshows

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Kiwi channel debates GDPR as Reseller News Exchange hits Wellington

Kiwi channel debates GDPR as Reseller News Exchange hits Wellington

This exclusive Reseller News Exchange, in association with Arrow ECS ANZ, ForeScout and StorageCraft, went on the road to debate the early implications of GDPR in New Zealand, extracting opportunities while evaluating challenges for the channel in the year ahead.

Kiwi channel debates GDPR as Reseller News Exchange hits Wellington
Show Comments