
The Scoop on the m00p Group

Various European media outlets are reporting that investigators abroad have arrested three men they say are connected to a rather aggressive online criminal gang that goes by the name "m00p."

According to a story on the Times of London's Web site, the trio included a 63-year-old from England, a 28-year-old from Scotland and a 19-year-old from Finland. The piece notes that "all are accused of creating trojan viruses attached to spam e-mails with the intention of causing a 'massive infection.'"

I'm writing about this because I have crossed paths with m00p (referred to as "Moop" in the Times story) various times over the past couple of years in the process of reporting other stories, and I can attest to the group's malicious intent as well as the sheer size of its prodigious botnets.

These jokers are thought to be responsible for releasing the "Zotob.d worm" and for creating a Trojan horse named "Ryknos" by the anti-virus companies. Ryknos was among the first pieces of malware to hide on Windows PCs using the "rootkit" left behind by the deeply flawed anti-piracy software included on millions of Sony music CDs sold worldwide last year.

In January -- shortly after m00p released Ryknos -- a source of mine in the Internet security industry who was tracking the group followed a link I sent him to an online chat channel (mentioned in the following conversation as "playtimepiano") that m00p members were using to control more than 50,000 computers they had infected with the worm. A few minutes after joining the channel, my source was contacted by a member calling himself "Uluz" who was tending to his flock. In this conversation, "Security Guy" is my source:

Uluz: Usually you guys steer clear of close contact
Security Guy: well, i'm not really here to chat
Security Guy: just to check amount of bots if any
Uluz: 50k hits
Uluz: so of course a few got exploited
Security Guy: so where are they?
Uluz: They are hidden from prying eyes
Security Guy: are you telling 50.000 people got the email and clicked the link to go to playtimepiano?
Uluz: yes
Security Guy: so, how many msgs did you spam out then?
Security Guy: like, what's the percentage of clicks per spam?
Uluz: 5 million people got the email
Uluz: 50k followed it
Uluz: rather poor really
Uluz: but the exploit is not as good as made out to be
Uluz: rather poor in fact
Uluz: 5 million emails, 50,000 hits
Uluz: bad %
Security Guy: well, that's what i wanted to find out
Security Guy: gotta go
IRC log ended Wed Jan 04 19:24

According to another source of mine close to the investigation reported in the Times, the 63-year-old English suspect is not himself part of m00p, but allegedly rented resources from the younger suspects -- both believed to be m00p members, the source said -- to conduct massive junk e-mail campaigns. The Englishman also is suspected of buying databases of people possibly interested in what he had for sale.

Hackers who control large botnets of infected PCs have a tremendous amount of valuable information at their disposal, should they care to mine it and exploit it. (A guy whom I profiled in a cover story for the Post Magazine at one time controlled a botnet of 30,000 to 40,000 machines, but chose not to use that data.)

Still, if you are looking for an easy way to infiltrate any medium- to large-sized company out there, one great way to do it is simply to approach some of these botmasters and ask them if one of their infected machines is already located within the target organization, said Mikko Hypponen, chief research officer for F-Secure Corp., a Finnish anti-virus company.

"If you control a botnet of several tens of thousands of computers, and someone wants to buy information from Company X, the likelihood that the botmaster already has a bot in Company X is quite high," Hypponen said.

By Brian Krebs  |  June 27, 2006; 1:04 PM ET


"If you control a botnet of several tens of thousands of computers, and someone wants to buy information from Company X, the likelihood that the botmaster already has a bot in Company X is quite high,"
If that doesn't send a chill down the back of company CEOs and management (who are notoriously tight-fisted when it comes to IT security) they should probably start looking at their retirement options.
It's no longer a question of if, but when and how they will pay the price.

Posted by: R.Morris | June 29, 2006 12:09 AM | Report abuse

Hi to the security guy I met ;-)

Posted by: uluz | July 6, 2006 4:13 AM | Report abuse

Make freebsd jails in the company network and stay to see the work running :)

Posted by: m00per | July 27, 2006 2:22 PM | Report abuse

MooP > m00p

Posted by: nofx | September 10, 2006 5:33 PM | Report abuse


© 2010 The Washington Post Company