LulzSec Went After Qakbot, Mariposa Bots

Published: 22/11/2024   Category: security




Meanwhile, Anonymous offering bot-herding, other hacker training for its recruits via IRC, security expert says



Had the now-defunct LulzSec hacking group had its demands met earlier this month for getting botnet intelligence from startup Unveillance, it could have wrested control of a portion of the infamous Qakbot's command-and-control infrastructure that's under the purview of the security firm.
The bots Unveillance had sinkholed are Qakbot-infected machines as well as some Mariposa-infected machines, which could have been a treasure trove of botnet firepower for the hacking group, security experts say. Qakbot is a Trojan that spreads like a worm, and its goal is to steal financial accounts and ultimately help siphon money. The botnet has been spotted on the rise, most recently infecting 1,500 Massachusetts state PCs and possibly exposing personal information of some 250,000 state residents.
Karim Hijazi, CEO and president at Unveillance, which uses sinkhole servers to pose as botnet servers that capture communiques from orphaned bots, says his firm controls a large portion of the Qakbot botnet's command-and-control infrastructure via its sinkhole servers. "I believe [LulzSec] wanted it for use for a variety of reasons," Hijazi says. "Fraud, information-stealing, reverse-proxy, [etc.]."
In addition, Unveillance sinkholed some Mariposa bots, which LulzSec was also interested in obtaining. Although law enforcement controls the Mariposa command-and-control servers themselves, there are still plenty of machines worldwide infected with the bot malware. "We still see over 4 million events/communications from infected machines part of Mariposa per hour and over 100,000 unique IP addresses an hour," Hijazi says.
LulzSec wanted Mariposa for DDoS purposes, says Pedro Bustamante, senior research adviser for Panda Security. "It's important to note that even if LulzSec [was able] to completely hack Unveillance and take over their systems, this will not have an impact on LulzSec getting access to the Mariposa botnet," Bustamante says. "The reason is that the DNS records for the Mariposa command-and-control servers are under the control of law enforcement, and are only being redirected to Unveillance for sinkholing purposes ... we can change the DNS records for the main C&C domains and point them somewhere else so as to minimize the impact of any theft of those existing Mariposa bots," he says.
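As an added illustration (not code from the article, Unveillance, or Panda Security), here is how the connection records a sinkhole collects are turned into the per-hour event and unique-IP figures Hijazi cites, keeping event volume (repeat beacons) separate from the count of distinct infected hosts. The log format and every sample record are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole connection records (not real Unveillance data):
# "<UTC timestamp> <family> <source IP> <C&C domain the bot asked for>"
SAMPLE_LOG = """\
2011-06-01T13:02:11Z mariposa 198.51.100.7 cnc1.example
2011-06-01T13:02:40Z mariposa 198.51.100.7 cnc1.example
2011-06-01T13:05:03Z mariposa 203.0.113.9 cnc2.example
2011-06-01T13:07:55Z qakbot 192.0.2.44 qk.example
2011-06-01T14:01:09Z mariposa 198.51.100.7 cnc1.example
2011-06-01T14:15:27Z qakbot 192.0.2.44 qk.example
2011-06-01T14:15:30Z qakbot 192.0.2.45 qk.example
"""


def parse_record(line):
    """Split one log line into (hour bucket, family, ip); malformed lines give None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.strftime("%Y-%m-%dT%H"), parts[1].lower(), parts[2]


def hourly_stats(log_text):
    """Return {(family, hour): {"events": n, "unique_ips": m}} over the whole log."""
    events = defaultdict(int)
    ips = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:  # skip garbage rather than abort the whole report
            continue
        hour, family, ip = rec
        events[(family, hour)] += 1
        ips[(family, hour)].add(ip)
    return {k: {"events": events[k], "unique_ips": len(ips[k])} for k in events}


def infected_hosts(log_text, family):
    """Distinct source IPs that beaconed for one family anywhere in the log."""
    return {rec[2] for rec in map(parse_record, log_text.splitlines()) if rec and rec[1] == family}


if __name__ == "__main__":
    for (family, hour), s in sorted(hourly_stats(SAMPLE_LOG).items()):
        print(f"{hour} {family:9s} events={s['events']:3d} unique_ips={s['unique_ips']}")
```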
Clues to LulzSec's botnet intentions began to surface last month, when Unveillance discovered some unusual traffic patterns around its network. On May 25, Hijazi noticed something funny was going on with his email account as well. "An email I saw on my phone was showing as already-read on my computer," even though he had not opened the message yet, he recalls.
Minutes later, he witnessed an email in his inbox go from unread to read and then back to unread again. "That was a really compelling event," he says. Between that and the unusual traffic trying to get past Unveillance's firewalls, something was definitely going amiss: "It was lockdown time," he says.
In the wee hours of the morning, Hijazi received an email with his InfraGard password in the subject line, and a message asking if he wanted to talk, signed "Love, Friends." He gathered his team at 4:30 a.m., and they began brainstorming and shoring up security.
It wasn't until later, in an online chat with the hackers, that Hijazi learned what the attackers really wanted: "They ... [were] saying, 'We want your botnet information' or they would dox us," he says. Among their demands was Qakbot information and its sinkholes: "They wanted [me] to convey ownership of the domain for DDoSing. They wanted command and control of those DDoS botnets," Hijazi says.
When Hijazi refused, they demanded money, but he replied that his firm was a start-up and didn't have any money. "On Friday, they dumped my emails online, and InfraGard was taken down," he says.
While Anonymous -- from which LulzSec originally spun off -- has been best known for crowdsourced distributed denial-of-service (DDoS) attacks using the Low Orbit Ion Cannon (LOIC) tool, the group also has relied on established botnets to take down websites it targets.
Meanwhile, Hijazi says the AntiSec operation headed by Anonymous is hosting a new hacker training school via an IRC chat room for new recruits. "New information about their new AntiSecPro hacker training school shows intent to use the ZeuS source code to train new recruits [bot-herders] how to compile and deploy a ZeuS botnet," Hijazi says.
Aside from the Zeus training and offering source code for Zeus 2.0.8.9, the #school4lulz training includes language injection via HTTP, IDS evasion, SQL injection techniques, botnet C&C protocol selection, takeover mitigation, social engineering skills, war-driving, and how to find an individual's personal information online, Unveillance says.
