IE 11 is not supported. For an optimal experience visit our site on another browser.

New 'Butterfly' Botnet Could Be Biggest Ever ... Maybe

/ Source: SecurityNewsDaily

A small security firm claims to have found the biggest botnet ever, a vast network of compromised PCs stretching across 172 countries that's built to break into your online bank account.

But other major security firms have no information about it, and the FBI won't confirm its involvement in a raid said to have taken place a month ago, about which there have been no English-language news reports.

"It's completely new, and it's big, very, very big," security expert Karim Hijazi told SecurityNewsDaily.

Hijazi is CEO of Unveillance, the Wilmington, Del., company that claimed to have discovered this new botnet in a press release issued Tuesday.

Hijazi told SecurityNewsDaily the botnet is "very resilient," and said the number of host computers it has compromised is "easily over the 10 million mark."

In an interview with the Christian Science Monitor, he said the botnet was "likely to be the largest ever, based on how many countries with infected computers are connected to it and its rate of growth."

The invisible butterfly

Unveillance said the botnet is based on an updated version of the "Butterfly" malware kit, also known as "Palevo," "Pilleuz" or "Rimecud."

The Butterfly kit was used to develop the Mariposa (Spanish for "butterfly") botnet, which infected 8 million to 12 million PCs before it was taken down by authorities in December 2009.

Unveillance says the new botnet is based in Slovenia, and Hijazi gave it the name "Metulji," Slovenian for "butterfly," in an interview with Bloomberg News.

Another security expert, Chester Wisniewski of Sophos Labs, isn't so sure that this botnet is either new or especially large.

"While it [ the Palevo worm ] has been spreading more quickly in 2011, there is no reason to believe it is any larger or any more dangerous than many other malware families that are out there," Wisniewski told SecurityNewsDaily.

Hijazi argued that while Metulji is built on the same foundation that Mariposa used, it is its own dangerous entity.

"It's completely independent of Mariposa," Hijazi said. "It's completely new."

Unveillance has not yet revealed how many computers Metulji has infected, and major security firms, including Symantec, McAfee and Kaspersky, have not written about it.

Mikko Hypponen, chief security researcher with the Helsinki-based firm F-Secure, told SecurityNewsDaily that, given the evidence so far, he has "no reason to doubt" Hijazi's claims.

Claims and counterclaims

The botnet is "still growing, it's still weaponized," Hijazi said. "Information stealing is still going on with this botnet today."

As law enforcement and analysts such as Unveillance get closer to understanding and shutting Metulji down, Hijazi said it is possible the botnet could begin to morph into more dangerous forms.

"If these guys are aware that law enforcement is hot on their trail, there's a good chance they'll obfuscate some domain structures to keep [the botnet] going," Hijazi said. "I imagine we're going to see this thing get bigger before we're able to take it down."

Perhaps confusingly, Unveillance also claims that two men behind the new botnet were arrested in the Bosnian Serb Republic early last month in an international police action called "Operation Hive."

The FBI was said to have taken part, but an FBI spokesperson could not confirm the bureau's involvement to Bloomberg News.

A Google search reveals no English-language news articles about "Operation Hive." Hijazi provided a link to a Croatian website that ran a brief article on June 1st about two men arrested for Internet-related crimes.

Hijazi addressed this lack of media coverage in the Unveillance press release.

"In the wake of the recent LulzSec antics, it is surprising that this story has not yet attracted the attention of any English language newspapers," he said. "When justifying their actions, the members of LulzSec were quick to point out that there are many more criminals at work in the world, most of whom don't send out tweets every time they violate personal and corporate networks."

The LulzSec connection

Hijazi has his own history with Lulz Security, or LulzSec, who gleefully hacked into servers and entertained their Twitter followers for 50 days that ended last weekend.

At the height of the LulzSec hacking spree, Hijazi said LulzSec personally contacted him and demanded he reveal botnet intelligence data.

"Plain and simple, I refused to comply with their demands," Hijazi wrote in an official statement. "Because of this, they followed through in their threats — and attacked me, my business and my personal reputation."

"I do not regret refusing to cooperate with LulzSec," he added. "My data is of national security importance. I could not and cannot, in good conscience, agree to release my botnet intelligence to an organization of hackers."

LulzSec, however, had a different take. They claimed Hijazi wanted to hire them, and that they refused his offer.