The m00p malware investigation - was justice done?

Filed Under: Botnet, Law & order, Malware, Spam

Matthew Anderson of the m00p groupThe sheer number of malware attacks conducted on a daily basis, and the tricks that can be used to hide your tracks on the internet, may make it appear as though the authorities have little chance of bringing the perpetrators to justice.

The truth is, however, that although investigations can take many years and cross many countries, some cybercriminals are being brought to justice.

Today, Detective Constable Bob Burls of the UK's Police Central e-Crime Unit (PCeU) and F-Secure's Mikko Hyppönen took centre stage at the Virus Bulletin conference in Barcelona to describe how the computer-crime fighting authorities and anti-virus industry worked together on one such investigation.

"Operation Kennet" was the UK police's codename for a probe into the m00p virus-writing group - a cybercrime gang that operated from 2004 until 2006, recruiting compromised computers into an IRC-controlled botnet.

The m00p gang's malware really made the news headlines in 2006, when the Stinx Trojan horse (also known as Breplibot) was spread widely attached to emails with the subject line "Photo Approval Needed".

Other attacks instigated by the gang included malicious emails pretending to come from anti-virus firm F-Secure, fake emails posing as be CCTV images of a campus rapist, claiming to be emails from customers having problems accessing a website, and allegations that George W Bush and Tony Blair were conspiring over oil prices.

Embedded deep inside some of the malware's code was a reference to the m00p gang.

The Stinx Trojan horse contained a reference to the M00P gang inside its code

Some variants of the malware took advantage of the infamous Sony DRM rootkit (using it to cloak the malware's infection on computers), and exploited a zero-day WMF exploit.

Once hit by malware written by the m00p gang, infected computers could be accessed by the hackers remotely - giving them access to personal data such as CVs, private photographs, medical information.

Not only was privacy violated - the hackers also made financial gain through their criminal attack, stealing password lists, opening backdoors to infected computer and - most significantly - earning commission from spam that they sent from compromised PCs.

It wasn't just home users who were victims of the m00p group - a hospital and universities were also struck by the malware attacks.

The PCeU's Bob Burls investigated the case of the malware-infected hospital, and discovered that the botnet was being controlled by a domain registered to the website address warpiglet@gmail.com

Further enquiries discovered that the email address was linked to a man called Matthew Anderson, and his company Opton-Security.

Computers around the world, infected by the m00p malware, were contacting servers under the control of a so-called security firm called Opton Security.

Matthew Anderson ran the opton-security.com website, which offered software tools including spyware utilities that could log every keystroke made on a computer.

In the early hours of June 26, 2006, in a synchronised operation, British and Finnish police arrested two suspects, and seized computers and servers for digital forensic analysis.

Okasvi - Artturi Alm
23-year-old Artturi Alm was already well known to the police in Finland - albeit not in connection to computer crime. He had a record for stealing cars and drugs offences, and was actually on parole when he was arrested by Finnish police in Ulvila, close to the city of Pori.

His skills weren't just in pinching motorcars, however. He was also very comfortable coding in C and assembler language.

Perhaps he wasn't so smart, however, as he embedded his social security number inside some of his malware.

Okasvi

Initially Alm denied any link to the m00p group's activity, and it was purely coincidence that he had an open IRC connection to m00p's IRC channel when he was arrested. Later he changed his mind and admitted involvement.

Possibly the fact that his right arm carried a tattoo of his online nickname "Okasvi" made it hard to convincingly deny any assocation with m00p.

Of course, for a successful prosecution you have to prove that damage has been done. Four Finnish victims were found, all of them companies. After being contacted, all agreed to press charges which were used against Alm.

Although found guilty, and being on parole when he committed the crimes, Artturi Alm ended up with just a community service sentence.

You can probably understand why those interested in fighting computer crime would find such weak sentences very frustrating - although DC Burls was keen to point out that it was not appropriate for him to comment on sentencing.

Warpigs - Matthew Anderson
Although you may suspect that a hacker using handles such as "Warpigs" might be the archetypal teenage hacker, the truth was that Matthew Anderson was really a 33-year-old father of five from Drummuir in Scotland.

Anderson was actually logged in as the administrator of the m00p IRC server when arrested.

As well as stolen data and incriminating chat logs, sinister images, taken secretly of female victims via compromised webcams, were found on Anderson's computer.

In an online chat with another hacker, Anderson/"Warpigs", bragged of compromising a teenage girl's PC and took a webcam video of his victim bursting into tears after his online taunts:

Warpigs chat log

In November 2010, Judge Geoffrey Rivlin QC at Southwark Crown Court showed little sympathy for Anderson's actions:

"Your motivation throughout, apart from the relatively small sums of money that you obtained by way of payment from the business leads, was the pleasure and satisfaction that you derived from achieving such a massive invasion into the personal lives of so many others and also the sense of power that invasion gave you."

"Whilst you may not have been engaged in fraud, it is fair to say that in an age in which computers play such an important part in the lives of so many people and businesses, an offence of this nature inevitably raises great concern and consternation."

Anderson, the leader of the m00p group, was sentenced to 18 months in prison.

The third arrest
Alongside the police swoops on "Warpigs" and "Okasvi", a third man was reportedly arrested.

The man, a 63-year-old from Suffolk, UK, was said to have not directly been a member of the m00p gang - but to have hired the compromised computers for the purposes of sending spam.

He was later released without charges being brought against him.

The rest of the m00p gang
And as for the rest of the m00p gang? They remain at large - hopefully no longer engaged in cybercrime, but certainly not paying the price for their crimes.

The computer crime authorities found evidence that 65 million email addresses had been targeted, that the gang made money by referring traffic to other websites, and that the m00p gang was truly international with members hailing from Canada, Scotland, Finland, USA, Kuwait, France, and Italy.

The good news is that the m00p operation was shut down, and two bad guys were caught. But there were at least 12 members of gang - some are known, but have not been brought to court and may never will.

The PCeU and the Finnish National Bureau of Investigation should be thanked for the years of effort they put into investigating this case. The presentation by Bob Burls and Mikko Hyppönen really brought home the huge amount of detailed work which has to be done to bring a cybercriminal to justice.

Let's hope that there will be more international co-operation and more resources given to the computer crime fighting authorities to investigate these complicated cases in the future.

, , , , , , , , , , ,

You might like

5 Responses to The m00p malware investigation - was justice done?

  1. elmo · 1092 days ago

    Matthew Anderson and others like him need some serious physical pain instead of community service and short sentences. The justice systems in so many countries are at times a bad joke. These jerks laugh at our courts. It's sad.

    • Blue collar vs. white collar punishments are ridiculous. Cyber criminals tend to not get caught so we should really up the ante but alas white collar punishments are much weaker than blue collar punishments. A white collar crime can do as much and more damage than a violent crime. Personal financial damages in the form of identity theft can kill a person with depression. A bullet in the head is kind in comparison. It is sad.

  2. John · 1091 days ago

    I agree, these guys have gotten too little for what they have done. the screen shot of his convo making the girl cry is pretty disturbing in my opinion. If i were to judge this case they would have gotten way more time haha. Its sad how some people like to do stuff like this. I also think the tattoo of his online name was a dumb idea.. its like duh dude. this whole article just baffles me, but it was a good read.

  3. Jerren · 764 days ago

    IMHO Justice was not served here, especially not for the young lady...

    Quite frankly there needs to be consistent international laws drafted and agreed upon by all countries to address the issues in this case as well as other malicious online activities and a internationally lead governing body to enforce them. Without some sort of international cooperation and consensus on these issues it's far too hard to prosecute internet crimes across borders. Sadly the Law lags way too far behind technology.

    One of the most frustrating things for me from an enterprise defense and forensics point of view is putting forth countless hours of time preserving and analyzing evidence only to find out the perpetrator is beyond your reach or to find out when you reach out to local authorities to find no crime was committed under the laws in their jurisdiction.

    While i don't have all the details of this particular case it's probably a safe assumption that is why only 2 out of 12 where actually convicted.

  4. Keith Roberts · 735 days ago

    I think that all internet users MAC addresses should be registered in a nation wide database, and it should be a criminal offence to spoof or change it.

    Like when a person buys a TV the TVL is notified, the same could apply to a MAC address?

    People are not allowed to drive motors without a valid vehicle registration plate. If somebody removed the number plates from their vehicle because they wanted privacy while driving their motor, they would soon be pulled over to the kerb.

    The same applies to using the information highway. By tracking a person's registered MAC address(es) (which could be passed to the server and logged like an IP address) the download can be traced right to the very machine that was used for that download.

    Even if the MAC address is not logged by the server, it can still be saved for evidence a particular machine has downloaded something dubious, by logging the download from the ISP connection, on a split tee connection such as a real hub.

    In the case of Ethernet adapters, these should have their MAC addresses registered as well.

    Just my 2 cents worth here.

    Kind Regards,

    Keith

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.