The m00p malware investigation – was justice done?

The m00p malware investigation - was justice done?

Matthew Anderson of the m00p groupThe sheer number of malware attacks conducted on a daily basis, and the tricks that can be used to hide your tracks on the internet, may make it appear as though the authorities have little chance of bringing the perpetrators to justice.

The truth is, however, that although investigations can take many years and cross many countries, some cybercriminals are being brought to justice.

Today, Detective Constable Bob Burls of the UK’s Police Central e-Crime Unit (PCeU) and F-Secure’s Mikko Hyppönen took centre stage at the Virus Bulletin conference in Barcelona to describe how the computer-crime fighting authorities and anti-virus industry worked together on one such investigation.

“Operation Kennet” was the UK police’s codename for a probe into the m00p virus-writing group – a cybercrime gang that operated from 2004 until 2006, recruiting compromised computers into an IRC-controlled botnet.

The m00p gang’s malware really made the news headlines in 2006, when the Stinx Trojan horse (also known as Breplibot) was spread widely attached to emails with the subject line “Photo Approval Needed”.

Other attacks instigated by the gang included malicious emails pretending to come from anti-virus firm F-Secure, fake emails posing as be CCTV images of a campus rapist, claiming to be emails from customers having problems accessing a website, and allegations that George W Bush and Tony Blair were conspiring over oil prices.

Embedded deep inside some of the malware’s code was a reference to the m00p gang.

The Stinx Trojan horse contained a reference to the M00P gang inside its code

Some variants of the malware took advantage of the infamous Sony DRM rootkit (using it to cloak the malware’s infection on computers), and exploited a zero-day WMF exploit.

Once hit by malware written by the m00p gang, infected computers could be accessed by the hackers remotely – giving them access to personal data such as CVs, private photographs, medical information.

Not only was privacy violated – the hackers also made financial gain through their criminal attack, stealing password lists, opening backdoors to infected computer and – most significantly – earning commission from spam that they sent from compromised PCs.

It wasn’t just home users who were victims of the m00p group – a hospital and universities were also struck by the malware attacks.

The PCeU’s Bob Burls investigated the case of the malware-infected hospital, and discovered that the botnet was being controlled by a domain registered to the website address

Further enquiries discovered that the email address was linked to a man called Matthew Anderson, and his company Opton-Security.

Computers around the world, infected by the m00p malware, were contacting servers under the control of a so-called security firm called Opton Security.

Matthew Anderson ran the website, which offered software tools including spyware utilities that could log every keystroke made on a computer.

In the early hours of June 26, 2006, in a synchronised operation, British and Finnish police arrested two suspects, and seized computers and servers for digital forensic analysis.

Okasvi – Artturi Alm
23-year-old Artturi Alm was already well known to the police in Finland – albeit not in connection to computer crime. He had a record for stealing cars and drugs offences, and was actually on parole when he was arrested by Finnish police in Ulvila, close to the city of Pori.

His skills weren’t just in pinching motorcars, however. He was also very comfortable coding in C and assembler language.

Perhaps he wasn’t so smart, however, as he embedded his social security number inside some of his malware.


Initially Alm denied any link to the m00p group’s activity, and it was purely coincidence that he had an open IRC connection to m00p’s IRC channel when he was arrested. Later he changed his mind and admitted involvement.

Possibly the fact that his right arm carried a tattoo of his online nickname “Okasvi” made it hard to convincingly deny any assocation with m00p.

Of course, for a successful prosecution you have to prove that damage has been done. Four Finnish victims were found, all of them companies. After being contacted, all agreed to press charges which were used against Alm.

Although found guilty, and being on parole when he committed the crimes, Artturi Alm ended up with just a community service sentence.

You can probably understand why those interested in fighting computer crime would find such weak sentences very frustrating – although DC Burls was keen to point out that it was not appropriate for him to comment on sentencing.

Warpigs – Matthew Anderson
Although you may suspect that a hacker using handles such as “Warpigs” might be the archetypal teenage hacker, the truth was that Matthew Anderson was really a 33-year-old father of five from Drummuir in Scotland.

Anderson was actually logged in as the administrator of the m00p IRC server when arrested.

As well as stolen data and incriminating chat logs, sinister images, taken secretly of female victims via compromised webcams, were found on Anderson’s computer.

In an online chat with another hacker, Anderson/”Warpigs”, bragged of compromising a teenage girl’s PC and took a webcam video of his victim bursting into tears after his online taunts:

Warpigs chat log

In November 2010, Judge Geoffrey Rivlin QC at Southwark Crown Court showed little sympathy for Anderson’s actions:

"Your motivation throughout, apart from the relatively small sums of money that you obtained by way of payment from the business leads, was the pleasure and satisfaction that you derived from achieving such a massive invasion into the personal lives of so many others and also the sense of power that invasion gave you."

"Whilst you may not have been engaged in fraud, it is fair to say that in an age in which computers play such an important part in the lives of so many people and businesses, an offence of this nature inevitably raises great concern and consternation."

Anderson, the leader of the m00p group, was sentenced to 18 months in prison.

The third arrest
Alongside the police swoops on “Warpigs” and “Okasvi”, a third man was reportedly arrested.

The man, a 63-year-old from Suffolk, UK, was said to have not directly been a member of the m00p gang – but to have hired the compromised computers for the purposes of sending spam.

He was later released without charges being brought against him.

The rest of the m00p gang
And as for the rest of the m00p gang? They remain at large – hopefully no longer engaged in cybercrime, but certainly not paying the price for their crimes.

The computer crime authorities found evidence that 65 million email addresses had been targeted, that the gang made money by referring traffic to other websites, and that the m00p gang was truly international with members hailing from Canada, Scotland, Finland, USA, Kuwait, France, and Italy.

The good news is that the m00p operation was shut down, and two bad guys were caught. But there were at least 12 members of gang – some are known, but have not been brought to court and may never will.

The PCeU and the Finnish National Bureau of Investigation should be thanked for the years of effort they put into investigating this case. The presentation by Bob Burls and Mikko Hyppönen really brought home the huge amount of detailed work which has to be done to bring a cybercriminal to justice.

Let’s hope that there will be more international co-operation and more resources given to the computer crime fighting authorities to investigate these complicated cases in the future.