Facebook has managed to take down a Greek botnet that used social media networks to spread malware, infecting 250,000 computers which were used to mine cryptocurrencies as well as stealing bitcoins, email passwords and banking details.
The Lecpetex botnet ran from December until last month and, at its peak, had compromised almost 50,000 Facebook accounts. Victims received a spam Facebook message saying something like "lol" with a zip archive attached.
Users who opened the attachment executed an embedded Java archive file, which downloaded and installed a program to secretly mine Litecoins on the computer and also stole cookies from the user's browser to gain access to the user's Facebook friend list, from which it sent out more spam messages.
At the same time, other malware sent out from the botnet would steal bitcoins, internet banking details and email passwords.
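The infection chain above starts with a zip attachment carrying a Java archive, and the article later notes that the malware was built to slip past Facebook's attachment scanning. The following is an added illustration of the defender's side of that problem, written for this page and not taken from the article or from Facebook: a small attachment scanner that opens a ZIP, flags entries with executable suffixes, identifies JAR files by their manifest rather than by name, and recurses into nested archives. The suffix list, the depth limit and the sample attachment are all constructed assumptions for the example.

```python
import io
import zipfile

# Suffixes an attachment scanner would treat as executable content.
# This list is an assumption for the example, not taken from the article.
EXECUTABLE_SUFFIXES = (".jar", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif")
MAX_DEPTH = 3  # stop descending into nested archives past this level


def _is_jar(data: bytes) -> bool:
    """A JAR is a ZIP carrying a manifest; check the content, not only the name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return "META-INF/MANIFEST.MF" in inner.namelist()
    except zipfile.BadZipFile:
        return False


def scan_archive(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return (path, reason) findings for executable content inside a ZIP.

    Nested ZIPs are opened recursively up to MAX_DEPTH; anything that is not
    a ZIP at all yields no findings (it is simply not this scanner's job).
    """
    findings = []
    if depth > MAX_DEPTH:
        findings.append((prefix.rstrip("/"), "nesting depth exceeded"))
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith(EXECUTABLE_SUFFIXES):
                findings.append((path, "executable suffix"))
            member = archive.read(info)
            if _is_jar(member):
                # A JAR hiding under a harmless-looking name is the interesting case;
                # a *.jar was already flagged by its suffix above.
                if not lower.endswith(".jar"):
                    findings.append((path, "jar content under non-jar name"))
                continue  # JAR entries are class files; no need to descend further
            if member[:2] == b"PK":  # ZIP local-file-header signature: a nested archive
                findings.extend(scan_archive(member, depth + 1, path + "/"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample attachment (not a real Lecpetex file): a ZIP holding a
    JAR named to look like a photo, a JAR named as a plain .jpg, a harmless text
    file, and a nested ZIP containing an .exe."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    nested_buf = io.BytesIO()
    with zipfile.ZipFile(nested_buf, "w") as nested:
        nested.writestr("update.exe", b"MZ placeholder")
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as outer:
        outer.writestr("readme.txt", "lol")
        outer.writestr("IMG_0001.jpg.jar", jar_buf.getvalue())
        outer.writestr("holiday.jpg", jar_buf.getvalue())
        outer.writestr("extras.zip", nested_buf.getvalue())
    return outer_buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_archive(build_sample_attachment()):
        print(f"{path}: {reason}")
```

The content-based JAR check matters more than the suffix list: renaming a JAR to `.jpg` defeats a name-only filter but not a manifest check, and recursing into nested ZIPs catches the common trick of wrapping the payload one layer deeper. A production scanner would add size and entry-count limits so that a deliberately nested or oversized archive cannot exhaust the scanner itself.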
Malware evaded anti-virus researchers
The family of different malware distributed included the DarkComet remote access Trojan, and significant effort was put in by the creators to evade both Facebook's attachment scanning software as well as anti-virus software.
Over 20 distinct spam campaigns were sent out, affecting users in Greece, Poland, Norway, India, Portugal, and the US, and the malware was not just limited to Facebook – it was also included in torrent files containing pirated content like movies, games and MP3s to trick unwitting downloaders.
"On April 30, 2014, we escalated the Lecpetex case to the Cybercrime Subdivision of the Greek Police, and the agency immediately showed strong interest in the case," Facebook's engineers wrote in a blog post.
Hackers left Facebook messages
Facebook also started to take down technical infrastructure such as testing, monetisation and distribution accounts in order to disrupt the botnet in April, and in May, the creators began leaving Facebook's engineers messages from their command and control servers saying things like:
"Hello people.. :) but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz.."
Facebook continued to hack away at the botnet with new countermeasures and automated tools to extract information from it, and finally the Greek Police arrested two hackers last week, a 31-year-old and a 27-year-old who were both informatics students.
"According to the Greek Police, the authors were in the process of establishing a Bitcoin 'mixing' service to help launder stolen Bitcoins at the time of their arrest," said Facebook.
Greek news site the Greek Reporter says that the Lecpetex operation is the biggest case ever handled by Greece's Cyber Crime Unit.