Botnet virtual currency hackers caught by Greek police

Greek police have arrested two people in connection with a botnet that hacked computers to mine a virtual currency similar to Bitcoin and affected over 250,000 machines worldwide.

Facebook’s Threat Infrastructure team published a blog post explaining that as many as 50,000 Facebook accounts and 250,000 machines have been affected by the botnet, with most of them in Greece, Poland, Norway, India, Portugal and the US, according to PC World.

A total of 20 spam campaigns were launched between December 2013 and June this year, with victims receiving private messages containing .zip attachments that included a Java JAR file or Visual Basic script.

If executed, the files retrieved other malware modules from remote sites. These modules were either DarkComet or variants of software capable of mining the virtual currency Litecoin.

Facebook found it hard to shut down the botnet and the creators even taunted the company by leaving messages on servers that are part of the social networking site’s network.

“The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail,” Facebook’s team wrote.

When Facebook realised that it wasn’t able to counter the threat with just security software, it reached out to other infrastructure providers and law enforcement authorities. The creators caught on to this and left notes on command-and-control servers acknowledging Facebook’s investigation, adding that they weren’t involved in fraud.

Greece’s Cybercrime Subdivision was one of those notified by Facebook on 30 April, and it took until 3 July for suspects to be taken into custody. The cops told Facebook that the two had created a Bitcoin “mixing” service to launder the currency, which makes it harder for Bitcoins to be tracked.