Wednesday, November 24, 2010

Another M00P Group Member arrested



Pardon me while I have a Matrix-moment imagining this conversation. Matthew Anderson is sitting in a small room, and Detective Constable Bob Burls is flipping through the charges against him. "Mister Anderson ... it seems you've been living TWO lives. In one life, you're Matthew Anderson, program writer for a respectable software company. You have a social security number, you pay your taxes, and you help your landlady carry out her garbage. The other life is lived in computers, where you go by the hacker alias "Warpiglet" and are guilty of virtually every computer crime we have a law for. One of these lives has a future, and one of them does not."

OK, back to reality . . . who is Mister Anderson? Let's back up a bit.

In 2006, Brian Krebs, then of the Washington Post, ran a story in his Security Fix column called The Scoop on the m00p Group. The story started as an analysis of a June 27, 2006 Times of London story, Virus hackers held in UK and Finland. The Times told us that the suspects were a 63-year-old from England, a 28-year-old from Scotland, and a 19-year-old from Finland, who had released malware known variously as Ryknos, Breplibot, or Stinkx. Thousands of machines were hijacked, mostly in the UK, in violation of the 1992 Computer Security Act charge of "conspiracy to commit unauthorised modification of computer material", which at the time carried a maximum penalty of six months in prison and a £5,000 fine. Krebs went on to claim that "these jokers are thought to be responsible for releasing the Zotob.d worm." The Ryknos bot was an old-school IRC-controlled botnet. All of the bots were directed to join an Internet Relay Chat (IRC) channel where they would receive further commands from the bad guys, known as "botherders" in the community. One of Krebs' sources determined the method by which the bots joined the chat room and did so himself, sharing an interesting Chat Log back with Brian, in which a botherder calling himself Uluz claimed he had sent out 5 million spam messages and that 50,000 people had become infected and joined the chat room. Krebs believed the 63-year-old Brit was not a malware person himself, but was paying the botherders to deliver spam email messages using their bot-controlled computers.

We now know that Uluz, aka Warpigs, aka Warpiglet, aka Aobuluz, was actually Mr. Anderson.

What happened to the criminals? First, it is unlikely that m00p were the authors of Zotob, although they may have been using a Zotob variant. The author of Zotob was Farid Essebar, a 19-year-old Moroccan, who was sentenced to a two-year prison term in September of 2006. (See the Symantec report Zotob author sentenced to 2 years in prison. Diabl0, as Essebar was known, created as many as 20 variants of his bot, and it's possible that m00p was a customer of that process.)

In a Swedish language story published September 17, 2007, the headline read "Finnish man suspected of computer crimes" and gave more details (source: Finsk man misstänks för databrott with some help from Google Translate.)

A young man from Pori is suspected of having participated in a computer hijacking offensive against millions of computers.

According to the police in Pori, the man made malware that uses e-mail distributed to tens of millions of computers around the world. The man admits that he made 30-40 different malware programs. The malware was so-called trojan horse programs, which means that the people managing the malware had access to the compromised computer and its contents. The hijacked computers formed botnets that can be used, for example, to spread malware.

The man is suspected to have belonged to an international group of computer criminals, led by a British man. The police found that group m00p had 64 million email addresses for spreading the malware.

The preliminary investigation on the most comprehensive data breach in Finland will be ready in September and then go for an objective consideration of the charges in the prosecutor's office in Satakunta.


Three days later, Finnish technology magazine DigiToday ran a story about the arrest of a member of the M00P Group that no one in English-speaking countries paid much attention to, perhaps with the exception of Detective Constable Bob Burls of the Metropolitan Police of London: M00p-ryhmä toimi tietoturvayhtiön suojissa ("The M00P group operated under the cover of a security company"). The story claims that while a company sold security software as a cover, secretly the group was distributing malware and botnets. The 63-year-old Englishman is said in this article to have hired the m00p group to infect members of a rival company and to gather information about that company from the data their trojans could harvest from the rival's computers.

DC Bob Burls, from the Police Central e-Crime Unit (PCeU), was still on the case all this time. Last month, Matthew Anderson, now 33 years old, pleaded guilty to his role in the group, as reported by the UK's IT Pro in their story of October 25, 2010, Virus spreading snooper pleads guilty. That story continued: "A 33-year-old Scottish franchise manager helped spread viruses and spied on people via webcams". Burls is quoted as saying:

This organised online criminal network infected huge numbers of computers around the world, especially targeting UK businesses and individuals. Matthew Anderson methodically exploited computer users not only for his own financial gain but also violating their privacy.
- DC Bob Burls

We now know some more about the Finland-based hacker and his sentence. He did plead guilty to the charges mentioned above, and was sentenced to the harsh term of EIGHTEEN DAYS, yes, 18 DAYS, not months, and was forced to serve community service.

Fortunately, the Brits are a bit more reasonable in their sentencing. Anderson was sentenced on November 23 to serve 18 months in prison. The penalties were stiffened in 2008 under the law with which he was charged. If his crimes had occurred after October 2008 the maximum penalty could have been 10 years, and the judge noted, according to this article in The Register, that he would have received at least 36 months instead.

The Daily Mail describes Anderson as a father of five, who did most of his hacking from his mother's front room in the Scottish Highlands town of Banffshire, Scotland. They claim he sent out 50 million spam emails with a malicious attachment, and at least 200,000 people clicked on the attachment, "enslaving" their computers to Anderson. Anderson was then able to gather files and photographs from their computers and to turn on their web cameras and record video. According to the Daily Mail, "At his leisure he then sat spying into the living rooms or bedrooms of strangers."

In captured text from his computer, Anderson, using the name "Warpigs" boasts to another hacker, "CraDle", of one 16-year-old girl he had been "tormenting for hours" and saved a video of her bursting into tears as he made his presence known by changing her screen. According to DC Burls, the images and videos kept as trophies were carefully catalogued: passwords, CVs, medical records, intimate photos, etc.

Similar to yesterday's blog post, he claims that personal tragedy led to his career choice. He became house-bound in his early 20s, experiencing panic attacks when he went out in public. This led to his fascination with online chat. His company is a computer security firm, ironically protecting its customers, supposedly, from people just like him.

The only financial gain for Anderson seems to be his selling of email addresses that he had harvested from his bot computers. Only £12,000 in profit can be proven. In addition to private computers, Anderson controlled systems at John Radcliffe Hospital, Oxford University, and several non-military government computers in the UK.

According to the story Scottish botnet master jailed for 18 months by Chris Williams at TheReg, it was the hospital computer case that led the PCeU to get involved. Burls was called to the hospital when the malware was discovered, and tracked the command and control of the botnet to a domain registered to the email address "warpiglet@gmail.com". Inquiries to Paypal and eBay helped link that email address to Matthew Anderson and his company, Opton-Security.

Having his email address makes it possible to find quite a few interesting emails from Mr. Anderson.

Here's one forum post to the Toyota USENET Discussion Group "alt.autos.lexus" found on Toyota Nation:

admin@opton-security.com
02-21-2006, 11:01 AM Subject: How to keep your private files private

Hello,

I would like to offer you the chance of owning a very powerful product of ours. Opton FileCrypt is designed to keep your private files private. These can be personal files where you store your important passwords, credit card or banking details. It can also be used to protect legal documents, private databases, images and music files. In fact, it will lock and protect any filetype available on a PC.

If you have anything at all you would like to keep away from prying eyes then this tool will lock & encrypt the files at a click of a button using MD5 encryption technology.

If you are at all worried about your personal information getting into the wrong hands, having your private images and files being looked at by your children or by anyone without authorised access or being the victim of Identity Theft then I recommend this application highly. Its simplicity of use makes it reachable to all PC owners as no advanced skills are needed to operate the software.

To read more and possibly make a purchase please visit us at www.opton-security.com

Kind regards

John Anderson


The ironic reply to this thread, from Travis Jordan, was:

Now why would Mr. Anderson's UK-based company whose email address is
known variously as

sales@opton-security.com
admin@opton-security.com
code@opton-security.com
and their domain contact
warpiglet@gmail.com

post this commercial material to a Lexus newsgroup?

I suppose it might be because

sales@opton-security.com
admin@opton-security.com
code@opton-security.com
and
warpiglet@gmail.com

aren't getting enough spam.


Most Opton Security products, such as Opton FileCrypt Pro, were distributed as try-before-you-buy trial software. Some are creepy when you consider the charges above. Consider, for example, the description of the product "Opton Monitor Pro 1.0":

"Designed to record everything that is done on your business or home PC."

I'm guessing the license didn't reveal that the author's hobby was the same thing.

Investigators speculate that the m00p gang's success rate was approximately 1 computer take over for every 250 spam emails sent. The original spam campaign claimed that the recipient's computer was infected and that the attached program was being provided to fix it. At one point during police monitoring, police observed 1,743 new computers being added to the botnet in one 90 minute period.

Other members of the m00p gang hacked under the aliases Kdoe, CraDle and Okasvi, the last being the alias of Artturi Alm, the Finland-based hacker who received the 18 day sentence, which the British press describe as his being "brought to justice", of which I am not quite so convinced.

Anderson, photo from Metro.co.uk

1 comment:

  1. Other members of the m00p gang hacked under the aliases Kdoe, CraDle and Okasvi, with the last being the alias of Artturi Alm, the Finland-based hacker who received the 18 day sentence, which the British press are being described as "brought to justice" of which I am not quite so convinced.

    A fair few of your facts are wrong, but I still like the article.

    I'm at matthew@the-franchise-shop.com if you ever want to update this factually? (Warpigs, not Warpiglet, Warpiglet was just an alias for the bots to recognise)

    Cheers

    Matt


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.