Spanish cops have arrested three people they suspect of building and running the “Mariposa” botnet, and it looks like they were tracked down through dynamic DNS services.
Mariposa spread into 190 countries and had 12.7 million infected PCs on it, according to this PDF report from Defence Intelligence. Over half of the Fortune 1000 were compromised.
According to the AP, “the suspects used Internet services that wound up cooperating with investigators”.
Critically, one suspect also made direct connections from his own computer to try to reclaim control of his botnet after authorities took it down around Christmas. Investigators were able to identify him based on that traffic. They were able to back up their claims with records from domains he registered where he would eventually host malicious content.
It’s safe to assume we’re not talking about a basic Whois lookup here. It seems much more likely that Mariposa’s use of command and control centres addressed via dynamic DNS services was the suspects’ undoing.
According to Defence Intelligence’s report, the C&C bots were addressed using subdomains on No-IP.com, SinIP.es, and GetMyIP.com, all dynamic DNS services offered respectively by Vitalwerks, cdmon.com and DynDNS.com. The Spanish service was most heavily favoured.
While dynamic DNS services have plenty of perfectly legitimate uses, they’ve been favoured by botnet controllers for years due to the ease of quickly changing IP addresses as botted machines are cleaned up.
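From the defender's side, the same property that makes dynamic DNS attractive to a botnet operator (a C&C name whose IP keeps moving) is something you can look for in your own resolver logs. The script below is an added example, not code from the article or from Defence Intelligence: it walks constructed DNS log lines, picks out names under the three dynamic DNS base domains the report names, and flags any name whose answer IP changed across the log. The log format is assumed (timestamp, client, queried name, answer IP).

```python
import re
from collections import defaultdict

# Dynamic DNS base domains named in the Mariposa report.
DDNS_BASE_DOMAINS = {"no-ip.com", "sinip.es", "getmyip.com"}

# Constructed sample resolver log (not real Mariposa traffic), assumed format:
# <timestamp> <client IP> <queried name> <answer IP>
SAMPLE_LOG = """\
2009-12-20T10:00:01 10.0.0.5 update.example.com 203.0.113.10
2009-12-20T10:00:05 10.0.0.5 butterfly.sinip.es 198.51.100.7
2009-12-20T11:30:09 10.0.0.9 butterfly.sinip.es 198.51.100.44
2009-12-20T13:02:33 10.0.0.5 butterfly.sinip.es 192.0.2.99
2009-12-20T13:10:00 10.0.0.7 files.no-ip.com 203.0.113.55
2009-12-20T14:00:00 10.0.0.7 files.no-ip.com 203.0.113.55
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def ddns_base(name):
    """Return the dynamic DNS base domain a hostname sits under, or None.
    Only strict subdomains count; a query for the bare provider domain is ignored."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_BASE_DOMAINS:
            return candidate
    return None


def find_ddns_hosts(log_text, min_distinct_ips=2):
    """Group DDNS-hosted names by their answer IPs and querying clients.
    A name is marked fast_changing once it has resolved to min_distinct_ips addresses."""
    answers, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, client, qname, answer = m.groups()
        if ddns_base(qname) is None:
            continue
        answers[qname].add(answer)
        clients[qname].add(client)
    return {
        name: {"provider": ddns_base(name), "ips": sorted(answers[name]),
               "clients": sorted(clients[name]),
               "fast_changing": len(answers[name]) >= min_distinct_ips}
        for name in answers
    }
```

A hit is a lead, not a verdict: legitimate dynamic DNS users also change addresses, so the flagged names and the clients querying them are what you pivot on next.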