PC World: Technology Advice You Can Trust
Today at PC World
News, opinion, and links from the PC World staff.
Thursday, October 13, 2005 2:29 PM PT Posted by Andrew Brandt

Botnet Authors Arrested in Netherlands

I realize this is old news, but I didn't want to let the week slip by without chalking up another win for the good guys: The creators and users of a 100,000-strong army of zombie PCs, which had been used to commit a number of serious crimes, were arrested last week by Dutch police, then arraigned in the town of Breda, about 25 miles from Rotterdam.

Police, working with the Netherlands' computer emergency response team and Dutch ISP XS4All, tracked down three men who used the botnet to engage in password theft, phishing, and extortion of online businesses--apparently under the threat of a distributed denial-of-service (DDoS) attack.

The trio, aged 19, 22, and 27 and not named, hail from small villages: Loon op Zand, Tilburg, and Rijswijk, respectively. They created and distributed a Trojan called (depending on who you ask) Toxbot or Codbot. The Trojan infected machines, installed spyware and adware, and could perform other tasks--like overloading Web servers through DDoS attacks--at the group's whim. The botnet also helped the group phish for usernames and passwords to PayPal accounts, which the group then used to buy things.

Prosecutors allege that the group may have written viruses for others. Antivirus companies have been watching Toxbot evolve since it was first discovered in February; the Trojan's authors constantly created new versions to defeat antivirus tools' ability to remove the Trojan from PCs. Police also said they suspect the trio wrote custom versions of the Trojan for other people, who bought the Trojan in order to steal information like passwords.

Police who searched the alleged cybercrime gang members' homes found a cache of evidence pointing to the trio's involvement in the crime spree: computers, documents, references to a bank account, a sports car, and lots of cash.

The MO of these crooks closely matches that of other botnet operators, which we detailed in the Web of Crime series. The group was highly organized, and engaged in a wide range of crimes, all enabled by their network of Trojan-infected PCs. We're all better off now that these jerks are in the pokey.