How the FBI and Interpol trapped the world's biggest Butterfly botnet

The world's biggest criminal botnet, that has enslaved tens of millions of computers across 172 countries, now has a name: “Metulji," Slovenian for "butterfly." But even this monster butterfly could get netted.

Earlier this month, the FBI and Interpol conducted "Operation Hive," which resulted in the arrests of two Metulji operators in Bosnia and Slovenia.

But that may be just the beginning. Despite its mammoth size, the Metulji botnet has an Achilles heel that law enforcement and cyber security experts are exploiting: its criminal creator kept meticulous records of his customers.

RECOMMENDED: Epsilon security breach: 5 signs it's only the tip of the iceberg

Cheap to build, botnets are a stealthy, anonymous, nearly ideal criminal platform for Internet attacks against company websites. But they are even better at quietly stealing bank logons, passwords, credit card numbers, and social security numbers, says Karim Hijazi, CEO of Unveillance, the Wilmington, Del., botnet tracking company that discovered Metulji.

"We're already pretty sure this botnet has stolen credentials that resulted in thefts totaling in the millions of dollars," says Mr. Hijazi. "We still don't know how many computers are part of this botnet yet. But we expect to have a pretty good idea before long."

The creator of the sophisticated software kit – who made his money by selling it to those who wanted to build their own botnets – kept careful track of his customers’ criminal nicknames, Mr. Hijazi says. His “Butterfly Bot Kit” was also used to create the infamous Mariposa botnet, another gigantic botnet that at one point in 2009 had 12 million computers in 100 nations under its spell.

Just two years later, Mariposa has been neutralized by law enforcement – in large part by tracking down the purchasers of the software.

"The key here is that during the Mariposa case we discovered the licensing mechanism inside the Butterfly framework," says Luis Corrons, technical director of Panda Labs, whose company is assisting in the analysis of the new botnet. "These licenses are in the form of bot master nicknames, which are ... tied to the sales made to all bot masters who purchased a Butterfly botnet."

The Metulji botnet was created with a more advanced version of the Butterfly Bot Kit – but it, too, keeps purchase records. Since the Butterfly framework creator was arrested and his computers confiscated, it is "safe to assume" that law enforcement has "very good insight into who is running ANY Butterfly-based botnet out there," Mr. Corrons writes in an e-mail

Oddly, despite a number of Mariposa-linked arrests last year in Spain and Slovenia, bot masters are still depending on the Butterfly framework to run their Metulji botnets.

"Obviously, those bot masters are either not concerned about going to jail or just plain stupid," Corrons adds.

RECOMMENDED: Gmail breach: Eight tips to protect your e-mail account