How the M00p Malware Gang Was Brought Down

A piece of malware from the M00p group showing their name embedded in the code. Courtesy of F-Secure

It’s rare that malware-writing crews get arrested for creating the tools that criminals use.

But a presentation at the Virus Bulletin conference in Spain this week described an extensive operation in which law enforcement agents worked successfully with the Finnish anti-virus firm F-Secure to catch two members of the M00p gang, makers of malware that allowed criminals to steal passwords and proprietary documents, remotely control web cams and commandeer computers for use as spambots.

Detective Constable Bob Burls of the Police Central e-Crime Unit in the United Kingdom described, along with F-Secure Chief Research Officer Mikko Hypponen, how “Operation Kennet” was ultimately able to identify two members of the M00p gang — Matthew Anderson and Artturi Alm — which operated from 2004 to 2006. The Finnish company F-Secure got involved in part because M00p crafted malware-infected e-mails that were designed to look like they came from F-Secure.

According to Sophos’ Graham Cluley, who attended the presentation, Burls came onto the case while investigating an intrusion at a hospital that was infected with a piece of M00p botnet malware. He discovered that the botnet communicated with a domain registered to one [email protected]. That address was soon linked to Anderson, a 33-year-old father of five from Scotland, and his company Opton-Security, which purported to be a computer security firm.

In a synchronized early-morning raid in 2006 by British and Finnish police, the two suspects were arrested. Anderson was caught logged in as administrator to the M00p IRC server when he was arrested, and Alm had an open IRC connection to M00p’s IRC channel.

Among the evidence police found on a computer seized from Anderson were incriminating chat logs and sinister images taken secretly of female victims whose webcams had been compromised. In one of the chat logs, the father of five was reportedly caught bragging to another hacker that he’d compromised a teenage girl’s PC and then snapped a picture of her with her webcam after she burst into tears upon discovering that her computer had been commandeered by him.

Alm turned out to be particularly daft at crime. He reportedly embedded his Social Security number in some of the malware the group distributed and also had an arm tattoo bearing the online nick he used to commit his crimes, “Okasvi.”

Despite evidence gathered from the computers and a confession, Alm was sentenced only to community service. Anderson got an 18-month jail sentence. Although the M00p operation was shut down, other members of the gang, reportedly from Canada, Finland, France, Italy, Kuwait, Scotland, and the U.S., remained at large.