Two Mexican botnets taken down

A week ago, Trend Micro was alerted to a phishing attack that was aimed at Spanish-speaking users and was discovered to be originating from a Mexican botnet.

The attack was using the news of a missing girl and her violent death to try to get the visitors to download a video. Of course, the video in question was no such thing, but a client program of a bot.

Searching deeper, Trend Micro researchers managed to access the botnet’s C&C center, and discover – and publish – details about its management functions and interface, and get a good look into what this botnet was able to do. They found out that it was also responsible for downloading malware (Zbot information stealers and fake AVs) on the target computers, and for targeting users with phishing attacks that impersonated PayPal’s site and that of the largest bank in Mexico. Finally, they named it Tequila botnet.

Since then, the Tequila botnet has been taken down – surprisingly enough, by its owners. The researchers speculate that the reason behind this decision was the fact that they have exposed the proxy servers and hosts.

The bot herders simply made the bots stop their phishing attacks, and as of Monday, its C&C server was taken offline – along with another one that presided over another botnet (dubbed Mariachi) run by the same people. This second one seems to have been taken offline by the hosting provider.

Three days later, the C&C servers are still down. Trend Micro will continue to monitor the bots for any sign of activity.