Last Friday, on August 4, a jury in the US found Fabio Gasperini, an Italian citizen, guilty of building a botnet that he used to hijack remote servers and surreptitiously click on ads for his personal profits.
Bleeping Computer reported on Gasperini's arrest and extradition to the US earlier this year, at the end of April. Today, we're circling back to provide an account of the events of how Gasperini built his botnet and how an investigation by Forkbombus Labs led to a criminal complaint filed with the FBI, the botnet's downfall and subsequent arrests.
This whole story starts in September 2014, after the public disclosure of Shellshock (CVE-2014-6271), a vulnerability in the Unix Bash shell that allowed remote attackers to take over Internet-connected devices running a Bash shell.
Gasperini is one of the many cyber-criminals who jumped on the Shellshock exploitation train after the bug's public disclosure. Unlike others, Gasperini focused his efforts on exploiting Shellshock against a single product line: network-attached storage (NAS) devices manufactured by QNAP Systems, Inc., a Taipei-based hardware manufacturer.
Gasperini used automated scans to discover QNAP NAS devices exposed online on port 80 and exploited the Shellshock vulnerability to run code on each vulnerable device.
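Because the probes described above arrive over port 80 as ordinary HTTP requests, the Shellshock marker shows up in web-server logs, typically in the User-Agent or Referer header, which a CGI handler copies into the environment of a vulnerable Bash. The following scanner is an added example, not code from the article or from Forkbombus Labs; the log lines are constructed (tab-separated client IP, request line, User-Agent, Referer) and the detection rule is the well-known "() {" function-definition prefix from CVE-2014-6271.

```python
import re
from typing import Dict, List

# Constructed sample log (not from the article). Two of the four records carry
# the Bash exported-function prefix that CVE-2014-6271 turns into code execution
# when a CGI handler copies the header value into an environment variable.
SAMPLE_LOG = """\
203.0.113.5\tGET /cgi-bin/index.cgi HTTP/1.1\t() { :; }; echo vulnerable\t-
198.51.100.7\tGET /index.html HTTP/1.1\tMozilla/5.0 (X11; Linux x86_64)\t-
203.0.113.9\tGET /cgi-bin/status.cgi HTTP/1.1\tcurl/7.38.0\t() { _; } >_[$($())] { echo x; }
192.0.2.44\tGET /about.html HTTP/1.1\tcurl/7.38.0\thttp://example.com/
"""

# The prefix "() {" (any whitespace between the tokens) is the common marker of
# Shellshock probes, whatever payload follows it; it also covers the variant
# form used against the follow-on parser bugs.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def find_shellshock_attempts(log_text: str) -> List[Dict[str, str]]:
    """Scan tab-separated log lines and report every request whose
    User-Agent or Referer field contains the Shellshock marker."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 4:
            continue  # malformed record: skip it rather than abort the scan
        ip, request, user_agent, referer = fields
        for name, value in (("user_agent", user_agent), ("referer", referer)):
            if SHELLSHOCK_RE.search(value):
                hits.append({"client_ip": ip, "request": request,
                             "field": name, "value": value})
                break  # one report per request is enough
    return hits

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['client_ip']} {hit['request']} "
              f"via {hit['field']}: {hit['value']}")
```

Default Apache and nginx combined-format logs already record User-Agent and Referer, so the same rule can be applied to them after adjusting the field split; a hit against a patched device is a probe worth counting, a hit against an unpatched one is an incident.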
An analysis of the malicious code by researchers at Forkbombus Labs revealed the following capabilities:
A month after the disclosure of the Shellshock vulnerability, QNAP issued a security patch to protect customer devices against exploitation. Nonetheless, this didn't stop Gasperini's botnet from spreading.
According to a report provided to Bleeping Computer by Stu Gorton, co-founder and CTO of Forkbombus Labs, Gasperini's botnet spread to over 2,500 QNAP NAS devices across 70 countries.
While building his botnet, Gasperini made several rookie mistakes that allowed the Forkbombus Labs team to track down his real-world identity.
For starters, some of the domains he used in the click-fraud scheme were registered to "firstname.lastname@example.org", his personal Gmail address. In addition, the malware dev also used his "Gaspolo" nickname in the botnet infrastructure.
Gasperini's real name was never revealed via the domain registration data, but when researchers attempted to reset the attacker's Gmail account password, Google revealed Gasperini's name.
From here, it didn't take long for Forkbombus researchers to track down Gasperini's other online identities on sites such as Blogspot and Facebook. These profiles revealed a man with an interest in server administration and other advanced technical topics.
Forkbombus Labs gathered all the information it found on Gasperini and filed a criminal complaint with US authorities.
"Our researchers quickly identified long-standing related activity and the motivation behind these attacks," Gorton said regarding Gasperini's guilty verdict. "This allowed our users to quickly identify the appropriate response for this activity and their needs. Through our combined efforts with the FBI, we were able to engage in root cause remediation of this activity, preventing millions of attacks from affecting our clients and the internet as a whole."
Following a joint investigation by the FBI and the Dutch and Italian police, Dutch authorities arrested Gasperini on June 18, 2016, in Amsterdam, where he had moved from his hometown of Rome.
Following a raid, police said they found over €300,000 ($325,000) at his home. Other raids took place in Rome, Reggio Calabria, and Venice, where Gasperini's brother and four accomplices lived. The codename of this operation was HackinItaly.
Authorities also charged the other five with hacking and money laundering, but US officials requested only Gasperini's extradition, which was approved earlier this year in April. Gasperini was indicted and arraigned in a US court on April 21, and a jury trial followed.
Gasperini appears to have learned the technical skills to operate his botnet after he worked together with his brother as the technical staff of an online betting site.
Besides running the botnet to perform click-fraud, Gasperini later started renting traffic from the botnet to other sites. He invoiced these companies in his own name, but never for more than €5,000 per invoice, the threshold under which occasional freelancers in Italy don't have to apply VAT (value added tax).
Because occasional freelancers can't work for more than 30 days per calendar year, he used the personal tax codes of his brother and the other four accomplices to launder the money obtained from these contracts.
Authorities said they found over €300,000 ($350,000) at his home during the raid that led to his arrest, but they suspect Gasperini made much more than this.
Following last week's guilty verdict, a US judge yesterday, on August 9, sentenced Gasperini to one year in prison, a $100,000 fine, and one year of supervised release following incarceration.