International authorities, with some help from Facebook, have arrested 10 people accused of operating a network of infected computers that stole personal information from millions of victims.
The Justice Department said Tuesday night that the F.B.I. and international agencies were helped in their investigations by Facebook, whose users were among those targeted by the malware, or malicious software, over the last several years.
The agencies arrested people from Bosnia and Herzegovina, Britain, Croatia, Macedonia, New Zealand, Peru and the United States, the F.B.I. said.
The suspects used a chain of infected computers to form what was known as the Butterfly botnet, which spread a piece of malicious software called Yahos, officials said. Versions of the software have long been trafficked among criminals who spread it over social networks and by other means, compromising the security of infected PCs and letting criminals steal personal data, including credit card numbers.
In a statement, the Justice Department said variants of this kind of software had infected about 11 million computers and caused more than $850 million in losses. A Justice Department official said those figures referred to the cumulative damage from the long-running problem, not a measure of the damage done by the people who were arrested.
Mark Hammell, Facebook’s Internet threat researcher, said the company had begun investigating suspicious behavior on its service two years ago. The malware had hijacked some users’ accounts and posted links on their friends’ Facebook pages. A person who clicked on those links could download the software and infect his computer.
Facebook’s researchers reverse-engineered the software to understand how it worked, and eventually traced some of its activities to computer servers controlled by the suspects. That helped Facebook determine the identities of some of the people involved in the crime ring, Mr. Hammell said.
“We realized we didn’t have the ability to stop it completely, and at that point, we decided the best response was to escalate this to law enforcement,” he said in an interview. Two of the people who were arrested were the original authors of the malware, he noted. Facebook said its users made up only a small percentage of those who were infected.
Security firms and social networks are generally on the lookout for this particular form of malware, and software to detect and eliminate it has been available for years. The Justice Department urged computer users to take common-sense measures, like antivirus scanning, to guard against the risk of infections, and said people who suspect they have been victimized should file a complaint with the F.B.I.’s Internet crime complaint center at ic3.gov.
Facebook said users who were concerned about being infected could check their computers at on.fb.me/infectedMSE. The malware does not infect Apple computers, Facebook said.
Manos Antonakakis, director of academic research at Damballa, a company that specializes in fighting botnets, said the size of the Butterfly botnet was significant. It was more than double the size of the last major botnet that authorities took down last November, one that used a piece of malware called DNSChanger that had infected an estimated four million computers.
“This is a major achievement for law enforcement,” he said, “and we look forward to many things like this, so we can effectively tackle emerging botnets out there.”
But Dr. Antonakakis said the estimate of 11 million infected machines was probably high, because a computer could be counted as a new device each time it connected to a different network, like the Wi-Fi at a Starbucks or a home router.
The $850 million figure may also be high given that credit card companies typically wipe out fraudulent charges.
Peter G. Neumann, principal scientist at SRI International, an engineering research laboratory, was less excited about the arrests. He said that defeating this particular botnet did not solve the fundamental problem of computer security being too weak. Anybody could easily take the same software and create the botnet again, he said.
“You’re solving a problem that wouldn’t exist if the systems were designed properly,” he said.