PandaLabs Blog everything you need to know about Internet threats

Mariposa Stats

One of the most interesting things to study, in order to know how the bot behind Mariposa has been spreading, is the geographical distribution of the infections. Unlike other cases, the Mariposa Working Group stats don’t come from scanning PCs. In order to prevent the DDP Team from controlling Mariposa, we managed to change the DNS of the C&C servers, so all the bots were redirected to a sinkhole. That’s when we realized for the first time how huge the botnet was. We were able to see the IP addresses of each and every bot that was trying to reach the C&C server to receive instructions. As you know, the number of IPs is not equivalent to the number of computers: one computer can use multiple IP addresses, and many computers can share just one IP address (this usually happens in companies that connect to the Internet through a proxy server).
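How the sinkhole figures are derived, as an added example that is not the Mariposa Working Group’s tooling: it deduplicates check-ins to distinct IPs, maps each IP to a location and ranks locations the way the tables in this post do. The log format, the prefix-based location lookup and the sample check-ins are all constructed.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed sinkhole log, one check-in per line: "<timestamp> <source ip>".
# 10.0.0.7 checks in three times (one chatty host, or many hosts behind a
# proxy): it still counts as a single IP address, which is the caveat above.
SINKHOLE_LOG = """\
2010-01-10T08:00:01 10.0.0.7
2010-01-10T08:00:02 10.0.1.9
2010-01-10T08:00:03 10.0.0.7
2010-01-10T08:00:04 192.0.2.44
2010-01-10T08:00:05 198.51.100.3
2010-01-10T08:00:06 10.0.0.7
malformed line that a real log would not contain
2010-01-10T08:00:07 203.0.113.12
2010-01-10T08:00:08 192.0.2.45
""".splitlines()

# Constructed stand-in for a GeoIP database: address prefix -> (city, country).
GEO = {
    "10.0.0.": ("Seoul", "KOREA"),
    "10.0.1.": ("Seoul", "KOREA"),
    "192.0.2.": ("Bombay", "INDIA"),
    "198.51.100.": ("New Delhi", "INDIA"),
    "203.0.113.": ("Mexico", "MEXICO"),
}


def locate(ip):
    """Crude prefix lookup; a real deployment would query a GeoIP database."""
    for prefix, location in GEO.items():
        if ip.startswith(prefix):
            return location
    return ("unknown", "unknown")


def checkins(lines):
    """Yield (timestamp, ip) for every well-formed check-in, skipping junk."""
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip_address(parts[1])
        except ValueError:
            continue
        yield parts[0], parts[1]


def unique_ips(lines):
    """Distinct source addresses: the figure the post's tables are built from."""
    return {ip for _, ip in checkins(lines)}


def tally(lines, level):
    """Rank locations by distinct IPs; level 0 = city, level 1 = country.
    Returns [(name, ip_count, percent_of_all_ips)], largest first."""
    ips = unique_ips(lines)
    counts = Counter(locate(ip)[level] for ip in ips)
    total = len(ips)
    return [(name, n, round(100.0 * n / total, 2))
            for name, n in counts.most_common()]


if __name__ == "__main__":
    print("check-ins:", sum(1 for _ in checkins(SINKHOLE_LOG)),
          "distinct IPs:", len(unique_ips(SINKHOLE_LOG)))
    for name, n, pct in tally(SINKHOLE_LOG, 1):
        print(f"{name:<10} {pct:>6.2f}% {n:>5}")
```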

Before gathering all the information, my guess was that most of the bots would be in the US, some countries in Western Europe, and some in Asia (Japan, China). However, I was totally wrong. Here you can see a map; the darker the color, the bigger the number of IPs:

[Image: Mariposa World Map]

As you can see, there are infections in almost every country around the world. These are the 20 cities with the most Mariposa bots worldwide:

 #   City             % of IPs   IPs
 1   Seoul            5.36%      761,444
 2   Bombay           4.45%      631,927
 3   New Delhi        4.27%      605,518
 4   Mexico           3.89%      551,705
 5   Bogotá           2.68%      380,487
 6   Lima             1.98%      281,103
 7   Kiev             1.68%      238,611
 8   Bangalore        1.39%      197,699
 9   Islamabad        1.24%      176,049
10   Tehran           1.23%      174,455
11   Kuala Lumpur     1.16%      164,986
12   Madras           1.11%      157,070
13   Santiago         1.03%      145,838
14   Cairo            1.01%      143,187
15   Hyderabad        0.82%      116,352
16   Santo Domingo    0.75%      106,538
17   Rio De Janeiro   0.75%      106,066
18   Riyadh           0.72%      101,797
19   Medellín         0.65%       92,433
20   Dubai            0.63%       89,494

I have tried to represent all the cities on the world map, but drawing 31,901 different cities and towns is somewhat complicated ;-)

[Image: Mariposa World Map, Cities]

These are the top 10 countries:

[Image: Top 10 countries, Mariposa]

And the detail of the top 20 countries:

 #   Country                % of IPs   IPs
 1   INDIA                  19.16%     2,717,812
 2   MEXICO                 12.86%     1,824,495
 3   BRAZIL                  7.75%     1,099,058
 4   KOREA                   7.25%     1,027,958
 5   COLOMBIA                4.94%       700,680
 6   RUSSIA                  3.14%       445,293
 7   EGYPT                   3.00%       424,984
 8   MALAYSIA                2.86%       406,129
 9   UKRAINE                 2.69%       381,975
10   PAKISTAN                2.55%       362,152
11   PERU                    2.42%       342,876
12   IRAN                    2.07%       293,673
13   SAUDI ARABIA            1.85%       262,465
14   CHILE                   1.74%       246,941
15   KAZAKHSTAN              0.00%       196,383
16   UNITED ARAB EMIRATES    0.00%       163,440
17   MOROCCO                 0.00%       160,059
18   ARGENTINA               0.00%       156,870
19   UNITED STATES           0.00%       148,818
20   BELARUS                 0.00%       139,056


Vodafone distributes Mariposa-like bot

Pedro Bustamante has just published a new post in the Panda Research blog about a Mariposa-like bot shipped as a special gift in a new HTC phone distributed by Vodafone. For the same price you can be infected with two other ‘gifts’: Conficker and Lineage :(

Read the full story in Panda Research blog:

http://research.pandasecurity.com/vodafone-distributes-mariposa/


The Thousand-Faced Rogue

We want to inform you of a new flood of email messages that seem to contain a postcard but are actually distributing malware. Specifically, we’ve seen several thousand in a few hours.

It’s not the first time we have seen emails like this in circulation; subjects such as “You’ve received a postcard” are very common.

The message is like the following:

[Image: postcardzip_en]

The message seems to have been sent by a member of your family through a legitimate postcard website, so that users don’t suspect anything. In order to view the postcard, you have to open the attached file. It is a zip archive, and if you run its contents a rogueware program is installed on your computer. Which one depends on the message and on the operating system you have.

The following are some of the names of the fake antivirus programs that can be installed on your computer if you run this file:

  • % Antispyware 2010
  • Antivirus % 2010
  • % Guardian 2010
  • % Guardian
  • % Defender 2010
  • % Antivirus
  • % Antivirus 2010
  • % Antivirus Pro
  • % Antivirus Pro 2010
  • % Internet Security
  • % Internet Security 2010

where % stands for the operating system of the computer in which it is going to be installed. Some examples: XPAntispyware2010, Vista Guardian, Win 7 Antivirus Pro.
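A name-family matcher for the rogue names listed above, added here as an example and not part of the PandaLabs post: it expands the templates with an assumed list of Windows version tokens and normalizes spacing and case so that the variants the post mentions (XPAntispyware2010, Vista Guardian, Win 7 Antivirus Pro) all match. A name match is only a triage hint, since the rogue can be renamed at will.

```python
import re

# Name templates quoted in the post; '%' stands for the victim's Windows version.
TEMPLATES = [
    "% Antispyware 2010", "Antivirus % 2010", "% Guardian 2010", "% Guardian",
    "% Defender 2010", "% Antivirus", "% Antivirus 2010", "% Antivirus Pro",
    "% Antivirus Pro 2010", "% Internet Security", "% Internet Security 2010",
]
# Assumed (constructed) list of OS tokens substituted for '%'.
OS_TOKENS = ["XP", "Vista", "Win 7", "Windows 7"]


def normalize(name):
    """Lowercase, drop a trailing .exe and strip everything but letters and
    digits, so 'XPAntispyware2010', 'XP Antispyware 2010' and
    'xp_antispyware_2010' all compare equal."""
    name = re.sub(r"\.exe$", "", name.lower())
    return re.sub(r"[^a-z0-9]", "", name)


# Expand every template with every OS token once, up front.
ROGUE_NAMES = {normalize(t.replace("%", os)) for t in TEMPLATES for os in OS_TOKENS}


def is_rogue_name(name):
    """True when a process or window name belongs to the template family."""
    return normalize(name) in ROGUE_NAMES


def flag(names):
    """Return the subset of names that match the rogue family."""
    return [n for n in names if is_rogue_name(n)]


if __name__ == "__main__":
    # Constructed sample process list.
    print(flag(["firefox.exe", "XPAntispyware2010",
                "Win 7 Antivirus Pro.exe", "notepad.exe"]))
```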

Let’s take Antivirus XP 2010 as an example and see what it does once it has been installed on the computer.

Like every rogueware program, it starts by scanning the system to check whether the computer is infected.

Once finished, it displays a list of the malware it has supposedly detected on your computer, to make you believe that you’ve got a problem and that this program will offer you the solution:

[Image: AntivirusXP2010]

However, all the malware it reports refers to non-existent files, so the only real threat on the computer is the rogue itself.

Additionally, it prevents the execution of programs whose window title refers to any of the following:

  • Firefox
  • Several security suites

When you try to run any of these, a message is displayed informing you that the program is infected and recommending that you install the fake antivirus to solve the problem.

The following image shows the message displayed when Firefox is run:

[Image: Firefox_infected]

It also contains code to uninstall different security solutions, so that the computer is left unprotected and real antivirus programs cannot detect it.

Update:

When browsing with Internet Explorer, from time to time it displays the following page, warning you that the website you are about to access is dangerous:

[Image: AdwareAntivirusXP2010_img8]

You can get more information about this rogue at the following link:

http://www.pandasecurity.com/homeusers/security-info/217799/AntivirusXP2010


Mariposa botnet

[Image: Mariposa]

In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed “Mariposa”. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record.

Initial steps involved the creation of the Mariposa Working Group (MWG), comprising Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with other international security experts and law enforcement agencies. The aim was to set up a task force to eradicate the botnet and bring the perpetrators to justice.

Once all the information had been compiled, the primary aim was to wrest control of the network from the cyber-criminals and identify them. Having located the Command & Control (C&C) servers from which commands were sent to the network, we were able to see the types of activities the botnet was being used for. These mainly involved renting out parts of the botnet to other criminals, stealing confidential credentials from infected computers, manipulating the results shown in search engines (such as Google), and displaying pop-up ads.

The aim, in all cases, was clearly to profit from the botnet. The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team – Nightmare Days Team in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.

Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.

On December 23 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.

Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots under his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.

Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.

On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator”. Both of them were arrested on February 24, 2010.

Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries. Christopher Davis, CEO of Defence Intelligence, illustrates the significance of these infections: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were.”

Data stolen includes bank account details, credit card numbers, user names, passwords, etc. The digital material seized during the arrest of Netkairo, one of the members of the DDP Team, included stolen data belonging to more than 800,000 users.

The investigation is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are already estimated to be in the millions of dollars.

Analysis of Netkairo’s hard disks by the police is revealing a complex network of suppliers offering a range of services including hacking of servers to be used as control servers, encryption services to make the bots undetectable to antiviruses, anonymous VPN connections to administer the botnet, etc.

There is also a similarly complex network of clients, prepared to rent part of the botnet, to buy stolen credit cards, or pay for the installation of toolbars. The gang also stole directly from bank accounts, using money mules in the United States and Canada, and laundered money through online poker games.

Among other activities, Panda has been contacting other IT security companies to provide access to samples of the bots so that we can all detect them. So, if you want to know whether you are infected with the bot, just scan your computer with a reliable and up-to-date antivirus solution.

During these days many people have been asking me on Twitter for an easy way to check whether their computers are infected. If you want, you can use CloudAntivirus (free), or if you are already using an antivirus you can just scan your system with our free online scanner ActiveScan, which can detect and disinfect the Mariposa samples as well as many other threats.


Rogueware competing with Panda

Last week we talked about a rogueware program that deliberately imitated Microsoft’s free antimalware protection, Security Essentials; today we’re going to show you a program that imitates Panda Security’s products, site, logo, etc.

You have probably played the “Find the differences” game at some point; it consists of finding the differences between two similar pictures.

Well, now I want you to play the opposite game: find the correspondences between two apparently different pictures.

The pictures we’re going to compare are taken from our website and the rogueware’s website.

Let’s have a look at both of them:

Panda’s website:

[Image: Panda2010]

Rogueware’s website:

[Image: Antivir2010]

Well, they really look alike, don’t they? However, we must admit that this rogueware has not copied us completely, as it has taken its name (Antivir) from another antivirus company, Avira.

This is just another trick they use to deceive users and make them think these programs are reliable.


Deceiving Flash Player Update

Today our lab has detected a flood of spam messages that contain a malicious link from which malware is downloaded. We’ve seen more than 8,000 in a few hours.

These emails have the following subjects:

  • Fw:
  • FW:
  • Re:
  • RE:FW:
  • Re:Fw:
  • RE:

The content of these messages is just a link to a website. The following are some examples:

  • http://anonym<blocked>files.reda.co.kr/archive0714/?id=email@domain.com
  • http://archiv<blocked>edv.kr/archive0714/?id=email@domain.com
  • http://filearch<blocked>redb.or.kr/archive0714/?id=email@domain.com
  • http://files.re<blocked>co.kr/archive0714/?id=email@domain.com
  • http://files4friend<blocked>s1e3eq.co.uk/archive0714/?id=email@domain.com
  • http://incogni<blocked>reda.ne.kr/archive0714/?id=email@domain.com
  • http://postca<blocked>yrxc.kr/archive0714/?id=email@domain.com
  • http://secretarc<blocked>redn.kr/archive0714/?id=email@domain.com
  • http://secretfi<blocked>yrxo.co.kr/archive0714/?id=email@domain.com
  • http://sendsp<blocked>yrxs.co.kr/archive0714/?id=email@domain.com

If you click the link included in the message, you’ll be redirected to a website that requires you to download and install a fake Flash Player update in order to view the website:

[Image: FlashPlayer]

If you click the icon “Get Macromedia Flash Player”, a file called UPDATE.EXE will be downloaded to the computer. This file is not the latest version of Flash Player but a Trojan detected as Sinowal.WWY, which is designed to obtain information, like passwords, usernames or other confidential information.

Pay attention to the emails you receive in your inbox and if any of them is like this, just delete it.


Teaching Some Security. Asking for help!

After yesterday’s epic fail (I’m still laughing) it’s time to do something about user education. I often wonder what the best approach to education is, and even though writing white papers and all that kind of serious stuff is useful, the average Joe user won’t ever read it. And that’s a fact.

So we could explore different approaches, and humor is one thing that can be used to raise awareness. Some weeks ago I came across a Flash animation that lets you enter some text that will appear on Bart’s school blackboard. So I started my “security lessons”, publishing one per day on Twitter. After more than two weeks I’ve received good feedback, so I will continue with these lessons. These are the ones I’ve published so far:

[Images: Lessons 1 to 10, as shown on Bart’s school blackboard]

If you like the idea and want to help, just send me a message through Twitter or leave a comment on this post (yes, I’ve finally opened the comments section ;-)) with the phrase you would like to see on Bart’s school blackboard.


The biggest case of user failure in history?

A few days ago I came across one of the most hilarious and pitiful stories I have recently read. I couldn’t stop laughing, and still have a laugh now and then on recalling it. Let me share it with you so we can laugh together. It all began when the ReadWriteWeb blog heard about the deal between Facebook and AOL, and wrote a blog post about it. A Facebook icon like the one below was added at the beginning of the post:

[Image: facebook_logo]

Everything was running as usual until Mike Melanson, the author of the post, detected unusual activity. He had had more visits to that post in a single hour than on any other day. Even the number of comments had increased massively. Everything seemed clear at that point: they were being attacked by spammers or were undergoing a DoS attack aimed at blocking the blog. Or so it seemed. However, on reading the comments, they seemed to have a common subject. The comments below are real comments, copied directly from the post:

- Ok If I have to I will comment,I love facebook so right now just want to log in if thats ok with you..lol Keep up the good work…
- ok cool now can I get to facebook
- The new facebook sucks> NOW LET ME IN.
- when can we log in?
- I WANT THE OLD FAFEBOOK BACK THIS SHIT IS WACK!!!!!
- just want to get on facebook
- please give me back the old facebook login this is crazy……………..
- I just want to log in to Facebook – what with the red color and all? LOLLLOLOL!!!!!111
- I was just learning,why would you mess it up?
- What is going on? You are totally confusing me. Knock-knock. Anybody there? Let me in.
- All I want to do is log in, this sucks!!!!!!!!!!!!!!!!!1
- LIKED THE OLD FACEBOOK SING IN………….
- This is such a mess I can’t do a thing on my facebook .The changes you have made are ridiculous,I can’t even login!!!!!I am very upset!!!

Comment number 50 was different and read:

- This is what happens when people use Google to enter sites instead of typing it on their address bar… Damn you all Farmville users…

What had happened? When searching for “Facebook Login” on Google, the second result returned was this post. Thousands of users, apparently unable to type www.facebook.com into their browsers, had gone to Google in order to access the largest social network in the world, typed “facebook login” and clicked the link nearest to the mouse cursor.

Having read this, let us laugh, shake hands and cry. Will we ever manage to train users? So far, the ReadWriteWeb post has almost 2,000 comments, and they have updated the blog post with this text:

Dear visitors from Google. This site is not Facebook. This is a website called ReadWriteWeb that reports on news about Facebook and other Internet services. You can however click here and become a Fan of ReadWriteWeb on Facebook, to receive our updates and learn more about the Internet. To access Facebook right now, click here. For future reference, type “facebook.com” into your browser address bar or enter “facebook” into Google and click on the first result. We recommend that you then save Facebook as a bookmark in your browser.

The story told by Mike is available at http://www.readwriteweb.com/archives/how_google_failed_internet_meme.php


Rogueware competing with Microsoft

Today we’re going to talk about a rogueware program. To be honest, we’re fed up with seeing these programs every day, because it’s always the same stuff: the same interfaces, the same icons, the same behaviour… and just another name.

As you know, these programs try to deceive you by passing themselves off as real antivirus programs that will protect and disinfect your computer. Nothing could be further from the truth.

Nevertheless, we feel obliged to inform you and warn you of these programs, because we don’t want you to fall into the trap.

Recently, we’ve found a new rogueware which uses a very similar name to Microsoft’s free antimalware protection: Security Essentials.

Actually, this rogueware program is called Security essentials 2010. The choice of name is not accidental but carefully thought out. It just wants to gain your trust and make you think that your computer is really infected and that it will remove the threats detected on your computer.

The following image shows the interface of the program:

[Image: AdwareSecurityEssentials2010_img2]

Like other rogueware programs, it carries out a system scan and warns you that your computer is infected and that you should install a removal tool to disinfect it.

If you want more information about this rogueware, see the following link:

http://www.pandasecurity.com/homeusers/security-info/218061/SecurityEssentials2010


Amazon and Greeting cards to distribute malware

We want to inform you of two different email messages we’ve been receiving lately in the lab in order to distribute malware designed to steal information.

One of them seems to have been sent by Amazon and informs you that they have received your payment and your order has already been sent. To check your tracking number, you are told to look at the attached document.

These messages have the following characteristics:

  • Subject:
    Amazon Shop!
    Your order has been paid! Parcel NR.XXXX (XXXX are random digits)
  • Message:
    The content of the message is always the same, except for the item that has been ordered. We’ve detected emails using the following gadgets, among many others: Sony VAIO VGC-JS230J, Apple iPhone 3G and Nokia E65.

    The following is an example:
    Hi! Thank you for shopping at Amazon.com We have successfully received your payment. Your order has been shipped to your billing address. You have ordered ” Sony VAIO VGC-JS230J “ You can find your tracking number in attached to the e-mail document. Print the postal label to get your package. We hope you enjoy your order! Amazon.com

  • Attachment: Postal_package_NRXXX.zip (XXX stands for random digits)

The attached file contains a copy of the malware, which has been detected as Sinowal.WVI.

The other type of emails uses a very typical bait to trick users: greeting cards. We’ve received nearly 5,000 messages in the last three days.

The message is simple: someone has sent you a greeting card and to view it, you have to click the link included in the message.

If you follow the link, your computer will be infected by malware that is designed to obtain confidential information.

The message is like the following:

[Image: greeting_card_en]

As you can see, there is a spelling mistake at the end of the message: instead of “available”, it says “aviailable”. This is one of the typical clues that can help you to distinguish between a real message and a fake one.

Be careful with these types of messages, and if you receive one like any of those mentioned above, ignore it.
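A mail-filter rule for the two lures this blog describes, the “archive0714” links of the fake Flash Player update post (every link ends in /archive0714/?id= followed by the recipient’s address) and the fake Amazon order notice above (subject “Your order has been paid! Parcel NR.<digits>” plus a Postal_package_NR<digits>.zip attachment). Added example, not PandaLabs’ detection; the sample messages are constructed with documentation domains and made-up digits, and the rules cover only the indicators the posts state.

```python
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Subject and attachment pattern of the fake Amazon notice (digits vary).
AMAZON_SUBJECT_RE = re.compile(r"Your order has been paid! Parcel NR\.\d+")
POSTAL_ZIP_RE = re.compile(r"^Postal_package_NR\d+\.zip$", re.IGNORECASE)


def archive_links(body):
    """URLs whose path is /archive0714/ and whose id= value is an e-mail
    address, as in every link the Flash Player post lists."""
    hits = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        ids = parse_qs(parsed.query).get("id", [])
        if parsed.path.rstrip("/") == "/archive0714" and any(
                EMAIL_RE.match(i) for i in ids):
            hits.append(url)
    return hits


def classify(msg):
    """msg is {'subject': str, 'body': str, 'attachments': [filenames]}.
    Returns the names of the lures the message matches (empty = no match)."""
    reasons = []
    if archive_links(msg.get("body", "")):
        reasons.append("archive0714-link")
    if AMAZON_SUBJECT_RE.search(msg.get("subject", "")) and any(
            POSTAL_ZIP_RE.match(name) for name in msg.get("attachments", [])):
        reasons.append("fake-amazon-order")
    return reasons


# Constructed sample messages (documentation domains, made-up digits).
SAMPLES = [
    {"subject": "Fw:",
     "body": "http://files.example.org/archive0714/?id=alice@example.com",
     "attachments": []},
    {"subject": "Your order has been paid! Parcel NR.4821",
     "body": "Hi! Thank you for shopping at Amazon.com ...",
     "attachments": ["Postal_package_NR4821.zip"]},
    {"subject": "Re: lunch",
     "body": "see http://www.example.net/archive0714/?id=42",
     "attachments": ["menu.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(repr(msg["subject"]), "->", classify(msg) or "clean")
```

The third sample shows the caveat: the path alone is not enough, the id= value must be an address, otherwise ordinary links on an unrelated site would be flagged.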
