Mariposa botnet

Mar 3

In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed “Mariposa”. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record.

Initial steps involved the creation of the Mariposa Working Group (MWG), comprising Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with other international security experts and law enforcement agencies. The aim was to set up a task force to eradicate the botnet and bring the perpetrators to justice.
Once all the information had been compiled, the primary aim was to wrest control of the network from the cyber-criminals and identify them. Having located the Command & Control (C&C) servers from which commands were sent to the network, we were able to see the types of activities the botnet was being used for. These mainly involved renting out parts of the botnet to other criminals, stealing confidential credentials from infected computers, manipulating the results shown by search engines (Google, etc.), and displaying pop-up ads.

The aim, in all cases, was clearly to profit from the botnet. The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team – Nightmare Days Team in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.

Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.

On December 23, 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to regain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.

Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.
Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.
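The count described above comes from the sinkhole: once the C&C DNS records point at infrastructure the working group controls, every bot check-in is logged and the distinct source addresses can be counted. The script below is an added illustration of that measurement, not the Mariposa Working Group's or Panda's own tooling; the log format ("timestamp client_ip", one line per check-in) and the sample lines are constructed. It also makes the caveat a practitioner needs when reading a figure like "12 million IP addresses": a sinkhole counts addresses, not machines, so NAT hides many hosts behind one IP and DHCP churn shows one host under several.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole check-ins (not real Mariposa traffic).
# Note 203.0.113.7 reporting three times on one day (one host beaconing,
# or several behind NAT) and 198.51.100.20 reporting on two days.
SINKHOLE_LOG = """\
2009-12-23T10:00:01 203.0.113.7
2009-12-23T10:00:02 203.0.113.7
2009-12-23T10:00:05 198.51.100.20
2009-12-23T11:30:00 203.0.113.7
2009-12-24T09:15:00 192.0.2.44
2009-12-24T09:15:30 198.51.100.20
2009-12-24T09:16:00 198.51.100.21
"""


def parse_checkins(text):
    """Yield (date, ip) pairs from sinkhole log lines; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when.date(), parts[1]


def unique_ips_per_day(text):
    """Distinct client IPs seen on each day: the raw sinkhole size metric."""
    per_day = defaultdict(set)
    for day, ip in parse_checkins(text):
        per_day[day].add(ip)
    return {day.isoformat(): len(ips) for day, ips in sorted(per_day.items())}


def unique_ips_total(text):
    """Distinct IPs over the whole capture: counts addresses, not hosts."""
    return len({ip for _, ip in parse_checkins(text)})


def checkins_total(text):
    """Raw check-ins; always >= distinct IPs because bots beacon repeatedly."""
    return sum(1 for _ in parse_checkins(text))


if __name__ == "__main__":
    print(unique_ips_per_day(SINKHOLE_LOG), unique_ips_total(SINKHOLE_LOG))
```

Summing the per-day figures double-counts addresses seen on more than one day, which is why a botnet size should be quoted as distinct IPs over a stated window rather than as a sum of daily counts.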
On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator”. Both of them were arrested on February 24, 2010.

Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries. Christopher Davis, CEO of Defence Intelligence, illustrates the significance of these infections: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were.”

Data stolen includes bank account details, credit card numbers, user names, passwords, etc. The digital material seized during the arrests of Netkairo and the other members of the DDP Team included stolen data belonging to more than 800,000 users.

The investigation is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are already estimated to be in the millions of dollars.

Analysis of Netkairo’s hard disks by the police is revealing a complex network of suppliers offering a range of services including hacking of servers to be used as control servers, encryption services to make the bots undetectable to antiviruses, anonymous VPN connections to administer the botnet, etc.

There is also a similarly complex network of clients, prepared to rent part of the botnet, to buy stolen credit cards, or pay for the installation of toolbars. The gang also stole directly from bank accounts, using money mules in the United States and Canada, and laundered money through online poker games.

Among other activities, Panda has been contacting other IT security companies to provide access to samples of the bots so that we can all detect them. As such, if you want to know if you are infected with the bot, just scan your computer with a reliable and up-to-date antivirus solution.

Over the past few days many people have been asking me on Twitter for an easy way to check whether their computers are infected. You can use CloudAntivirus (free), or if you already use an antivirus you can simply scan your system with our free online scanner ActiveScan, which can detect and disinfect the Mariposa samples as well as many other threats.

Comments

  1. How do I check whether I am not infected with a bot?

Trackbacks

  1. [...] analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week which was run by Spanish hacker group “DDP Team”, is run by some guy named “tnls” as the [...]

  2. [...] a network of 13 million zombies, contained tons of personal information: Mariposa, a botnet. That is to say, the zombie intercepts as much data as possible on the PC (keystrokes [...]

  3. [...] March 9, 2010 tags: botnet by حديقة أزهار The guys behind a 12M+ infected hosts botnet dubbed Mariposa were arrested in a cooperative effort between law enforcement, security vendors and the academic [...]

  4. [...] of the antivirus allowed the woman and her colleague, the author of the post, to uncover the Mariposa botnet, lodged directly in the mobile phone sent by Vodafone and ready to do damage on the PC to which [...]

  5. [...] to which the user wants to sync the smartphone, to a fairly dangerous botnet, Mariposa. So as not to miss anything, the device sold by Vodafone also bundles [...]

  6. [...] an autorun.inf file that runs a malicious autorun.exe, which ends up installing a Mariposa botnet client. It activates when the phone is connected to the PC and puts it at the service of the cyber-criminals. A look [...]

  7. [...] Botnet – Technical details … Spanish Amateurs? – NO JAIL TIME, weak laws, SPANISH SAID so. They got out of jail [...]

  8. [...] by Panda Security that found an HTC Magic distributed by Vodafone in Spain with the Mariposa botnet preinstalled, another similar case has emerged in the same country and from the same [...]

  9. [...] blog post by Panda Software explains what happened next. Netkairo finally regained control of Mariposa and [...]

  10. [...] seen considerable activity in 2010. For example, Panda Security played a key role in dismantling Mariposa, one of the largest botnets known to date, and subsequently detected Mariposa malware on a Vodafone [...]

  11. [...] significant activity in other areas of IT security, with the dismantling of Mariposa, one of the largest botnets identified to date, in a joint effort between Panda Security and the [...]

  12. [...] Time and time again we talk about how amateur and professional hackers alike are able to use automated toolkits which can identify security vulnerabilities on a computer and exploit them with little or no technical skill necessary for the cyber criminal. The spirited script kiddies behind these kits have been running havoc on the Internet, as many of the kits available can be downloaded in underground forums for free. Today, we came across an embedded iframe inside of the Department of Treasury website. This iframe (pictured below) is used to silently load one of the Eleonore exploit kit’s main URLs, which in turn determines what’s the best available exploitation method for the browser accessing the site. US Treasury Website – Injected iframe [...]

  13. [...] right now could rent part of the MARIPOSA botnet (I’d settle for a couple of million zombie PCs) to launch a series of brute attacks on them [...]

  14. [...] the creator of the Mariposa botnet has reportedly been identified as a 23-year-old Slovenian citizen, known online by the nickname [...]

  15. [...] Learn More about the Mariposa Botnet case here… This entry was posted in Security Threats, Tech News. Bookmark the permalink. ← World’s Cheapest Laptop: $35 Tablet Computer from India will Revolutionize Education [...]

  16. [...] a comment » The backstory of the long hard fight against a botnet was carried by PandaLabs: In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed “Mariposa”. [...]

  17. [...] can also start to cover their traces and make themselves ‘protected’. Panda Labs has the Mariposa-botnet analysis example of non-sophisticated but effective botnet activity. It is difficult to [...]

  18. [...] of the arrest and subsequent incarceration of the creators of the botnet monikered ‘Mariposa‘. In an operation comprised [in partnership] of the FBI, the Spanish Guardia Civil and the [...]

  19. [...] suggest that the subsequent actions of one of the alleged ringleaders (attempting to regain control of the [...]

  20. [...] year Luis Corrons had a very interesting presentation on the Mariposa botnet-operation, how it operated, who were behind it and how the Mariposa Working Group managed to take it down and [...]

  21. [...] (also known as Rimecud, Butterfly bot or Pilleuz) made some big press in 2009 when Panda Security announced the coordinated takedown of a huge botnet that they called [...]

  22. [...] had spread swiftly and broadly, plaguing computers across all continents on the globe. According to researchers, Mariposa infected more than 12 million computers from over 190 countries, including computers of [...]
