Mariposa botnet

In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed “Mariposa”. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record.

Initial steps involved the creation of the Mariposa Working Group (MWG), comprising Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with other international security experts and law enforcement agencies. The aim was to set up a task force to eradicate the botnet and bring the perpetrators to justice.

Once all the information had been compiled, the primary aim was to wrest control of the network from the cyber-criminals and identify them. Having located the Command & Control (C&C) servers from which commands were sent to the network, we were able to see the types of activities the botnet was being used for. These mainly involved renting out parts of the botnet to other criminals, stealing confidential credentials from infected computers, altering the results shown in search engines such as Google, and displaying pop-up ads.

The aim, in all cases, was clearly to profit from the botnet. The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team – Nightmare Days Team in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.

Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.

On December 23, 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to regain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.

Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.
Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.
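
The counting step described above (bots redirected to a sinkhole by the DNS change, then tallied as they report in) is easy to get wrong, because a sinkhole sees IP addresses, not machines. The following is an added example, not code from the original post or from the Mariposa Working Group; the log line format, the sample lines and the function names are assumptions, and the sample addresses are constructed from the RFC 5737 documentation ranges (so the filter below only drops RFC 1918 and loopback sources rather than using a stricter "is public" test):

```python
"""Sinkhole census: estimating botnet size from connection logs.

Added example (not from the original post or the Mariposa Working Group).
Assumes the sinkhole writes one line per inbound connection in the
constructed format below; real sinkhole logs differ.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (RFC 5737 documentation addresses).
# Assumed format: "<ISO timestamp> src=<ip> dst=<sinkhole ip> proto=udp"
SAMPLE_LOG = """\
2009-12-23T09:00:01Z src=198.51.100.7 dst=192.0.2.10 proto=udp
2009-12-23T09:00:04Z src=198.51.100.7 dst=192.0.2.10 proto=udp
2009-12-23T09:02:11Z src=203.0.113.44 dst=192.0.2.10 proto=udp
2009-12-23T09:05:30Z src=10.0.0.5 dst=192.0.2.10 proto=udp
2009-12-23T23:59:59Z src=203.0.113.45 dst=192.0.2.10 proto=udp
2009-12-24T00:10:00Z src=198.51.100.7 dst=192.0.2.10 proto=udp
2009-12-24T00:12:00Z src=203.0.113.46 dst=192.0.2.10 proto=udp
this line is garbage and must be skipped
2009-12-24T01:00:00Z src=203.0.113.44 dst=192.0.2.10 proto=udp
2009-12-24T02:30:00Z src=203.0.113.47 dst=192.0.2.10 proto=udp
"""

LINE_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst=(\S+)")

# Sources that cannot be Internet bots: almost always the sinkhole's own
# network, monitoring probes or misconfigured forwarders.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_log(text):
    """Yield (timestamp, source_ip) pairs, skipping malformed lines and
    non-routable sources."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue
        if any(ip in net for net in NON_ROUTABLE):
            continue
        yield ts, ip


def sinkhole_census(text):
    """Return (unique IPs over the whole period, {date: unique IPs that day}).

    The cumulative figure overcounts infected machines (DHCP hands the same
    machine a new address from day to day), while any single count
    undercounts them (many machines behind one NAT share an address).
    """
    all_ips = set()
    per_day = defaultdict(set)
    for ts, ip in parse_log(text):
        all_ips.add(ip)
        per_day[ts.date().isoformat()].add(ip)
    return len(all_ips), {d: len(s) for d, s in per_day.items()}


def peak_day(text):
    """Unique IPs seen on the busiest single day: a more defensible size
    estimate than the cumulative count, which keeps growing with DHCP churn."""
    _, per_day = sinkhole_census(text)
    return max(per_day.values()) if per_day else 0


if __name__ == "__main__":
    total, days = sinkhole_census(SAMPLE_LOG)
    print(f"unique IPs over period: {total}")
    for day, n in sorted(days.items()):
        print(f"  {day}: {n}")
    print(f"peak single day: {peak_day(SAMPLE_LOG)}")
```

The point of separating the cumulative count from the per-day count is the one the post's own wording preserves: the "12 million" figure is a count of IP addresses that reported in, which is the right thing to say out loud, and a sinkhole operator should report the busiest-day figure alongside it rather than let the cumulative number stand in for a host count.
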

On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator”. Both of them were arrested on February 24, 2010.

Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries. Christopher Davis, CEO of Defence Intelligence, illustrates the significance of these infections: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were.”

Data stolen includes bank account details, credit card numbers, user names, passwords, etc. The digital material seized during the arrest of Netkairo and the other DDP Team members included stolen data belonging to more than 800,000 users.

The investigation is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are already estimated to be in the millions of dollars.

Analysis of Netkairo’s hard disks by the police is revealing a complex network of suppliers offering a range of services, including hacking of servers to be used as control servers, encryption services to make the bots undetectable to antivirus products, anonymous VPN connections to administer the botnet, etc.

There is also a similarly complex network of clients, prepared to rent part of the botnet, to buy stolen credit cards, or pay for the installation of toolbars. The gang also stole directly from bank accounts, using money mules in the United States and Canada, and laundered money through online poker games.

Among other activities, Panda has been contacting other IT security companies to provide access to samples of the bots so that we can all detect them. As such, if you want to know if you are infected with the bot, just scan your computer with a reliable and up-to-date antivirus solution.

Over the past few days many people have been asking me on Twitter for an easy way to check whether their computers are infected. You can use CloudAntivirus (free), or if you are already using an antivirus product you can simply scan your system with our free online scanner, ActiveScan, which can detect and disinfect the Mariposa samples as well as many other threats.

42 Responses

  1. андроид программы
    Feb 07, 2011 - 09:22 AM

    How do I check whether I am infected with a bot?

    • Luis Corrons
      Feb 11, 2011 - 10:38 AM

      There are many ways, but the first one is to use some free virus scanner, from a different antivirus than the one you have in your computer, as a second opinion tool.

  2. autobuildit review
    Oct 22, 2011 - 07:42 PM

    I wanted to develop a quick comment in order to thank you for those splendid pointers you are giving out here. My time-consuming internet investigation has at the end been paid with incredibly good insight to write about with my friends. I’d point out that most of us website visitors actually are truly lucky to exist in a wonderful place with many lovely people with beneficial secrets. I feel quite grateful to have discovered the weblog and look forward to really more amazing moments reading here. Thank you once again for a lot of things.

  3. cell phone store
    Oct 29, 2011 - 01:43 PM

    Some truly howling work on behalf of the owner of this site, dead wonderful subject matter.

    Nov 13, 2011 - 01:31 PM

    It’s my first visit to this blog, it’s nice! Keep up the work…
