One of the most interesting ways to understand how the bot behind Mariposa has been spreading is to study the geographical distribution of the infections. Unlike other cases, the Mariposa Working Group stats don't come from scanning PCs. To keep the DDP Team from controlling Mariposa, we managed to change the DNS of the C&C servers, so all the bots were redirected to a sinkhole. That's when we realized for the first time how huge the botnet was. We were able to see the IP address of each and every bot that was trying to reach the C&C server to receive instructions. As you know, the number of IPs is not equivalent to the number of computers, as one computer can use multiple IP addresses, and many computers can use just one IP address (this usually happens in companies that connect to the Internet through a proxy server).
Before gathering all the info my guess was that most of the bots would be in the US, some countries in Western Europe, and some others in Asia (Japan, China). However, I was totally wrong. Here you can see a map; the darker the color, the bigger the number of IPs:
As you can see, there are infections in almost every country around the world. These are the top 20 cities with the most Mariposa bots worldwide:
|17||Rio De Janeiro||0,75%||106,066|
I have tried to represent all the cities in the world map, but drawing 31,901 different cities and towns is somewhat complicated 😉
These are the top 10 countries:
And the detail of the top 20 countries:
|16||UNITED ARAB EMIRATES||0,00%||163,440|
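The caveat about IPs versus computers, worked through as an added example (not PandaLabs or Mariposa Working Group code): it builds the rank / country / share / IP-count columns from sinkhole records and sets them beside a per-host count. The records, the prefix-to-country table and the `bot_id` field are constructed assumptions; the page does not say the sinkhole saw any per-bot identifier.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-country table (RFC 5737 documentation ranges);
# a real pipeline would query a GeoIP database instead.
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "ES",
    ipaddress.ip_network("198.51.100.0/24"): "BR",
    ipaddress.ip_network("203.0.113.0/24"): "IN",
}

# Constructed sinkhole records: (source IP, bot_id). bot_id is a hypothetical
# per-infection identifier, used only to show how far IP counts can drift.
RECORDS = [
    ("192.0.2.10", "a1"), ("192.0.2.11", "a1"), ("192.0.2.12", "a1"),        # one PC, changing IPs
    ("198.51.100.5", "b1"), ("198.51.100.5", "b2"), ("198.51.100.5", "b3"),  # three PCs behind one proxy
    ("203.0.113.7", "c1"), ("203.0.113.7", "c1"),                            # repeated check-ins, same PC
    ("203.0.113.8", "c2"),
]

def country_of(ip):
    """Map an IP to a country code using the constructed GEO table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"

def tally(records):
    """Return rows of (rank, country, % of unique IPs, unique IPs, unique bot_ids)."""
    ips, bots = defaultdict(set), defaultdict(set)
    for ip, bot_id in records:
        cc = country_of(ip)
        ips[cc].add(ip)        # sets deduplicate repeated check-ins
        bots[cc].add(bot_id)
    total = sum(len(s) for s in ips.values())
    ranked = sorted(ips.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(rank, cc, round(100 * len(s) / total, 2), len(s), len(bots[cc]))
            for rank, (cc, s) in enumerate(ranked, 1)]

if __name__ == "__main__":
    for row in tally(RECORDS):
        print("|%d|%s|%.2f%%|%d IPs|%d hosts|" % row)
```

In this constructed data the IP-based ranking puts ES first and BR last, while the per-host count reverses them, which is the distortion the proxy and multiple-address cases introduce.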