MariposaimageIn May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed “Mariposa”. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record.

Initial steps involved the creation of the Mariposa Working Group (MWG), comprising Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with other international security experts and law enforcement agencies. The aim was to set up a task force to eradicate the botnet and bring the perpetrators to justice.
Once all the information had been compiled, the primary aim was to wrest control of the network from the cyber-criminals and identify them. Having located the Command & Control (C&C) servers from which commands were sent to the network, we were able to see the types of activities the botnet was being used for.  These mainly involved rental of parts of the botnet to other criminals, theft of confidential credentials from infected computers, changes on the results shown in search engines (such as Google, etc.), and displaying pop-up ads.

The aim, in all cases, was clearly to profit from the botnet. The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team – Nightmare Days Team in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.

Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.

On December 23 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.

Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.
Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.
On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30,  a.k.a.  “jonyloleante”, and  J.B.R., 25, a.k.a. “ostiator”.  Both of them were arrested on February 24, 2010.

Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries.  Christopher Davis, CEO of Defence Intelligence, illustrates the significance of these infections: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were.”

Data stolen includes bank account details, credit card numbers, user names, passwords, etc. The digital material seized during the arrest of Netkairo, members of the DDP Team, included stolen data belonging to more than 800,000 users.

The investigation is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are already estimated to be in the millions of dollars.

Analysis of Netkairo’s hard disks by the police is revealing a complex network of suppliers offering a range of services including hacking of servers to be used as control servers, encryption services to make the bots undetectable to antiviruses, anonymous VPN connections to administer the botnet, etc.

There is also a similarly complex network of clients, prepared to rent part of the botnet, to buy stolen credit cards, or pay for the installation of toolbars. The gang also stole directly from bank accounts, using money mules in the United States and Canada, and laundered money through online poker games.

Among other activities, Panda has been contacting other IT security companies to provide access to samples of the bots so that we can all detect them. As such, if you want to know if you are infected with the bot, just scan your computer with a reliable and up-to-date antivirus solution.

During these days many people has been asking me in Twitter an easy way to check if their computers were infected. If you want you can use CloudAntivirus (free) or if you are already using an antivirus then you can just scan your system with our free online scanner ActiveScan. which can detect and disinfect the Mariposa samples as well as many other threats.