After the recent worldwide shutdown of the Mariposa botnet –in a joint operation by Panda Security, Defence Intelligence, the FBI and the Spanish Guardia Civil, resulting in three arrests-, it has been discovered that the massive botnet had infected 13 million computers in 190 countries and 31,901 cities.

According to Luis Corrons, Technical Director of PandaLabs, “The highest infection ratios are found in countries where computer security education is not a priority. However, in countries where computer security awareness campaigns have been run over the last few years, like the United States, Germany, UK or Japan, the number of infections has been much less.”

The cities most affected have been Seoul (5.36% of compromised IP addresses), Bombay (4.45%) and New Delhi (4.27%). The top 20 is as follows:

1 Seoul 5.36%
2 Bombay 4.45%
3 New Delhi 4.27%
4 Mexico 3.89%
5 Bogota 2.68%
6 Lima 1.98%
7 Kiev 1.68%
8 Bangalore 1.39%
9 Islamabad 1.24%
10 Tehran 1.23%
11 Kuala Lumpur 1.16%
12 Madras 1.11%
13 Santiago 1.03%
14 Cairo 1.01%
15 Hyderabad 0.82%
16 Santo Domingo 0.75%
17 Rio de Janeiro 0.75%
18 Riyadh 0.72%
19 Medellín 0.65%
20 Dubai 0.63%

As for countries, the ranking is headed by India (19.14% of all infections), followed by Mexico (with 12.85%) and Brazil (7.74%). The top 20 is as follows: (this pic is available at: )
http://www.flickr.com/photos/panda_security/4419015337/
Country %
INDIA 19.14
MEXICO 12,85
BRAZIL 7.74
KOREA 7.24
COLOMBIA 4.94
RUSSIA 3.14
EGYPT 2.99
MALAYSIA 2.86
UKRAINE 2.69
PAKISTAN 2.55
PERU 2.42
IRAN 2.07
SAUDI ARABIA 1.85
CHILE 1.74
KAZAKHSTAN 1.38
UNITED ARAB EMIRATES 1.15
MOROCCO 1.13
ARGENTINA 1.10
UNITED STATES 1.05

“The coordinated effort of all the parties involved in the Mariposa Working Group led to the worldwide shutdown of the Mariposa botnet on December 23 at 5:00 PM (GMT +1). On that date, we seized control of the communication channels used by Mariposa, effectively severing the botnet from its criminal creators and redirecting all request to a server controlled by us. It was then that we realized the huge number of IP addresses controlled by the bot, almost 13 million, and found out about the high number of affected countries and cities”, explains Corrons.

He goes on to say, “The compromised IP addresses include both personal and corporate computers. The global infection map is as follows:”  (Pic available at: Map Mariposa Infection http://www.flickr.com/photos/panda_security/4419780176/ )

The Georgia Institute of Technology has plotted the progress of the Mariposa Botnet in an animation available at http://fritz.cc.gt.atl.ga.us/mariposa/mariposa_major_victim_areas.avi. David Dagon, Ph.D. Candidate at the Georgia Institute of Technology, reflects on the Mariposa geographical distribution: “I think a remarkable aspect of this botnet is that it reverses the normal expectations about infections. Usually, the press tells us that ‘eastern’ botmasters are attacking ‘western’ victims.  (E.g., Russian botmasters and US/EU victims.)  In Mariposa, we tend to see the opposite: some botmasters in the west, and victims in the east.  The lesson learned is: We all face a common threat.”

Panda Security recommend that all users – home users and companies alike – perform an in-depth scan of their computers to make sure they are not infected by the Mariposa bot. They can do so by using the free online scanner Panda ActiveScan or downloading the free cloud-based solution Panda Cloud Antivirus from www.cloudantivirus.com.