The reported botnet, Mariposa, was named after the Spanish word for "butterfly", as documented across the Internet. It had silently enrolled almost 13 million computers in more than 190 countries. The computers had been hijacked by hackers after being infected by the polymorphic W32/Rimecud family of malware. Win32/Rimecud is a family of worms with multiple components that spreads via removable drives and instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected machine, Microsoft reports. More than 200 binaries of the Mariposa botnet have been found in the wild. Among these, what users should be most wary of are information stealers that compromise not just banking information but also a user’s identity, says Trend Micro.
Mariposa botnet malware spreads through conventional channels such as P2P networks, infected USB drives, and MSN links directing surfers to infected websites. Once machines were infected by the Mariposa bot client, the hackers would install various strains of malware on them (advanced keyloggers, banking trojans like Zeus, remote access trojans, etc.) to obtain greater control of the infected systems. Mariposa has an inbuilt capability to download and execute arbitrary executable programs on command. The malware can also update to new binary variants on the botmaster’s command, thereby reducing or eliminating the detection rates of traditional host detection methods. The botmaster thus has an extended ability to alter the functionality and capability of the malicious software indefinitely, beyond what is implemented during the initial compromise.
Christopher Davis, chief executive officer of Defence Intelligence, called Mariposa “a highly sophisticated piece of malicious software” that appears to be very selective in its targets. The botnet was shut down on 23 December 2009. The Mariposa botnet, which has been dismantled, was easily one of the world's biggest.
References
- http://en.wikipedia.org/wiki/Internet_bot
- http://community.trendmicro.com/t5/Web-Threat-Spotlight/Mariposa-Botnet-Uses-AutoRun-Worms-to-Spread/ba-p/4596
- http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Worm%3AWin32%2FRimecud.B
--
Dr.B.M






