Defence Intelligence has been tracking the growth of a new information stealing botnet we’ve named Mariposa. 50 of the world’s Fortune 100 companies are actively participating in this botnet as well as hundreds of government agencies, financial institutions, universities and corporate networks worldwide.
Since its discovery in May of 2009 we’ve identified Mariposa activity in tens of thousands of unique corporate networks. Over 70 variants have been identified with varying degrees of security and purpose, including code injection into known processes, email address harvesting, and additional malware downloads. The number of variants may reflect only functionality differences or efforts at avoiding AV detection; it does not by itself reveal the number of controllers or the exact motivation behind the overall threat.
Believed to stem from the butterfly bot kit, formerly sold at bfsecurity.net, this botnet is successfully spreading across thousands of corporate networks, just as it was designed to do. From the bfsecurity.net site, butterflybot is a “Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]” The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]”
Other propagation methods and capabilities may since have been added to the bf botkit, but the original add-on features included Firefox and IE password harvesting and TCP/UDP flooding. NetBIOS worm propagation and email address harvesting also appear to have become common additions.
Analysis of this botnet has revealed only one commonly identifiable piece of information. Companies wishing to determine if they have been compromised can watch for DNS queries to the domain:
Additionally, monitor for high DNS query volume to domains containing the keywords of “butterfly” or “bf” and/or mass UDP connection attempts to any of the following IPs:
For further information regarding this botnet, please contact firstname.lastname@example.org.
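The two watch rules above (keyword DNS queries and mass UDP attempts to the listed IPs) as a small detection pass over constructed sample telemetry. This is an added example, not Defence Intelligence’s tooling; the domain and IP list are not reproduced in this post, so WATCHED_IPS holds placeholder addresses, and the log format is an assumption.

```python
import re
from collections import Counter, defaultdict

# Placeholder for the C&C addresses listed in the advisory (not reproduced here); constructed values.
WATCHED_IPS = {"198.51.100.10", "198.51.100.11"}

# Constructed sample telemetry, one event per line: "<timestamp> <src_host> <dns|udp> <detail>"
# (dns detail = queried name, udp detail = dst_ip:dst_port). Not real logs.
SAMPLE_LOG = """\
2009-06-01T10:00:01 10.0.0.5 dns butterfly.example
2009-06-01T10:00:02 10.0.0.5 dns bf.example
2009-06-01T10:00:03 10.0.0.5 dns bf-update.example
2009-06-01T10:00:04 10.0.0.5 dns butterfly.example
2009-06-01T10:00:05 10.0.0.5 dns www.butterfly.example
2009-06-01T10:00:07 10.0.0.6 dns cbfoo.example
2009-06-01T10:00:08 10.0.0.7 udp 198.51.100.10:1024
2009-06-01T10:00:09 10.0.0.7 udp 198.51.100.10:1025
2009-06-01T10:00:10 10.0.0.7 udp 198.51.100.11:1026
2009-06-01T10:00:11 10.0.0.7 udp 198.51.100.11:1027
2009-06-01T10:00:12 10.0.0.7 udp 198.51.100.10:1028
2009-06-01T10:00:13 10.0.0.8 udp 203.0.113.9:53
"""

# "butterfly" anywhere in the name; "bf" only as a whole label or hyphen-separated token.
# That is narrower than the advisory's wording (an assumption to avoid matching names like "cbfoo").
KEYWORD_RE = re.compile(r"butterfly|(?:^|[.-])bf(?:$|[.-])", re.IGNORECASE)

def find_suspicious_hosts(log_text, dns_threshold=5, udp_threshold=5):
    """Return {src_host: [reasons]} for hosts that exceed either indicator threshold."""
    dns_hits = Counter()              # keyword DNS queries per source host
    udp_targets = defaultdict(set)    # distinct ip:port pairs hit on watched IPs per host
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, proto, detail = line.split()
        if proto == "dns" and KEYWORD_RE.search(detail):
            dns_hits[src] += 1
        elif proto == "udp" and detail.rsplit(":", 1)[0] in WATCHED_IPS:
            udp_targets[src].add(detail)
    flagged = defaultdict(list)
    for src, n in dns_hits.items():
        if n >= dns_threshold:
            flagged[src].append(f"{n} DNS queries for butterfly/bf domains")
    for src, targets in udp_targets.items():
        if len(targets) >= udp_threshold:
            flagged[src].append(f"{len(targets)} UDP attempts to watched IPs")
    return dict(flagged)
```

Thresholds are per-window values to tune against your own baseline; a single keyword query is weak evidence, the volume is what the advisory points at.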