Friday, October 9, 2009

Mariposa Botnet Analysis



*** Update ***

An updated version of the Mariposa Technical Analysis can be found at http://defintel.com/docs/Mariposa_Analysis.pdf

***

Mariposa was first observed in May of 2009 by Defence Intelligence as an emerging botnet. In recent months, Mariposa has shown a significant increase in beaconing traffic to its command and control servers. This is indicative of an increasingly high number of compromised computers actively participating in the Mariposa botnet.

The most dangerous capability of this botnet is that arbitrary executable programs are downloaded and executed on command. This allows the bot master to infinitely extend the functionality of the malicious software beyond what is implemented during the initial compromise. In addition, the malware can be updated on command to a new variant of the binary, effectively reducing or eliminating the detection rates of traditional host detection methods.

Commands from the botnet master may be directed at participants in a specific country, individual computers, or all computers. As a result, the observation of the live command and control channel may not include all of the activity and capabilities of Mariposa.

The command and control channel employs custom encrypted UDP datagrams to receive instructions and transmit data. A detailed analysis of the encryption and message formats used by the protocol is presented in this paper.

During empirical analysis of internal controlled compromised systems, the following DNS domain names were observed as the command and control servers:

  • lalundelau.sinip.es
  • bf2back.sinip.es
  • thejacksonfive.mobi
  • butterfly.BigMoney.biz
  • bfisback.sinip.es
  • qwertasdfg.sinip.es
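As an added example (not code from the Defence Intelligence paper), the following Python matches the command and control domains listed above against constructed DNS query log lines and flags clients whose lookups recur at a fixed interval, the beaconing pattern the post describes; the log format, sample lines and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# C2 domains named in the analysis; compared case-insensitively
MARIPOSA_C2_DOMAINS = {
    "lalundelau.sinip.es", "bf2back.sinip.es", "thejacksonfive.mobi",
    "butterfly.bigmoney.biz", "bfisback.sinip.es", "qwertasdfg.sinip.es",
}

# Constructed DNS query log (not from the paper): "<epoch> <client_ip> <qname>"
SAMPLE_DNS_LOG = """\
1255100000 10.0.0.5 www.example.com
1255100010 10.0.0.5 butterfly.BigMoney.biz
1255100070 10.0.0.5 qwertasdfg.sinip.es
1255100130 10.0.0.5 bfisback.sinip.es
1255100190 10.0.0.5 lalundelau.sinip.es
1255100045 10.0.0.9 update.example.org
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def is_c2_name(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, a listed C2 domain."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in MARIPOSA_C2_DOMAINS)

def c2_lookups(log_text: str) -> dict:
    """Map client IP -> sorted timestamps of its lookups for C2 names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, qname = int(m.group(1)), m.group(2), m.group(3)
        if is_c2_name(qname):
            hits[client].append(ts)
    return {c: sorted(t) for c, t in hits.items()}

def beacon_score(timestamps: list) -> float:
    """Coefficient of variation of inter-lookup gaps; near 0 means fixed-interval beaconing."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return float("inf")
    return pstdev(gaps) / mean(gaps)

def suspected_bots(log_text: str, min_hits: int = 3, max_cv: float = 0.2) -> list:
    """Clients that repeatedly resolve C2 names at a regular interval (thresholds assumed)."""
    return sorted(client for client, ts in c2_lookups(log_text).items()
                  if len(ts) >= min_hits and beacon_score(ts) <= max_cv)
```

Any match on a listed domain already merits attention; the interval check only ranks hosts whose traffic shows the periodic pattern that distinguishes a beacon from a one-off lookup.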

Over the last two weeks of analysis, two unique malicious programs were downloaded and executed on the compromised computers. One malware update was received during this period, introducing new command and control domain names, adding a ‘confirmation of download’ message, and renaming ASCII commands.

It has also been observed that the botnet participants are receiving Google custom search engine URL fragments in a command from the bot master. This indicates a possible hijacking of Google AdSense advertisement revenue.

This paper details the result of static binary analysis, a review of the command and control protocols including a breakdown of the encryption, and empirical behaviour analysis findings.

The full Mariposa Botnet Analysis is available in PDF form at defintel.com.

6 comments:

MEBENDAZOLE said...

The Mariposa Botnet got shut down the other day. I got infected with it two days before that. Is it still a threat to me even though I have been infected by it and it has been shut down? Also I used Malwarebytes to delete it from my computer and it worked, so I thought. The minute I opened Mozilla Firefox or Internet Explorer it would reinstall itself. If I delete it again will it still come back? If so, does anyone know how to permanently get rid of this annoying thing without it reinstalling itself and without getting my hard drive reformatted or wiped? The malware pop-up I get is Security Antivirus By melacare forte cream
