Threat Management, Malware, Patch/Configuration Management, Phishing, Vulnerability Management

India, Mexico, Brazil have most Mariposa bots

An analysis of the dismantled Mariposa botnet has revealed that it consisted of 13 million infected PCs spanning 190 countries and 31,901 cities worldwide, according to anti-virus vendor Panda Security.

The botnet, which took its name from the Spanish word for butterfly, infected PCs from almost every country around the world, stealing account information for social media sites, online email services, usernames and passwords, banking credentials, and credit card data, according to Panda. Compromised IP addresses included personal, corporate, government and university computers.

“It's huge,” Christopher Davis, CEO for information security firm Defence Intelligence, which first discovered Mariposa, told on Wednesday. “It's certainly one of the biggest [botnets] I have ever seen.”

The top five countries, by number of Mariposa-infected computers, were India, Mexico, Brazil, Korea and Columbia, according to Panda.

The investigation into the botnet is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are already estimated to be in the millions of dollars, Sean-Paul Correll, threat researcher at Panda, told Wednesday in an email.

“The primary motivation in cases like these is for the cybercriminals to reap financially,” he said.

After Mariposa was discovered last May, a group of international security experts and law enforcement agencies joined forces and formed what they called the Mariposa Working Group to disarm the botnet and prosecute the offenders.

Members of the working group were able to take control of the botnet's command-and-control structure that allowed attackers to relay information to and from compromised computers. The group then coordinated a worldwide shutdown of the botnet that occurred on Dec. 23.

“It was a really good coordination between companies that have to make money, researchers that don't really care about making money and law enforcement who can't really share what they are doing with us,” Davis said.

As a result of the collaboration, the primary botnet operators, nicknamed “Netkairo” and “hamlet1917”, as well as their partners, “Ostiator” and “Johnyloleante,” were arrested by Spanish law enforcement earlier this month.

In addition, members of the working group were able to redirect all bots to communicate with a server controlled by the group. This allowed security researchers to conduct the analysis of the botnet.

The malware was designed to spread through USB drives, instant messenger programs and on peer-to-peer (P2P) networks, Matt Thompson, principal developer at Defence Intelligence, who reverse-engineered the malware told on Wednesday. In addition, the malware attempted to spread on Microsoft's Internet Explorer (IE) 6 browser.

One way attackers spread the malware was by sending out malicious links in instant messages on MSN Messenger, Thompson said. When a user clicked on the link, it brought up a page that appeared to be an update for Adobe Flash Player. If that page was viewed using IE 6, the malware would be automatically installed via drive-by download, requiring no user interaction.

Once infected by Mariposa, the botmaster installed different malware, including keyloggers and banking trojans to gain additional functionality from infected PCs.

More than 2.7 million, or 19 percent, of all infected IP addresses were located in India, making it the top Mariposa-infected country, according Panda Security's analysis. Mexico came in second with approximately 1.8 million or 12.8 percent of infected IP addresses, followed by Brazil, then Korea, each with more than one million infected, and Columbia, with approximately 700,000.

Rounding out the top 10 of countries with the most Mariposa bots were Russia, Egypt, Malaysia, Ukraine and Pakistan, each with at least 360,000 infected IP addresses.

In the United States, there were 148,818 infected IP addresses.

The malware is still present on many PCs and USB drives, so it still spreading, Davis said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.