
Mariposa Botnet busted by Spanish Police.

Posted by Jennifer Jackson

Spanish Police yesterday arrested three alleged ringleaders of one of the largest botnets ever reported. ‘Mariposa’, which is Spanish for butterfly, was anything but small and delicate: it infected around 12.7 million computers in 190 countries and allowed hackers to gain remote access to the PCs. Among the millions affected, the botnet infiltrated more than 40 major banks and many high-profile companies on the U.S. Fortune 1000 index. Christopher Davis, Chief Executive of security firm Defence Intelligence, told the BBC “it would be easier for me to provide a list of the fortune 1000 companies that weren’t infected”.

Botnets are networks of infected PCs whose control has been handed, without their owners’ knowledge, to a remote operator by way of malicious software, and often into criminal hands. Linked together, this network of PCs gives spammers, hackers and other internet attackers an enormous amount of computing power and information. The diagram below outlines how a botnet works:

(Diagram: How a Botnet works...)

The Mariposa botnet was discovered in May 2009, carefully monitored, and subsequently shut down in December 2009 thanks to the combined efforts of security experts and law enforcement. Mariposa exploited a vulnerability in Microsoft’s Internet Explorer web browser and was programmed to secretly take control of infected machines. It would steal login credentials and record every keystroke on an infected computer before sending the data to a ‘command and control centre’ where the ringleaders would store it. Experts say it was even more sophisticated than the malware used to attack Google’s computers in China.

The first gang member was arrested in early February when he logged into the network without disguising the address of his computer. His slip-up gave investigators the links they needed to two more suspects, who were arrested later in the month. The significance of these arrests is huge: the masterminds behind the larger botnet schemes are rarely identified, let alone taken down. However, the geniuses behind the Mariposa botnet were not your stereotypical programmers. Pedro Bustamante, senior research advisor at Panda Security, said: “Our preliminary analysis indicates that the botmasters did not have advanced hacking skills. This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled criminals to inflict major damage and financial loss.”

Highlights from Panda Security’s preliminary analysis include:

  • Once a PC was infected by the Mariposa bot client, the botmaster installed additional malware (advanced keyloggers, banking trojans such as Zeus, remote access trojans, etc.) in order to gain extra functionality on the zombie PCs.
  • The botmaster made money by selling parts of the botnet, installing pay-per-install toolbars, selling stolen credentials for online services and using the stolen banking credentials and credit cards to make transactions to overseas mules.
  • The Mariposa botnet spread extremely effectively via P2P networks, USB drives, and MSN links.

Defence Intelligence and Panda Security are attempting to contact affected organisations. To find out if your organisation has been compromised, contact: compromise@defintel.com or info@pandasecurity.com.
