Mariposa botnet
The Mariposa botnet, discovered in December 2008, was a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet was dismantled on December 23, 2009, it consisted of 8 to 12 million individual zombie computers infected with the "Butterfly bot" (mariposa is Spanish for butterfly), making it one of the largest known botnets.
Origins and initial spread
The botnet was originally created by the DDP Team (Spanish: Días de Pesadilla Team, English: Nightmare Days Team) using a malware program called "Butterfly bot", which was also sold to various individuals and organisations. The goal of this malware program was to install itself on an uninfected PC and monitor activity for passwords, bank credentials and credit card numbers. After that the malware would attempt to self-propagate to other reachable systems using various supported methods, such as MSN (Windows Live Messenger), P2P networks and USB devices.
After completing its initial infection routine the malware would contact a command-and-control server within the botnet. This command-and-control server could be used by the controllers of the botnet to issue orders to the botnet itself.
Operations and impact
The operations executed by the botnet were diverse, in part because parts of the botnet could be rented by third-party individuals and organizations. Confirmed activities include denial-of-service attacks, e-mail spam, theft of personal information, and changing the search results a browser would display in order to show advertisements and pop-up ads.
Due to the size and nature of a botnet, its total financial and social impact is difficult to calculate, but initial estimates put the cost of removing the malware alone at "tens of millions of dollars". After the apprehension of the botnet's operators, government officials also discovered a list containing personal details of 800,000 individuals, which could be used or sold for identity theft purposes.
Dismantling
In May 2009 the Mariposa Working Group (MWG) was formed as an informal group composed of Defence Intelligence Inc., the Georgia Tech Information Security Center and Panda Security, along with additional unnamed security researchers and law enforcement agencies. The goal of this group was the analysis and extermination of the Mariposa botnet itself.
On December 23, 2009 the Mariposa Working Group managed to take control of the Mariposa botnet after seizing control of the command-and-control servers used by the botnet. The operational owners of the botnet eventually succeeded in regaining control over the botnet, and in response launched a denial-of-service attack on Defence Intelligence. The attack managed to knock out Internet connectivity for a large share of the customers of Defence Intelligence's ISP, which included several Canadian universities and government agencies.
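The bot check-in loop described under "Origins and initial spread" and the seizure of the command-and-control servers described above can be modelled in a few lines. The Python below is an illustration added to this page; it is not code from Mariposa, the DDP Team or the Mariposa Working Group. The hostnames, addresses, bot IDs, the beacon/order exchange and the fallback name are constructed assumptions, and the article does not say how Mariposa's bots located their servers or how the operators later regained control. The model shows why control of the C2 names is control of the botnet, how a sinkhole yields a census of infected machines and why a count by bot ID and a count by source IP differ (a caveat for any size estimate such as the 8 to 12 million figure given above), and, going beyond the article, why merely suspending the seized names is weaker than sinkholing them when bots carry a fallback name.

```python
# Toy model of a centralised botnet and a command-and-control (C2) sinkhole.
# Constructed example: hostnames, addresses, bot IDs and the beacon/order
# exchange are assumptions for illustration, not Mariposa's real protocol.
from dataclasses import dataclass, field

OPERATOR_ADDR = "203.0.113.10"   # assumed address of the criminals' C2
SINKHOLE_ADDR = "192.0.2.1"      # assumed address of the defenders' sinkhole
PRIMARY_NAMES = ["c2-a.example", "c2-b.example"]   # names the takedown covers


class OperatorC2:
    """The criminals' server: answers every beacon with the current order."""
    def __init__(self, order):
        self.order = order

    def handle_beacon(self, bot_id, src_ip):
        return self.order


class Sinkhole:
    """Defender-run server: logs every beacon and never issues an order."""
    def __init__(self):
        self.beacons = []            # one (bot_id, src_ip) per check-in

    def handle_beacon(self, bot_id, src_ip):
        self.beacons.append((bot_id, src_ip))
        return "idle"

    def census(self):
        """(distinct bot IDs, distinct source IPs) seen since the takeover."""
        return (len({b for b, _ in self.beacons}), len({ip for _, ip in self.beacons}))


@dataclass
class Bot:
    bot_id: str
    src_ip: str
    c2_names: list                   # hard-coded C2 hostnames, tried in order
    executed: list = field(default_factory=list)

    def checkin(self, dns, servers):
        """Beacon to the first name that resolves and run any order returned."""
        for name in self.c2_names:
            addr = dns.get(name)
            if addr is None or addr not in servers:
                continue                 # name suspended or host unreachable
            order = servers[addr].handle_beacon(self.bot_id, self.src_ip)
            if order != "idle":
                self.executed.append(order)
            return addr
        return None                      # no C2 reachable this round


def build_fleet():
    """Constructed fleet: bot-0002/0003 share one NAT egress address and the
    last two bots carry a fallback name that the takedown does not cover."""
    return [
        Bot("bot-0001", "198.51.100.20", list(PRIMARY_NAMES)),
        Bot("bot-0002", "198.51.100.21", list(PRIMARY_NAMES)),
        Bot("bot-0003", "198.51.100.21", list(PRIMARY_NAMES)),
        Bot("bot-0004", "198.51.100.22", PRIMARY_NAMES + ["backup.example"]),
        Bot("bot-0005", "198.51.100.23", PRIMARY_NAMES + ["backup.example"]),
    ]


def run_takedown(mode):
    """One beacon round before and one after taking down the primary names
    by "sinkhole" or "suspend"; returns orders run and the sinkhole census."""
    dns = {name: OPERATOR_ADDR for name in PRIMARY_NAMES + ["backup.example"]}
    sinkhole = Sinkhole()
    servers = {OPERATOR_ADDR: OperatorC2("ddos 192.0.2.55"), SINKHOLE_ADDR: sinkhole}
    fleet = build_fleet()

    for bot in fleet:                    # round 1: operators still hold the names
        bot.checkin(dns, servers)
    orders_before = sum(len(bot.executed) for bot in fleet)

    if mode == "sinkhole":               # seized names now resolve to the defenders
        dns.update({name: SINKHOLE_ADDR for name in PRIMARY_NAMES})
    elif mode == "suspend":              # seized names stop resolving at all
        for name in PRIMARY_NAMES:
            dns.pop(name)
    else:
        raise ValueError(f"unknown takedown mode: {mode}")

    for bot in fleet:                    # round 2: after the takedown
        bot.executed.clear()
        bot.checkin(dns, servers)
    orders_after = sum(len(bot.executed) for bot in fleet)

    bots_seen, ips_seen = sinkhole.census()
    return {"orders_before": orders_before, "orders_after": orders_after,
            "sinkhole_bots": bots_seen, "sinkhole_ips": ips_seen}


if __name__ == "__main__":
    for mode in ("sinkhole", "suspend"):
        print(mode, run_takedown(mode))
```

With the sinkhole takedown every bot's next beacon lands at the defenders and no order reaches the fleet; the census counts 5 bots behind 4 source addresses, so an IP-based estimate would undercount hosts behind shared egress. With plain suspension the two bots that carry a fallback name fall through to a server the operators still control and keep executing orders, which is the generic reason sinkholing seized names is preferred over letting them go dark.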
On February 3, 2010, the Spanish Civil Guard (Guardia Civil) arrested Florencio Carro Ruiz (alias Netkairo) as the suspected leader of the DDP Team. Two additional arrests were made on February 24, 2010: Jonathan Pazos Rivera (alias Jonyloleante) and Juan Jose Bellido Rios (alias Ostiator) were arrested on suspicion of being members of DDP.
On July 28, 2010, the suspected creator of the "Butterfly bot" malware, known only by his alias "Iserdo", was arrested by Slovenian police.