In March earlier this year, Spanish police arrested three men
linked to the Mariposa botnet. After this move it was widely believed that the
massive botnet had shutdown. From what I have seen over the last week,
that is not the case. Some Mariposa CnCs are still active and spreading. The screen shot below is a snapshot
of a Mariposa sample (ad7a5b6755089ba83001f224a7067ec1)
communicating to its CnC. On this occasion it received a command to spread
through
0000 00 03 ff 22 7f 48 90 e6 ba b8 8f 7a 08 00 45
00 ...".H.....z..E.
0010 00 22 00 00 40 00 35 11 97 fd ae 8a 3c 46 c0
a8 ."..@.5.....<F..
0020 02 55 d1 97
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
0x01 0x0a 0x70 0xe2 0xf90x c7:
0x01 is the protocol opcode
0x0a 0x70 is the sequence number and the key to decrypt the message.
0xe2 0xf9 0xc7 is the encrypted message which decrypts to “11 75 31” or
11 u 1
The “u1” commands enables
It seems that either Spanish police have
not been able to apprehend the entire Mariposa gang or the botnet CnC has some
sort of auto-pilot mode. This might seem bit star-warish to some but it isn’t
really that hard to do. A simple implementation could be to program the CnC to
periodically change the commands. All this brings home a very important lesson
in shutting down major botnets. Even if the bot masters are arrested, you still
have to shut down the CnC. Unless that is done, the infrastructure is still there,
it still lives, and it can continue to spread and cause harm.
How could Mariposa be shut down:
Step 1: Take over all Mariposa CnC DNS records.
Make them resolve to a server in your control. This would require the
corporation of Domain name registration corporations, who are mostly
cooperative when there is clear evidence of malicious activity.
Step 2: Now that the Mariposa botnets are
connecting to your own server you have effectively taken over command of
the botnet. You can choose to do nothing at this point, since the infected PC
won’t do anything because their CnC is silent. This would leave a lot of
Mariposa zombies around the world doing nothing. If you want to go
a step further and remove these zombies continue to step 3
Step 3: You can remove these zombies by
making them download a removal tool of sorts but in the case of Mariposa, one can remove these zombies without
actually having the zombies download anything. There is a command in the Mariposa
CnC protocol called “alinfiernoya” which is Spanish and translates to “to hell now”. This
command effectively removes the bot on the infected PC. Beware, there are all sorts of legal issues around messing with someone else's system, even if you're trying to help.
Haroon W Malik @ FireEye Malware Intelligence Lab
Detailed Question/Comments : research SHIFT-2 fireeye DOT COM
Mariposa was named for one particular botnet that used the Butterfly bot malware.
What you have here is Butterfly malware botnet for sure. It is not Mariposa though. We suspect the un-named botnet you are blogging about could be bigger than Mariposa ever was.
We have 1292 MD5 unique binaries in our analysis system that relate to your blog post. If you would like them, we would be glad to provide them to you.
Cheers!
Chris Davis - Defence Intelligence
Posted by: Chris Davis | 2010.06.21 at 07:04 AM
Maybe you just need to understand that mariposa was sold. Iserdo coded it and sold a builder so everyone can make a "mariposa" botnet. There are dozens in the wild.
He´s still active and sells a nwe botnet called butterfly flooder
Posted by: omfgwallhax | 2010.06.21 at 03:06 AM