
Bringing down Mariposa

By Staff Writer, ITWeb
Johannesburg, 09 Mar 2010

How Mariposa worked

* Once a PC became infected with the Mariposa bot client, the botmaster installed different malware in order to gain additional functionality on the zombie PCs.
* The botmaster made money by selling parts of the botnet, installing pay-per-install toolbars, selling stolen credentials for online services, and using the stolen banking credentials and credit cards to make transactions to overseas mules.
* The Mariposa botnet spread extremely effectively via P2P networks, USB drives, and MSN links.

The Mariposa botnet, a massive network of infected computers designed to steal sensitive information, was recently shut down, according to IT security firms Defence Intelligence and Panda Security.

The battle, which began in May 2009, ended in the arrest of the suspected main botmaster, nicknamed 'Netkairo' and 'hamlet1917', as well as his immediate botnet operator partners, 'Ostiator' and 'Johnyloleante'.

The botnet was shut down and rendered inactive on 23 December last year, following the collaborative efforts of various security experts and enforcement agencies, including Panda Security, Defence Intelligence, the FBI, and Spain's Guardia Civil.

With almost 13 million compromised computers, Mariposa is one of the largest botnets on record, notes Panda Security. Mariposa stole account information for social media sites and e-mail services, usernames, passwords, banking credentials, and credit card data by infiltrating an estimated 12.7 million compromised personal, corporate, government and university IP addresses in more than 190 countries.

“Our preliminary analysis indicates the botmasters did not have advanced hacking skills. This is very alarming because it proves how sophisticated and effective malware software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss,” states Pedro Bustamante, senior researcher at Panda Security.

According to the security firm, the Mariposa Working Group has officially seized control of the communication channels used by Mariposa, effectively severing the botnet from its criminal creators.

In an apparent act of retaliation, a distributed denial of service attack was initiated against Defence Intelligence shortly after the botnet was shut down in December.

“We will continue to fight the threat of botnets and the criminals behind them,” says Christopher Davis, CEO for Defence Intelligence. “We'll start by dismantling their infrastructure and won't stop until they're standing in front of a judge,” he concludes.