Tuesday, January 1, 2013

Mariposa Botnet


Understanding bots as a technology has emerged as a critical skill in the information era. This article focuses on understanding Mariposa. The Mariposa botnet was reported by Defence Intelligence some time during May 2009, although Trend Micro says the worm existed as early as December 2008. The botnet was named after the Spanish word for "butterfly", as documented across the Internet. It silently enrolled almost 13 million computers in more than 190 countries.

The Mariposa architecture is connectionless by design, since it is based on the UDP protocol. The choice of UDP can be assumed to be motivated by covertness: in common practice, UDP traffic is not logged by firewalls and gateways the way TCP connections are. The bot carries two downloaders: the first downloads over HTTP, HTTPS and FTP, whereas the second downloads files over the ButterFly Network Protocol.
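The logging gap described above is also the defender's opportunity: UDP flows that are recorded can be checked for the regular beaconing a connectionless C&C channel produces. The Python below is an added example, not code from the original post or from any Mariposa analysis; the flow-record layout, the sample records and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed flow records: (timestamp_seconds, src, dst, proto, dport).
# These are made up for the example; they are not real Mariposa traffic.
FLOWS = [
    (0,   "10.0.0.5", "198.51.100.7", "udp", 5555),   # regular UDP beacon
    (60,  "10.0.0.5", "198.51.100.7", "udp", 5555),
    (121, "10.0.0.5", "198.51.100.7", "udp", 5555),
    (180, "10.0.0.5", "198.51.100.7", "udp", 5555),
    (240, "10.0.0.5", "198.51.100.7", "udp", 5555),
    (3,   "10.0.0.8", "10.0.0.1",     "udp", 53),     # ordinary DNS, excluded
    (9,   "10.0.0.8", "10.0.0.1",     "udp", 53),
    (70,  "10.0.0.8", "10.0.0.1",     "udp", 53),
    (71,  "10.0.0.8", "10.0.0.1",     "udp", 53),
    (0,   "10.0.0.9", "203.0.113.2",  "udp", 4444),   # irregular, not a beacon
    (10,  "10.0.0.9", "203.0.113.2",  "udp", 4444),
    (200, "10.0.0.9", "203.0.113.2",  "udp", 4444),
    (205, "10.0.0.9", "203.0.113.2",  "udp", 4444),
    (5,   "10.0.0.5", "198.51.100.7", "tcp", 443),    # TCP is out of scope here
]

# Ports whose UDP traffic is expected and would otherwise drown the signal.
WELL_KNOWN_UDP = frozenset({53, 67, 68, 123})


def find_udp_beacons(flows, min_flows=4, max_jitter=0.2, ignore=WELL_KNOWN_UDP):
    """Return [((src, dst, dport), mean_interval_seconds), ...] for UDP flow
    groups that repeat at a regular interval (coefficient of variation of the
    inter-arrival gaps at or below max_jitter)."""
    groups = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "udp" and dport not in ignore:
            groups[(src, dst, dport)].append(ts)

    hits = []
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = sum(gaps) / len(gaps)
        # A low spread relative to the mean gap is the beacon signature.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, round(avg, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for (src, dst, dport), interval in find_udp_beacons(FLOWS):
        print(f"{src} -> {dst}:{dport} every ~{interval}s")
```

Feed it real flow exports (NetFlow, IPFIX or firewall connection logs reduced to the same five fields) and tune the thresholds to the network's normal UDP chatter.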

The computers were hijacked after being infected by the polymorphic W32/Rimecud family of malware. Microsoft reports that Win32/Rimecud is a family of worms with multiple components that spreads via removable drives and instant messaging, and that it contains backdoor functionality allowing unauthorized access to an affected machine. The Mariposa bot toolkit comes with a built-in polymorphic engine that enables the bot-master to create encrypted bot code using different keys. More than 200 binaries of the Mariposa botnet have been found in the wild. Among these, Trend Micro says, what users should be most wary of are information stealers that compromise not just banking information but also a user's identity. Operators of the Mariposa botnet concealed their access to the central C&C servers behind anonymous VPN services to prevent trace-back. According to the literature, Mariposa botnet communication uses its own protocol, based on UDP.

Mariposa botnet malware infects through conventional techniques such as P2P networks, infected USB drives, and MSN links directing users to infected websites. Once infected by the Mariposa bot client, compromised machines would have various strains of malware installed (advanced keyloggers, banking trojans such as Zeus, remote access trojans, etc.) by the hackers to obtain greater control of the infected systems. Mariposa has the built-in capability to download and execute arbitrary executable programs on command. The malware can also update itself to new binary variants on the bot-master's command, thereby reducing or eliminating the detection rates of traditional host detection methods. The bot-master thus has the ability to alter the functionality and capability of the malicious software indefinitely, beyond what is implemented during the initial compromise.

Christopher Davis, chief executive officer of Defence Intelligence, called Mariposa “a highly sophisticated piece of malicious software” that appears to be very selective in its targets. The Mariposa Working Group was established to counter the botnet. The botnet was shut down on 23 December 2009. The Mariposa botnet, which has been dismantled, was easily one of the world's biggest.

References

  1. http://en.wikipedia.org/wiki/Internet_bot
  2. http://community.trendmicro.com/t5/Web-Threat-Spotlight/Mariposa-Botnet-Uses-AutoRun-Worms-to-Spread/ba-p/4596
  3. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Worm%3AWin32%2FRimecud.B

--

Dr.B.M
