The Mariposa Botnet: How It Worked and Was Stopped

Author

Reads 9.6K

Mariposa
Credit: pexels.com, Mariposa

The Mariposa botnet was a massive cyber threat that wreaked havoc on the internet in 2009. It was estimated to have infected over 12 million computers worldwide.

The botnet was created by a group of hackers known as "The Pack", who used a complex system of command and control servers to manage the infected computers. These servers were located in over 2,000 different IP addresses across the globe.

The Mariposa botnet was designed to steal sensitive information such as login credentials, credit card numbers, and online banking details. It did this by installing a keylogger on infected computers, which recorded every keystroke made by the user.

The botnet was also used to spread malware and conduct DDoS attacks on its victims.

Malware Details

The Mariposa botnet was a highly dynamic threat, with its C2 operators frequently updating their code to evade detection or implement new features. This made it difficult for organizations to keep up with the malware's evolution.

Credit: youtube.com, CIC News 11-08-2012: Anonymous,F-Secure,Mariposa

One of the malware files associated with Mariposa was "schl.exe", a dropper that was found in deleted files on a system at USUTIL1. The file was discovered as part of the company's internal investigation into the malware.

The malware also dropped other files, including "jack.exe" and "config.inf", which were found on multiple systems that were attempting to make UDP connections with systems outside of their firewall. This suggests that the malware was designed to spread quickly and evade detection.

Malware Files

The Mariposa malware uses a variety of files to carry out its malicious activities.

One of the malware files is "schl.exe", which is a dropper.

Another file associated with Mariposa is "jack.exe", a dropped file.

Additionally, "config.inf" and "desktop.ini" are also dropped files.

It's worth noting that "desktop.ini" is a 0-byte file located at the source of the originally executed file.

These files are not the only ones associated with Mariposa, as botnets, including Mariposa, are highly dynamic and frequently updated to evade detection or implement new features.

For example, "blackjackson.exe" has also been identified as a file associated with Mariposa, providing it with distributed denial-of-service (DDoS) capability by using the BlackEnergy DDoS bot.

See what others are reading: DDoS Attacks on Dyn

Domain Names Used as C2 Servers

Credit: youtube.com, Real world examples of malware using DNS for exfiltration and C&C channels

Domain names can be used as command and control servers, which are a type of malware that allows attackers to remotely control infected devices.

These servers are often disguised as legitimate websites, making it difficult to detect them. For example, the domain name "bf2back.sinip.es" has been observed as a C2 server.

Some C2 servers are hosted on free or low-cost domain name registrars, making them easier to set up and maintain. Others are hosted on more traditional registrars.

The following domain names have been identified as C2 servers:

  • bf2back.sinip.es
  • bfisback.no-ip.org
  • binaryfeed.in
  • booster.estr.es
  • butterfly.BigMoney.biz
  • defintelsucks.com
  • defintelsucks.net
  • gusanodeseda.mobi
  • gusanodeseda.net
  • legionarios.servecounterstrike.com
  • mierda.notengodominio.com
  • sexme.in
  • shv4.no-ip.biz
  • tamiflux.net
  • tamiflux.org
  • thejacksonfive.biz
  • youare.sexidude.com
  • yougotissuez.com

Infection and Control

The Mariposa botnet was a massive network of compromised computers that was used for various malicious activities, including spreading malware and stealing sensitive information.

It's estimated that the botnet infected over 12 million computers worldwide, making it one of the largest botnets ever discovered.

The botnet was controlled through a central command and control (C2) server, which allowed the attackers to remotely manage the infected computers and carry out their malicious activities.

Credit: youtube.com, Mariposa Botnet Demo

The C2 server was located in Brazil and was used to distribute malware, steal sensitive information, and even hijack online banking sessions.

The malware used by the Mariposa botnet was designed to steal sensitive information, including login credentials, credit card numbers, and other personal data.

Infected computers were often used to spread spam and phishing emails, which were used to trick victims into revealing their sensitive information.

The Mariposa botnet was eventually dismantled in 2009, but not before it had caused significant damage and stolen sensitive information from millions of computers worldwide.

The takedown of the botnet was the result of a joint effort by law enforcement agencies from around the world, who worked together to identify and disrupt the C2 server.

Dismantling and Operations

The Mariposa botnet was a massive operation that was eventually dismantled by a group of security researchers and law enforcement agencies.

The Mariposa Working Group, formed in May 2009, successfully took control of the botnet on December 23, 2009, by seizing the command-and-control servers used by the botnet.

Check this out: Anti-Spam Research Group

Credit: youtube.com, How to Stop an Army of 14 Million Zombie Computers🎙Darknet Diaries Ep. 94: Mariposa Botnet

However, the operational owners of the botnet regained control and launched a denial-of-service attack on Defence Intelligence, knocking out internet connectivity for a large share of the ISP's customers, including several Canadian universities and government agencies.

The suspected leader of the DDP Team, Florencio Carro Ruiz, was arrested on February 3, 2010, and two additional members, Jonathan Pazos Rivera and Juan José Ríos Bellido, were arrested on February 24, 2010.

Matjaž Škorjanc, the creator of the "Butterfly bot" malware, was arrested in 2011 and later convicted in Slovenia of creating malicious computer programs and money laundering, receiving a 4-year and 10-month sentence and a fine of €3,000.

Callbacks

Callbacks are a crucial part of the malware's communication system.

The initial outbound packet is 49 bytes to hnox.org or socksa.com, using UDP port 21039.

This packet is used to establish the C2 channel, which is a key part of the malware's operation.

The C2 server responds from 21039 to the same local port, with a UDP packet of varying length and encrypted payload.

This response packet is consistent with the Mariposa botnet's command syntax, indicating a possible connection to that malware family.

The encrypted payload suggests that the communication is secure, but also makes it difficult to intercept and analyze the data being exchanged.

Dismantling

Investigators and Arrested Criminal Inside the Room
Credit: pexels.com, Investigators and Arrested Criminal Inside the Room

The Mariposa Working Group was formed in May 2009 as an informal group to analyze and dismantle the Mariposa botnet.

The group consisted of Defence Intelligence, the Georgia Tech Information Security Center, and Panda Security, along with additional unnamed security researchers and law enforcement agencies.

On 23 December 2009, the Mariposa Working Group successfully took control of the Mariposa Botnet by seizing the command-and-control servers used by the botnet.

The operational owners of the botnet regained control and launched a denial-of-service attack on Defence Intelligence, knocking out internet connectivity for many of its customers, including several Canadian universities and government agencies.

Florencio Carro Ruiz, alias Netkairo, was arrested on 3 February 2010 as the suspected leader of the DDP Team.

Jonathan Pazos Rivera, alias Jonyloleante, and Juan José Ríos Bellido, alias Ostiator, were arrested on 24 February 2010 as suspected members of DDP.

Matjaž Škorjanc, the creator of the "Butterfly bot" malware, was arrested in Maribor by Slovenian police in July 2010, but released due to lack of evidence.

He was arrested again in October 2011 and eventually convicted in December 2013 of creating a malicious computer program and money laundering.

A different take: Anti-Phishing Working Group

Operations and Impact

Virus Logo on a Computer Screen
Credit: pexels.com, Virus Logo on a Computer Screen

The operations executed by the botnet were diverse, in part because parts of the botnet could be rented by third-party individuals and organizations.

Confirmed activities include denial-of-service attacks, email spam, theft of personal information, and changing the search results a browser would display in order to show advertisements and pop-up ads.

The total financial and social impact of the botnet was difficult to calculate, but initial estimates calculated that the removal of the malware alone could cost "tens of millions of dollars".

A list containing personal details on 800,000 individuals was discovered by government officials, which could be used or sold for identity theft purposes.

The countries most infected by the botnet were India, Mexico, Brazil, and South Korea.

Technical Details

Mariposa botnet malware was first discovered in 2010 when a US utility company's employee visited another utility company's office with an infected laptop. The malware had gone undetected by the company's network defense mechanisms.

Credit: youtube.com, PandaLabs reveals the keys of Mariposa Botnet YouTube

The initial infection vector was likely a USB drive shared at an industry conference. An instructor had shared a USB drive among participants at a training event attended by the employee, who then brought the malware back to his company's network.

The malware was able to spread to multiple business systems, but fortunately, none of the company's control systems were affected. The malware file "Schl.exe" was found in deleted files on one system, indicating that the malware had been present but had been deleted.

The Mariposa malware was observed using the following UDP ports: 343134355907343334372103934345906

Outbound Command and Control Attempts

The Mariposa malware was observed making UDP C2 connections with various IP addresses, indicating an attempt to communicate with its command and control center.

ICS-CERT identified several IP addresses that were being targeted by the malware, including 24.173.86.145, 67.210.170.32, and 92.241.165.162.

These IP addresses were being used by the malware to send and receive commands, allowing its creators to remotely control infected systems.

Here's a list of the IP addresses that were observed being targeted by the malware:

  • 24.173.86.145
  • 67.210.170.32
  • 92.241.165.162
  • 62.128.52.191
  • 74.208.162.142
  • 200.74.244.84
  • 66.197.176.41
  • 76.73.56.12
  • 204.16.173.30
  • 67.210.170.131
  • 87.106.179.75

Dns Lookups

Credit: youtube.com, What Is A DNS Lookup And How Do I Perform One? - TheEmailToolbox.com

DNS lookups are a crucial part of the internet's infrastructure. They're like a phonebook for the internet, helping your device find the IP address associated with a domain name.

A DNS lookup typically takes around 20-120 milliseconds to complete, although this can vary depending on the speed of your internet connection and the complexity of the lookup.

The average person performs around 100 DNS lookups per day, without even realizing it. This is because many websites and online services rely on DNS lookups to function properly.

A single DNS lookup can involve multiple servers and networks, making it a complex process. This is why it's essential to have a fast and reliable DNS service to ensure smooth internet browsing.

The most common type of DNS lookup is an A record lookup, which returns the IP address associated with a domain name. This is the most common type because it's used by most websites and online services.

DNS lookups can also be affected by the type of DNS protocol used. For example, DNS over HTTPS (DoH) is a more secure protocol that encrypts DNS traffic, making it more resistant to tampering and eavesdropping.

If this caught your attention, see: Fighting Internet and Wireless Spam Act

Schl Exe

Crop hacker silhouette typing on computer keyboard while hacking system
Credit: pexels.com, Crop hacker silhouette typing on computer keyboard while hacking system

Schl Exe is a malware file associated with the Mariposa botnet. It was found in deleted files on one system during USUTIL1's internal investigation.

The file "Schl.exe" is identified as a dropper, which is a type of malware that downloads and installs additional malicious files. This is a key characteristic of the Mariposa botnet.

USUTIL1's investigation found that the Schl.exe file was attempting to make UDP connections with systems outside of their firewall. This suggests that the malware was trying to communicate with its command and control (C2) servers.

The Schl.exe file is associated with the following domains and IP addresses: hnox.org (92.241.165.162), socksa.com (92.241.164.82), and ronpc.net (92.241.164.82), all using UDP port 21039.

Episodes and Miscellaneous

The Mariposa botnet was a massive network of compromised computers that spread malware through phishing emails and exploited vulnerabilities in software.

It operated from 2007 to 2009, with the peak of its activity in 2008.

The botnet was estimated to have infected over 12 million computers worldwide.

Credit: youtube.com, COMPRENDRE LES BOTNETS | Armes de guerre numérique [🛡️ VULINFO]

Mariposa was used to steal sensitive information, including login credentials and credit card numbers.

The malware was able to spread through a vulnerability in the Windows operating system and also through social engineering tactics.

The botnet was dismantled in 2009 by law enforcement agencies in several countries.

The operation involved the coordination of over 100 law enforcement agencies worldwide.

The takedown of Mariposa was a significant achievement, demonstrating the effectiveness of international cooperation in combating cybercrime.

Wm Kling

Lead Writer

Wm Kling is a seasoned writer with a passion for technology and innovation. With a strong background in software development, Wm brings a unique perspective to his writing, making complex topics accessible to a wide range of readers. Wm's expertise spans the realm of Visual Studio web development, where he has written in-depth articles and guides to help developers navigate the latest tools and technologies.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.