Mariposa FAQ

In response to a number of questions, we have prepared a short Q&A.

Q. How big is the botnet?
A. We estimate there to be between 150 to 200k compromised systems across 40,000 unique networks.

Q. What does it do?
A. It is designed for information theft, stealing passwords and personal credentials, but malware like this can be configured to do anything the attacker wants.
Q. Who created it?
A. That is still being investigated and we will work with law enforcement on the details.

Q. What banks/companies are involved? Who have you talked with?
A. We can’t release any specific names. We have contacted or attempted to contact all critical groups affected.

Q. When did you find it?
A. We have been tracking it since May of this year.

Q. What does Defence Intelligence do?
A. We specialize in compromise detection and prevention.

Q. How does it spread?
A. By default, the malware is designed to spread across instant messenger programs, USB keys, and P2P networks.

Q. What is Mariposa’s growth rate?
A. It’s current growth rate is 7,000 new compromised systems each day.

Q. Does AV detect it?
A. With 70 variants, some of them will be detected and some won’t.

Q. How to detect and fix it?
A. Until AV catches up, removal techniques will have to be determined by the individual.

Half of Fortune 100 Companies
Compromised by New Information
Stealing Trojan

The Butterfly Effect: Say Hello to Mariposa

Defence Intelligence has been tracking the growth of a new information stealing botnet we’ve named Mariposa. 50 of the world’s Fortune 100 companies are actively participating in this botnet as well as hundreds of government agencies, financial institutions, universities and corporate networks worldwide.

Since its discovery in May of 2009 we’ve identified Mariposa activity in tens of thousands of unique corporate networks. Over 70 variants have been identified with varying degrees of security and purpose, including code injection into known processes, email address harvesting, and additional malware downloads. The purpose behind so many variants may only be functionality differences or efforts at avoiding AV detection, but it does not reveal the number of controllers or the exact motivation behind the overall threat.

Believed to stem from the butterfly bot kit, formerly sold at, this botnet is successfully spreading across thousands of corporate networks, just as it was designed to do. From the site, butterflybot is a

“Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]” The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]”

Other methods may now be in place for propagation as well as capabilities for the bf botkit, but the original add-on features included Firefox and IE password harvesting, and TCP/UDP flooding. NetBIOS worm propagation and email address harvesting also appear to have become common additions.


Analysis of this botnet has revealed only one commonly identifiable piece of information. Companies wishing to determine if they have been compromised can watch for DNS queries to the domain:

Additionally, monitor for high DNS query volume to domains containing the keywords of “butterfly” or “bf” and/or mass UDP connection attempts to any of the following IPs:

For further information regarding this botnet, please contact

Riding the Green Wave.

Considering how many people are talking about what is and is not good for the health of this planet and that everyone should be doing their part to help the environment, you shouldn’t be surprised to hear that even cyber crime is going green. Staying relevant and socially aware are key in effective malware propagation, so criminals are adding `green` gimmickry to their rogue AV sales pitch. The cyber criminals’ have marketing departments too. Cyber criminals have re-branded their fake antivirus software so that it appeals to the environmentalists by having an “Environment care program. $2 from every sale we make will be sent on saving green forests in Amazonia.” It seems they need to work on their English translations. They also claim that when your computer has malware on it, your machine slows down, which means that it takes you longer to do things, and it uses more power. Using Green AV, they say, will clean and speed up your computer so that you don’t need to go out and buy a new one! Wow, that is really nice of them, and for only $99USD !!! What a deal! I am saving the environment one piece of malware at a time. Of the people that do end up downloading the software it does an unrequested fake scan and shows you bogus results that indicate that your machine is infected with a plethora of various trojans and does the opposite of what they say it will do, opening up a backdoor for them to have complete control of your machine. It’s humorous that they have a picture of a secure lock at the top of the page that says “Secure SLL Connection 100% Privacy Guarantee.” I am unsure what an SLL connection is but I believe they mean SSL (Secure Socket Layer). 100% Privacy when giving your information to the criminals is also false security. I guess this is so other criminals can’t get your information… real secure. The criminal underworld has evolved over the years, offering various product improvements like bug testing, constant updates to avoid detection, and even Windows-like “send error report” pop-ups that send crash information back to the malware creator so they can improve on their faults. I hate to give credit to the enemy, but they seem to be doing a better job than most of the good guys that are trying to stop them. That being said, you should be scared, or if you are too proud to be scared, you should at least be concerned. With detection rates as low as they are, the AV companies are being overwhelmed by over thirty thousand new pieces of malware a day. A Finjan report from March estimated that fake antivirus distributors can make more than $10,000 a day. PandaLabs estimates there could be as many as 35 million computers infected per month with rogue antivirus programs. Fake antivirus software is everywhere and this environmentally focused approach will likely be ‘recycled’ by other criminal proponents of its spread. Remember though, just because it says it’s `green` it doesn’t mean it is good for you.B.Kilrea
Threat Analyst

The Future is Friendly

Just as so-called ‘early adopters’ and techno-geeks are always on the lookout for the latest and greatest in flashy technology, sophisticated botnet administration suites are the current must-have for cybercriminals. As bot malware becomes increasingly easy to propagate and successfully compromise massive network linked machines, the problem becomes not how to create a botnet, but how to control it. These administration suites provide better handling, control, and efficient management than their predecessors, giving their users a leg up on the competition.

The Fragus Exploit kit is a newcomer to the market, having improved upon the trend started by authors of such suites as the Liberty Exploit System and the Exp Eleonore Pack, Fragus is a grab bag of exploits for vulnerabilities in multiple software components. Similarities abound among these suites, from which vulnerabilities they exploit, to the layout and handling of the control panel, to the domains and IPs from which they can be downloaded. Liberty and Eleonore are both slightly older exploit kits whose latest versions have been updated to include much of the same functionality and easy-of-use as Fragus.

For the low price of 800 USD, Fragus is designed to simplify the administration of your bot network. It boasts support for English and Russian, statistical breakdowns of your botnet by browser, operating system (including version), by country, and by what’s euphemistically referred to as your “clients”.

Fragus comes pre-installed and ready to exploit:

MDAC – MS07-009, a vulnerability in MS Data Access Components which can allow remote code execution.

PDF – Targets 3 vulnerabilities in Acrobat Reader, util.printf, Collab.getIcon, and Collab.collectEmailInfo (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659, respectively)

DirectShow – MS09-032, exploits the MS Video (DirectShow) ActiveX Control vulnerability.

Internet Explorer – MS09-002, a critical vulnerability in IE7 that allows for memory corruption and remote code execution.

Spreadsheet – MS09-043, an ActiveX Control vulnerability is MS Office Web Components.

AOL WinAmp – another system vulnerable to an ActiveX Control exploit, (CVE-2007-6250)

Snapshot – MS08-041, an exploit targeted at MS Access Snapshot Viewer’s ActiveX Control vulnerability.

Flash – targets an integer flow vulnerability in Adobe Flash Player (CVE-2007-0071)

Some of the vulnerabilities have been patched for months or even years but their inclusion here indicates a high probability that numerous systems remain unpatched. Of greater interest is the MS09-043 vulnerability which, as of Fragus’ release, was only one month old. Increasingly, criminals are making use of recently released exploits. Obviously this tactic greatly increases their chances of success as many (if not most) people fall behind in their updates and will likely still be vulnerable to such a recent exploit.

For people concerned over spending $800 on an exploit pack only to have its payload identified by antivirus programs, for an extra $150 you will receive a proprietary encryption program specifically designed to evade detection.

Unsurprisingly, many of the domains and IPs at which Fragus is available have at one time or another hosted other sorts of malware, including the LIberty Exploit System, the Zeus trojan, and various other PDF and flash exploits.

The future of botnet administration is here now… and it sure is easy to use.

Meaghan Molloy
Threat Analyst
For a far more eloquent presentation of the facts, check out Paul Royal’s work at Purewire.