Defence Intelligence has received quite a few responses to our story on the Mariposa botnet. They have run the gamut from polite information inquiries to accusations of falsifying our findings for media coverage, and thinly veiled threats of legal action. A response of our own has become necessary and we hope it at least answers some common questions many of you have asked.
Who is Defence Intelligence?
To begin with we are not an anti-virus company. We have spent the last 14 years protecting companies from hackers, not viruses. Until just a few years ago a virus and a hacker had very little to do with each other. Viruses are annoying and at times destructive but pose very little actual threat to a company or government’s information and its assets. A hacker’s goal on the other hand is to stealthily gain control of a targeted system with the intent of stealing data, attacking the internal network, or using the controlled system to attack an external network.
In the last few years these two distinct threats have blended. Hackers have discovered that direct external attacks are unnecessary and risky. It is now easier to engineer malicious software that is delivered to a system remotely through various means. Once that malicious software is on an internal computer, it then communicates outbound to the hacker, handing them complete control of the affected system.
When a system is compromised in this manner the attack is all too often misunderstood and dismissed as a mere virus, not just by the victim but by those providing that victim’s system security.
The Defence Intelligence team comes from an information security background, and not an anti-virus background, which means we view things differently. Within incident response, multiple events form an incident and events are constructed using various components. IP addresses, domain names, binaries, people, companies, and networks are all parts of this particular incident, which in this case, is a botnet.
What is Mariposa?
Mariposa is a collection of compromised computers that are directly under the control of a single malicious entity. In the security industry we call this a botnet.
Mariposa is NOT a virus, or a worm, or a trojan or any other dated designation still inappropriately assigned to modern day malware. The malicious software used by Mariposa, and any other botnet, actively evolves to become whatever is needed by its controller and is not limited by the boundaries of antivirus labels. This means that a trojan can be told to spread like a worm. It means that malware designed to send spam can be instructed to steal banking information.
Modern malware can no longer be classified by its perceived purpose or propagation method because those change in an instant. This software is engineered to gain access to and maintain control over the victim machine, and infiltrating a user’s computer is not difficult. Using a variety of software exploits and social engineering tactics, an attacker will find a way to distribute his malware to his victims.
Panda Security released a report this week showing that almost 60% of all PCs that scanned their computer this month had malware of some kind on their system.
Once the malware is on the system it seeks communication with its controlling entity. With communication to the controlling entity, any compromised machine can be capable of carrying out any order issued by the botnet controller and any data on the compromised machine can be extracted for use, sale or distribution by the attacker.
Why did you call it Mariposa?
Our naming of this botnet as Mariposa has been a cause of concern for some. The confusion comes when antivirus companies or those using antivirus, search for the Mariposa name only to find no results. This is because Mariposa refers to the botnet and not the malware it utilizes.
The malware used by Mariposa goes by many names, and this is part of the problem. Even amongst antivirus groups and within their own companies it is difficult to find a common name for any one family of malware. Below are some of the names attributed to binaries which are used within Mariposa that are detected by McAfee and Trend. This provides a quality example for the current confusion in botnet malware identification.
| McAfee | Trend |
| W32/Autorun.worm.zzq | WORM_AUTORUN.ZRO |
| W32/Virut.n.gen | WORM_Generic.DIT |
| Downloader-BQP | TROJ_Generic.DIT |
| W32/Autorun.worm.zzk | PE_VIRUX.A |
| PWS-Zbot | WORM_PALEVO.T |
| Generic.dx!dpk | WORM_PALEVO.AZ |
| Downloader-BRW | WORM_PALEVO.AS |
| W32/Virut.j | WORM_AUTORUN.EUC |
| W32/Autorun.worm.fq | WORM_AUTORUN.EPB |
| W32/Autorun.worm.c | TSPY_ZBOT.SMQ |
| W32/Autorun.worm!bf | PE_VIRUX.F-1 |
| Generic.dx!la | PE_VIRUX.E |
| Generic.dx!ha | PE_VIRUX.D |
| Generic.dx!dqe | PE_VIRUX.C-1 |
| PE_VIRUX.A-3 | |
| PE_VIRUT.AP | |
| BKDR_VOTWUP.D |
It is our hope that perhaps not in our terminology, but with our methodology, that Defence Intelligence can provide some guidance to improve upon the multiple naming convention, allowing a clearer arena for botnet discussion and understanding.
Why didn’t my AV pick this up?
Using signatures and automated classification, especially when involving heuristics, results in a cacophony of naming options for every distinct variant of a given piece of malware. That said, many AV companies have had the ability to detect some variations of the malware behind Mariposa long before we became aware of this botnet’s activity.
With our approach to compromise detection, utilized by our Nemesis software, we can detect the botnet which allows the organization to track down systems affected by the malware, regardless of the variant or antivirus identification ability. While AV companies look at single binaries and classify based upon discrete behavior of code, or the packer that is used to obfuscate the binary, we look at the threat holistically, a macro versus micro approach.
At Defence Intelligence we consider the code used within Mariposa as only one identifying factor. Command structure is another. This is defined by domain names, IP addresses, and communication protocols and the fluctuation of each. We also consider the end point organization or individual over the botnet, ultimately any indicator as to who is responsible for the formation and/or control of the hosts affected by this malware.
With perpetual addition of variants and updates, the reliance on AV detection to keep pace is not advised. Virustotal is a free web based service that analyzes files through multiple antivirus engines, revealing their detection capability of any suspected malware. The following is a virustotal output on one of the malicious binaries related to Mariposa.
| Antivirus | Version | Last Update | Result |
| a-squared | 4.5.0.24 | 2009.07.24 | – |
| AhnLab-V3 | 5.0.0.2 | 2009.07.24 | – |
| AntiVir | 7.9.0.228 | 2009.07.24 | – |
| Antiy-AVL | 2.0.3.7 | 2009.07.24 | – |
| Authentium | 5.1.2.4 | 2009.07.24 | – |
| Avast | 4.8.1335.0 | 2009.07.24 | – |
| AVG | 8.5.0.387 | 2009.07.24 | – |
| BitDefender | 7.2 | 2009.07.24 | – |
| CAT-QuickHeal | 10 | 2009.07.24 | – |
| ClamAV | 0.94.1 | 2009.07.24 | – |
| Comodo | 1742 | 2009.07.24 | – |
| DrWeb | 5.0.0.12182 | 2009.07.24 | – |
| eSafe | 7.0.17.0 | 2009.07.23 | Suspicious File |
| eTrust-Vet | 31.6.6637 | 2009.07.24 | – |
| F-Prot | 4.4.4.56 | 2009.07.23 | – |
| F-Secure | 8.0.14470.0 | 2009.07.24 | – |
| Fortinet | 3.120.0.0 | 2009.07.24 | – |
| GData | 19 | 2009.07.24 | – |
| Ikarus | T3.1.1.64.0 | 2009.07.24 | – |
| Jiangmin | 11.0.800 | 2009.07.24 | – |
| K7AntiVirus | 7.10.800 | 2009.07.23 | – |
| Kaspersky | 7.0.0.125 | 2009.07.24 | – |
| McAfee | 5686 | 2009.07.23 | – |
| McAfee+Artemis | 5686 | 2009.07.23 | – |
| McAfee-GW-Edition | 6.8.5 | 2009.07.24 | Heuristic.LooksLike.Worm.Palevo.B |
| Microsoft | 1.4903 | 2009.07.24 | – |
| NOD32 | 4273 | 2009.07.24 | – |
| Norman | 2009.07.22 | – | |
| nProtect | 2009.1.8.0 | 2009.07.24 | – |
| Panda | 10.0.0.14 | 2009.07.24 | – |
| PCTools | 4.4.2.0 | 2009.07.23 | – |
| Prevx | 3 | 2009.07.24 | – |
| Rising | 21.39.42.00 | 2009.07.24 | Trojan.Win32.DangerGL.a |
| Sophos | 4.44.0 | 2009.07.24 | Mal/EncPk-IY |
| Sunbelt | 3.2.1858.2 | 2009.07.23 | – |
| Symantec | 1.4.4.12 | 2009.07.24 | – |
| TheHacker | 6.3.4.3.373 | 2009.07.24 | – |
| TrendMicro | 8.950.0.1094 | 2009.07.24 | PAK_Generic.001 |
| VBA32 | 3.12.10.9 | 2009.07.24 | suspected of Malware-Cryptor.Win32.General.3 |
| ViRobot | 2009.7.24.1851 | 2009.07.24 | – |
| VirusBuster | 4.6.5.0 | 2009.07.23 | – |
| Additional information |
| File size: 123392 bytes |
| MD5 : 6939c088f59258da7410f66837c62192 |
| SHA1 : 500bb963602d45584303a4dc3f6fd6052a6752d8 |
| SHA256: 996c2667b2bcf86c9c7c20d7c79a3024131c84e0d82d5338db99812830ad778a |
As you can see, only 6 of the 41 antivirus groups was able to detect the malware. Once again, the naming is inconsistent. Given time however, most antivirus companies are able to identify the same binary.
| Antivirus | Version | Last Update | Result |
| a-squared | 4.5.0.24 | 2009.09.29 | P2P-Worm.Win32.Palevo!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.09.29 | – |
| AntiVir | 7.9.1.27 | 2009.09.29 | – |
| Antiy-AVL | 2.0.3.7 | 2009.09.29 | – |
| Authentium | 5.1.2.4 | 2009.09.29 | – |
| Avast | 4.8.1351.0 | 2009.09.28 | Win32:MalOb-H |
| AVG | 8.5.0.412 | 2009.09.29 | SHeur2.ASQE |
| BitDefender | 7.2 | 2009.09.29 | Trojan.Generic.2263367 |
| CAT-QuickHeal | 10.00 | 2009.09.29 | – |
| ClamAV | 0.94.1 | 2009.09.29 | – |
| Comodo | 2469 | 2009.09.29 | Heur.Suspicious |
| DrWeb | 5.0.0.12182 | 2009.09.29 | Trojan.Packed.541 |
| eSafe | 7.0.17.0 | 2009.09.29 | Suspicious File |
| eTrust-Vet | 31.6.6768 | 2009.09.29 | – |
| F-Prot | 4.5.1.85 | 2009.09.29 | – |
| F-Secure | 8.0.14470.0 | 2009.09.29 | Packed.Win32.Krap.y |
| Fortinet | 3.120.0.0 | 2009.09.29 | – |
| GData | 19 | 2009.09.29 | Trojan.Generic.2263367 |
| Ikarus | T3.1.1.72.0 | 2009.09.29 | P2P-Worm.Win32.Palevo |
| Jiangmin | 11.0.800 | 2009.09.27 | – |
| K7AntiVirus | 7.10.856 | 2009.09.29 | P2P-Worm.Win32.Palevo.jaz |
| Kaspersky | 7.0.0.125 | 2009.09.29 | Packed.Win32.Krap.y |
| McAfee | 5755 | 2009.09.28 | W32/Autorun.worm.zzq |
| McAfee+Artemis | 5755 | 2009.09.28 | W32/Autorun.worm.zzq |
| McAfee-GW-Edition | 6.8.5 | 2009.09.29 | Heuristic.LooksLike.Win32.NewMalware.B |
| Microsoft | 1.5005 | 2009.09.23 | VirTool:Win32/Obfuscator.FL |
| NOD32 | 4467 | 2009.09.29 | a variant of Win32/Kryptik.LR |
| Norman | 6.01.09 | 2009.09.29 | – |
| nProtect | 2009.1.8.0 | 2009.09.29 | Trojan/W32.Agent.123392.EB |
| Panda | 10.0.2.2 | 2009.09.28 | Trj/CI.A |
| PCTools | 4.4.2.0 | 2009.09.29 | – |
| Prevx | 3.0 | 2009.09.29 | Medium Risk Malware |
| Rising | 21.49.14.00 | 2009.09.29 | Trojan.Win32.DangerGL.a |
| Sophos | 4.45.0 | 2009.09.29 | Mal/EncPk-IY |
| Sunbelt | 3.2.1858.2 | 2009.09.29 | Trojan.Win32.Generic!BT |
| Symantec | 1.4.4.12 | 2009.09.29 | Spyware.Screenspy |
| TheHacker | 6.5.0.2.021 | 2009.09.28 | – |
| TrendMicro | 8.500.0.1002 | 2009.09.29 | WORM_AUTORUN.ZRO |
| VBA32 | 3.12.10.11 | 2009.09.29 | Malware-Cryptor.Win32.General.3 |
| ViRobot | 2009.9.29.1963 | 2009.09.29 | – |
| VirusBuster | 4.6.5.0 | 2009.09.29 | – |
File size: 123392 bytes MD5 : 6939c088f59258da7410f66837c62192 SHA1 : 500bb963602d45584303a4dc3f6fd6052a6752d8 SHA256: 996c2667b2bcf86c9c7c20d7c79a3024131c84e0d82d5338db99812830ad778a
So I just need to wait for an update to my AV then?
If malware were to remain static and unchanged an identification and removal option would eventually be provided by your antivirus of choice. At that point, however, the malware has likely fulfilled any of its initial goals and its removal would be a futile and meaningless task. Unfortunately, Mariposa does not use static malware.
Malware authors often update their code to evade detection as well as try different configurations, all of which result in a new malware variant. Mariposa has over 70 variants, resulting in a persistent and dynamic botnet.
One example is this update file recently dropped onto a compromised system as instructed by the Mariposa botnet controller. Virustotal shows that only two of the 41 AV groups currently detect it.
File svc.exe received on 2009.09.29 15:27:36 (UTC) Current status: finished Result: 2/41 (4.88%)
http://www.virustotal.com/analisis/7987d324cedbfeb9df94f7cbaf0ed2091431d6443c5b5fbff6ad7a7c380bf8d3-1254238056
A signature may soon come out for this code from your AV vendor, but by that time, a new piece of code may be written and downloaded that bypasses AV yet again.
Well, how do I stop this thing?
As IPs, ports, and domains involved in the command structure of Mariposa are changing, it becomes difficult for security administrators to mitigate the ability of this botnet. At this time we suggest an approach of tracking down the compromised systems rather than establish rules to block the communication to the botnet controller. UDP connections are still actively used for Mariposa communication, so observance of your network activity is the best place to start. If one system is frequently sending data across the outbound UDP protocol, regardless of port, mark it as suspicious and consider removing it from the network. Your own remediation technique is up to you but reimaging, though time consuming, is the only confident way to cleanse a compromised machine.
So what is Defence Intelligence doing about this?
As before we are contacting companies that have been affected by Mariposa. We also have other researchers and companies looking to help out in this mitigation effort and the formation of a small working group with these individuals is taking place. Updates on this and other Mariposa details will follow.
var gaJsHost = ((“https:” == document.location.protocol) ? “https://ssl.” : “http://www.”);
document.write(unescape(“%3Cscript src='” + gaJsHost + “google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E”));
try {
var pageTracker = _gat._getTracker(“UA-11400163-2”);
pageTracker._trackPageview();
} catch(err) {}