It seems that long after we identified and took down Mariposa, bad folks are still using the butterfly kit behind it to build large botnets.
There’s been some coverage around the EvilFistSquad/Metulji takedown recently, and given the relationship to Mariposa, I thought I’d say a few words.
A few points:
Mariposa is back?
EvilFistSquad/Metulji is not Mariposa. It is similar in intent and based on the same butterfly kit.
How big is it?
Like Mariposa, it’s impossible to tell for certain. Even if all command and control domains were seized, dynamic IPs, NATs/firewalls, etc. make it impossible to be sure. By all accounts, it’s big.
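To make the sizing problem concrete, here is an added example (not from the original post) that walks a constructed sinkhole beacon log and shows how one infected host cycling through addresses inflates a unique-IP count while several hosts behind one NAT address deflate it. The log format and the per-infection bot_id field are assumptions; a real sinkhole often records only the source IP, which is exactly why the number cannot be pinned down.

```python
# Added example: why a sinkhole's unique-IP count is a poor victim estimate.
# The log format and the per-infection 'bot_id' field are hypothetical.
from collections import defaultdict

# Constructed beacon log: timestamp, source IP, per-infection id.
# bot-a1 appears from three addresses (dynamic IP); four hosts share
# 198.51.100.5 (NAT gateway); bot-e5 is a plain one-host, one-IP case.
SINKHOLE_LOG = """\
2011-06-10T00:05:11 203.0.113.10 bot-a1
2011-06-10T06:12:40 203.0.113.77 bot-a1
2011-06-10T18:44:02 203.0.113.140 bot-a1
2011-06-10T01:00:09 198.51.100.5 bot-b2
2011-06-10T01:00:10 198.51.100.5 bot-c3
2011-06-10T01:00:12 198.51.100.5 bot-d4
2011-06-10T01:00:15 198.51.100.5 bot-f6
2011-06-10T02:30:00 192.0.2.200 bot-e5
"""


def parse_beacons(text):
    """Yield (timestamp, ip, bot_id) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield tuple(parts)


def size_estimates(text):
    """Return counts showing how IP-based and id-based estimates diverge."""
    ips_per_bot = defaultdict(set)
    bots_per_ip = defaultdict(set)
    for _, ip, bot_id in parse_beacons(text):
        ips_per_bot[bot_id].add(ip)
        bots_per_ip[ip].add(bot_id)
    # Hosts seen on several addresses inflate a naive unique-IP count.
    dynamic_hosts = sum(1 for ips in ips_per_bot.values() if len(ips) > 1)
    # Addresses shared by several hosts hide infections behind NAT.
    nat_gateways = sum(1 for bots in bots_per_ip.values() if len(bots) > 1)
    return {
        "unique_ips": len(bots_per_ip),
        "unique_bot_ids": len(ips_per_bot),
        "hosts_seen_on_multiple_ips": dynamic_hosts,
        "ips_shared_by_multiple_hosts": nat_gateways,
    }


if __name__ == "__main__":
    for key, value in size_estimates(SINKHOLE_LOG).items():
        print(f"{key}: {value}")
```

Without the id field only unique_ips is available, and the two opposing errors cannot be separated from it.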
Who is behind it?
The FBI and Interpol arrested two individuals earlier this month in connection with this botnet. It is unclear, but likely, that other operators are still at large.
Is it still active?
Some of the command and control domains have been taken down, but not all. Compromised systems are still losing data.
What we can learn from this:
What this takedown shows us is that you needn’t be technically proficient or even all that clever to amass millions of victims. Think about it:
The creator of butterfly was arrested and had his equipment seized. The authorities have all his transaction details and know who purchased the kit.
The botmasters raised suspicions by extravagant spending.
The botmasters used their real names and addresses in some cases.
As Luis Corrons from Panda was quoted as saying: “Obviously, those bot masters are either not concerned about going to jail or just plain stupid.”
This case also goes to show just how difficult these botnets can be to dismantle. Even when the malware is known, even when the attackers are less than gifted, it can still be incredibly difficult to take down a botnet. Mariposa was a rare slam dunk in that we were able to gain control of all of the C&C domains simultaneously and redirect them to our space.
Working with Panda and the FBI for the Mariposa takedown was a pleasure, and I’m glad to see that they’re staying on top of all the butterflies out there. This is another example of how law enforcement, researchers, and the private sector can work together to be more effective in the fight against online crime.
Congratulations to all those who worked on this; keep up the good fight.