Mariposa FAQ

In response to a number of questions, we have prepared a short Q&A.

Q. How big is the botnet?
A. We estimate there to be between 150 to 200k compromised systems across 40,000 unique networks.

Q. What does it do?
A. It is designed for information theft, stealing passwords and personal credentials, but malware like this can be configured to do anything the attacker wants.
Q. Who created it?
A. That is still being investigated and we will work with law enforcement on the details.

Q. What banks/companies are involved? Who have you talked with?
A. We can’t release any specific names. We have contacted or attempted to contact all critical groups affected.

Q. When did you find it?
A. We have been tracking it since May of this year.

Q. What does Defence Intelligence do?
A. We specialize in compromise detection and prevention.

Q. How does it spread?
A. By default, the malware is designed to spread across instant messenger programs, USB keys, and P2P networks.

Q. What is Mariposa’s growth rate?
A. It’s current growth rate is 7,000 new compromised systems each day.

Q. Does AV detect it?
A. With 70 variants, some of them will be detected and some won’t.

Q. How to detect and fix it?
A. Until AV catches up, removal techniques will have to be determined by the individual.

Half of Fortune 100 Companies
Compromised by New Information
Stealing Trojan

The Butterfly Effect: Say Hello to Mariposa

Defence Intelligence has been tracking the growth of a new information stealing botnet we’ve named Mariposa. 50 of the world’s Fortune 100 companies are actively participating in this botnet as well as hundreds of government agencies, financial institutions, universities and corporate networks worldwide.

Since its discovery in May of 2009 we’ve identified Mariposa activity in tens of thousands of unique corporate networks. Over 70 variants have been identified with varying degrees of security and purpose, including code injection into known processes, email address harvesting, and additional malware downloads. The purpose behind so many variants may only be functionality differences or efforts at avoiding AV detection, but it does not reveal the number of controllers or the exact motivation behind the overall threat.

Believed to stem from the butterfly bot kit, formerly sold at, this botnet is successfully spreading across thousands of corporate networks, just as it was designed to do. From the site, butterflybot is a

“Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]” The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]”

Other methods may now be in place for propagation as well as capabilities for the bf botkit, but the original add-on features included Firefox and IE password harvesting, and TCP/UDP flooding. NetBIOS worm propagation and email address harvesting also appear to have become common additions.


Analysis of this botnet has revealed only one commonly identifiable piece of information. Companies wishing to determine if they have been compromised can watch for DNS queries to the domain:

Additionally, monitor for high DNS query volume to domains containing the keywords of “butterfly” or “bf” and/or mass UDP connection attempts to any of the following IPs:

For further information regarding this botnet, please contact

Riding the Green Wave.

Considering how many people are talking about what is and is not good for the health of this planet and that everyone should be doing their part to help the environment, you shouldn’t be surprised to hear that even cyber crime is going green. Staying relevant and socially aware are key in effective malware propagation, so criminals are adding `green` gimmickry to their rogue AV sales pitch. The cyber criminals’ have marketing departments too. Cyber criminals have re-branded their fake antivirus software so that it appeals to the environmentalists by having an “Environment care program. $2 from every sale we make will be sent on saving green forests in Amazonia.” It seems they need to work on their English translations. They also claim that when your computer has malware on it, your machine slows down, which means that it takes you longer to do things, and it uses more power. Using Green AV, they say, will clean and speed up your computer so that you don’t need to go out and buy a new one! Wow, that is really nice of them, and for only $99USD !!! What a deal! I am saving the environment one piece of malware at a time. Of the people that do end up downloading the software it does an unrequested fake scan and shows you bogus results that indicate that your machine is infected with a plethora of various trojans and does the opposite of what they say it will do, opening up a backdoor for them to have complete control of your machine. It’s humorous that they have a picture of a secure lock at the top of the page that says “Secure SLL Connection 100% Privacy Guarantee.” I am unsure what an SLL connection is but I believe they mean SSL (Secure Socket Layer). 100% Privacy when giving your information to the criminals is also false security. I guess this is so other criminals can’t get your information… real secure. The criminal underworld has evolved over the years, offering various product improvements like bug testing, constant updates to avoid detection, and even Windows-like “send error report” pop-ups that send crash information back to the malware creator so they can improve on their faults. I hate to give credit to the enemy, but they seem to be doing a better job than most of the good guys that are trying to stop them. That being said, you should be scared, or if you are too proud to be scared, you should at least be concerned. With detection rates as low as they are, the AV companies are being overwhelmed by over thirty thousand new pieces of malware a day. A Finjan report from March estimated that fake antivirus distributors can make more than $10,000 a day. PandaLabs estimates there could be as many as 35 million computers infected per month with rogue antivirus programs. Fake antivirus software is everywhere and this environmentally focused approach will likely be ‘recycled’ by other criminal proponents of its spread. Remember though, just because it says it’s `green` it doesn’t mean it is good for you.B.Kilrea
Threat Analyst

The Future is Friendly

Just as so-called ‘early adopters’ and techno-geeks are always on the lookout for the latest and greatest in flashy technology, sophisticated botnet administration suites are the current must-have for cybercriminals. As bot malware becomes increasingly easy to propagate and successfully compromise massive network linked machines, the problem becomes not how to create a botnet, but how to control it. These administration suites provide better handling, control, and efficient management than their predecessors, giving their users a leg up on the competition.

The Fragus Exploit kit is a newcomer to the market, having improved upon the trend started by authors of such suites as the Liberty Exploit System and the Exp Eleonore Pack, Fragus is a grab bag of exploits for vulnerabilities in multiple software components. Similarities abound among these suites, from which vulnerabilities they exploit, to the layout and handling of the control panel, to the domains and IPs from which they can be downloaded. Liberty and Eleonore are both slightly older exploit kits whose latest versions have been updated to include much of the same functionality and easy-of-use as Fragus.

For the low price of 800 USD, Fragus is designed to simplify the administration of your bot network. It boasts support for English and Russian, statistical breakdowns of your botnet by browser, operating system (including version), by country, and by what’s euphemistically referred to as your “clients”.

Fragus comes pre-installed and ready to exploit:

MDAC – MS07-009, a vulnerability in MS Data Access Components which can allow remote code execution.

PDF – Targets 3 vulnerabilities in Acrobat Reader, util.printf, Collab.getIcon, and Collab.collectEmailInfo (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659, respectively)

DirectShow – MS09-032, exploits the MS Video (DirectShow) ActiveX Control vulnerability.

Internet Explorer – MS09-002, a critical vulnerability in IE7 that allows for memory corruption and remote code execution.

Spreadsheet – MS09-043, an ActiveX Control vulnerability is MS Office Web Components.

AOL WinAmp – another system vulnerable to an ActiveX Control exploit, (CVE-2007-6250)

Snapshot – MS08-041, an exploit targeted at MS Access Snapshot Viewer’s ActiveX Control vulnerability.

Flash – targets an integer flow vulnerability in Adobe Flash Player (CVE-2007-0071)

Some of the vulnerabilities have been patched for months or even years but their inclusion here indicates a high probability that numerous systems remain unpatched. Of greater interest is the MS09-043 vulnerability which, as of Fragus’ release, was only one month old. Increasingly, criminals are making use of recently released exploits. Obviously this tactic greatly increases their chances of success as many (if not most) people fall behind in their updates and will likely still be vulnerable to such a recent exploit.

For people concerned over spending $800 on an exploit pack only to have its payload identified by antivirus programs, for an extra $150 you will receive a proprietary encryption program specifically designed to evade detection.

Unsurprisingly, many of the domains and IPs at which Fragus is available have at one time or another hosted other sorts of malware, including the LIberty Exploit System, the Zeus trojan, and various other PDF and flash exploits.

The future of botnet administration is here now… and it sure is easy to use.

Meaghan Molloy
Threat Analyst
For a far more eloquent presentation of the facts, check out Paul Royal’s work at Purewire.

ConfickerC Update

OK just a quick update regarding ConfickerC numbers. 
I have seen published numbers that are all over the place *cough IBM/ISS cough*. 
Over the last 30 hours or so we recorded 9,795,101 raw (not unique IP) http connections to the sinkhole.
 As unique IPs go we recorded a total of 1,071,132 unique IPs from with in that 9+M. Now keep in mind, we have to think about DHCP churn, NAT (Firewalls, gateways, proxies, etc) So the number is obviously not a 100% true representation.  
Here is what the PER HOUR numbers look like from the sinkhole:


Something is rotten in the state of security.

Users of Symantec’s Norton AV have been reporting instances of a file named PIFTS.exe trying to connect out to the Norton updates.

This wouldn’t be news in and of itself, but it seems that Symantec doesn’t want to discuss the issue. All questions regarding PIFTS are removed from the message board within minutes of being posted. Some users have been banned after attempting to repost.

Since they can’t turn to Symantec for answers, many users have turned to the communal knowledge of the web. Unfortunately, the bad guys have also noticed the influx of searches for PIFTS.exe and some of the top results in Google are actually malicious, attempting to infect any visitors with rogue anti-virus Malware. DO NOT DOWNLOAD ANYTHING from those sites.

ThreatExpert has a breakdown of PIFTS and its attempt to phone home here

VirusTotal shows no hits

Brian Krebs @ The Washington Post is trying to get some answers.

SANS Internet Storm Center writes that they’ve been contacted by a Symantec employee who claimed ownership of the file and tried to make clear that it isn’t intended to do any harm.

Nice of them to respond…

But won’t they let people talk about it on the msg boards?

Why the secrecy Symantec?

**Update** (courtesy of Brian Krebs @ The Washington Post)

“David Cole, senior director of product management at Symantec, said the PIFTS file was part of a ‘diagnostics patch’ shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.”

As to why Symantec was deleting forums posts and banning users for mentioning PIFTS, Cole says, “hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.”

This is a lame excuse. Though the forums do seem to have been hit by the 4chan crowd, the first people to ask questions were very polite and straightforward. They asked simple questions, like ‘hey, how come part of your software wants to access the Internet?’

Not exactly ban-worthy behaviour.

A forum moderator could have simply (easily!) answered the question and closed the thread. Wouldn’t that have saved everyone a lot of trouble?

Coin Toss

Go. Read the article.

Anti-virus software vendors like to proclaim that their products achieve success rates in the 90%+ range. This is false and misleading.

It is inconceivable that end users (and many corporate entities) still believe that AV software is the catch all for security.

A 50% success rate is unacceptable. It is a coin toss – 50/50 chance – that your network is secure.

“The average delay in detection and remediation was 54 days.”

54 days?! Two months?!

The bottom line here is that Malware created for non-commercial purposes simply does not exist anymore. It hasn’t in over two years.

Modern Malware is specifically designed to operate quietly and unobtrusively for as long as possible. The bad guys are after our social insurance numbers, credit card numbers, bank account details, credit equity, customer lists, a jump on the quarterly earnings, our emails, online payment accounts, access to our social network of friends, ANYTHING they can get their hands on.

Think about it: the average delay in detection is 54 days. For almost two months the bad guys have access to your system.

This isn’t like having your house robbed.

It’s like having your house broken into and the robbers moving in and hiding in your closet for two months.

From home users to large corporate networks, we must – MUST – move beyond our tired notions of network security. The bad guys are always evolving, adapting their Malware to evade detection and improve levels of compromise. Why haven’t the good guys evolved?

The numbers speak for themselves:

“About 3 to 5 percent of all systems in an enterprise are infected with bot-related malware — even within organizations running up-to-date antimalware tools.”

“Antivirus software immediately discovered only 53 percent of malware samples.”

“Another 32 percent were found later on, and 15 percent were not detected at all.”

Now you may be thinking that 15% doesn’t sound like a lot, that maybe that’s an acceptable level of risk. Consider this:

Security researchers around the world analyze anywhere from 20-30,000 pieces of Malware every day. Every day!

The Shadowserver Foundation has analyzed over 19 million Malware samples in the past 12 months alone.

15% of 19 million is a big number.

You really want to take that chance?

Is your computer watching you?

SecureWorks has a posting up discussing the Ozdok/Mega-D trojan and its ability to capture screenshots on the systems it’s infected. We’ve been talking about this for months! Ozdok is certainly not the only trojan with this ability, and the researchers are specifically talking about screenshots, but what about systems with webcams?

Think the bad guys know how to turn those on?

Check out the video posted in our Facebook group and find out!


We’re opening the office doors:

Defintel’s on Twitter. Check it out, drop us a line.

Facebook too. Join the Defintel group for botnet building videos, photos, and a chance to ask us questions about computers, security, videos games, comics, and just about anything else.

From the whole Definel team: