Tuesday, March 2, 2010

Panda Security Collaborates on Shutdown of Massive Mariposa Botnet

The Mariposa botnet, a massive network of 13 million infected computers designed to steal sensitive information, has been shut down, and three suspected criminals accused of operating the botnet have been arrested by Spanish law enforcement.

According to IT security firms Panda Security and Defence Intelligence, Mariposa stole account information for social media sites and other online email services, usernames and passwords, banking credentials, and credit card data by infiltrating an estimated 12.7 million compromised personal, corporate, government and university IP addresses in more than 190 countries. The botnet was shut down and rendered inactive on December 23rd, 2009 thanks to the collaborative effort of different security experts and law enforcement, including Panda Security, Defence Intelligence, the FBI and the Spanish Guardia Civil.

"It would be easier for me to provide a list of the Fortune 1000 companies that weren't compromised, rather than the long list of those who were," stated Christopher Davis, CEO for Defence Intelligence, who first discovered the Mariposa botnet.

Highlights from Panda Security's preliminary analysis include:

  • Once a machine was infected by the Mariposa bot client, the botmaster installed additional malware (advanced keyloggers, banking trojans such as Zeus, remote access trojans, etc.) to add functionality on the zombie PCs.

  • The botmaster made money by selling parts of the botnet, installing pay-per-install toolbars, selling stolen credentials for online services and using the stolen banking credentials and credit cards to make transactions to overseas mules.

  • The Mariposa botnet spread extremely effectively via P2P networks, USB drives, and MSN links.

An interesting note -- in an apparent act of retaliation, a Distributed Denial of Service (DDoS) attack was launched against Defence Intelligence shortly after the botnet was shut down in December. The attack was powerful enough to affect one large Internet Service Provider, many of whose customers were knocked offline for several hours.

A short description of the Mariposa botnet software can be found at http://www.pandasecurity.com/homeusers/security-info/217587/ButterflyBot.A.