Mariposa Botnet

www.pandasecurity.com
Lessons Learned from Mariposa:
Avoiding Disaster, Protecting from
Cybercrime
Sean-Paul Correll
Threat Researcher
Panda Security, USA

May 2009
2

October 2009
3

Mariposa Working Group
Defence Intelligence
Panda Security
Georgia Tech Information Security Center
Neustar
Researchers who wish to remain anonymous
In collaboration with:
FBI
Spanish Civil Guard
4

Some of the DNS domain names
observed as C&C servers:
lalundelau.sinip.es
bf2back.sinip.es
thejacksonfive.mobi
butterfly.BigMoney.biz
bfisback.sinip.es
qwertasdfg.sinip.es
5

Early estimates
6
??????????
Command & Control
SPAIN
USA
100,000 – 200,000 Victims
PANAMA

www.pandasecurity.com7
??????????
Command & Control
SPAIN
USA
PANAMA
100,000 – 200,000 Victims SINKHOLE

Timeline
December 21st 2009
Spanish LE visit to CDMON (Spanish ISP)
December 23rd 2009
All C&C domains pointed to sinkhole:
Cdmon, ChangeIP, Directi, GetmyIP, DynDNS
December 24th 2009
New binary (2/24 @ VirusTotal) dropped.
8

Staying undetected…
9
The botnet operators used
Swedish VPN providers in order
to avoid physical detection.
The sinkhole caused the main
botnet operator to panic and
connect to the infrastructure
using his home DSL connection.

Panic at the disco!
C&C sinkhole panic allowed us to trace the
botnet operators Internet connection back to
Spain.
Spanish LE visits ISP to retrieve DSL customer
information
Time to make some arrests!
10

MWG: Let’s move on the arrest!
Spain LE: Not so fast!
Law enforcement roadblocks:
Owning a botnet is not illegal in Spain
Spanish law protects criminals
Forensic skills are not up to par
11

Timeline
January 22nd 2010
Bot master bribed CDMON tech support to
recover booster.estr.es for €500.
January 25th 2010
Bot master launches DDOS against Defence Intelligence
sustained 900MB/s traffic
February 3rd 2010
Bot master arrested at home by Spanish Civil Guard
12

What did we uncover after the arrest?
13

Stolen Credentials
• Personal information from over 1,000,000 victims
Credit Cards
Social Security numbers
Bank Accounts
Intranet credentials
Data from universities, banks, + half of Fortune 1000 companies
14
What did we uncover after the arrest?

Anti-detection/debugging tools…
16

Anti-detection/debugging tools
17

Licensing control system
18
Butterfly Bot Version
Licensing control UID

Builder packed with Themida
19

Timeline after initial arrest
February 10th 2010
Butterfly.bigmoney.biz recovered by Mariposa.
Moved C&C servers to Israeli & Chinese domain
registrars.
February 24th 2010
Ostiator & JonnyLoleante arrested
March 3rd 2010
Mariposa Final Takedown
20

Infections in 189 different countries

Top 10 infected countries
22

Infection statistics
31,901 infected towns and cities
23

Infection statistics
24
Over half of Fortune
1000’s infected
Over 40 banks infected

Why was Mariposa so successful?
25

Strong AV signature evasion + Botnet Infrastructure
26
+ =

Peer to Peer (P2P)
27

P2P – Strengths and Weaknesses
28
Low chance of infecting corporate
networks (perimeter blocking)
High chance of infecting home networks
(piracy)
APAC region had a high concentration of
infections. High risk due to rampant piracy.
65% of software is pirated in India according to
Business Software Alliance Study:
http://bit.ly/bLlN06

USB Distribution
29

USB – Strengths and Weaknesses
30
High chance of infection in corporate networks
USB enabled by default in most
organizations
Working from home introduces threats into
the workplace.
High chance of infection in home networks
We use USB devices every day
Knowledge of USB threat vector low

MSN Messenger
31

MSN Messenger
32

MSN Messenger – Strengths and Weaknesses
33
Moderate chance of infection in corporate networks
Sometimes used for interoffice communication
31% of businesses use instant messaging according to Nielson
40% of home users use instant messaging according to Nielson
MSN usage ranks high in most affected countries
Unique social engineering capability

Exploit Kits
34

Exploit kits– Strengths and Weaknesses
35
Moderate chance of infection in corporate networks
Operating system updates are most likely enforced via policy
Non system software updates are most likely not enforced via policy
Antivirus software installed by default
Operating system updates not always installed.
Non system software updates are almost never installed (unless forced)
Antivirus software may not be installed

Mariposa Botnet Control Software
36

Command and Control Software
37

Who are these guys?
44

Members Arrested
Netkairo, 31, Spain
Ostiator, 25, Spain
jonnyloleante, 30, Spain
45
DDP Team:
Dias De Pesadilla Team – Nightmare Days Team

What were their roles?
46

Butterfly Bot Packages
48

Butterfly Module Prices
49

How much money were they earning?
10,000€ / month (around each 3,000)
Ads
Pay per click
Renting portions of the botnet
Post data grabber (stealing credentials)
50

Monday, March 22nd
54

Commenting on the blog
57

Iuis_corrons following Luis_Corrons

D’oh!
62

What are we dealing with here?
63

The Slovenian Connection
64

Collateral Damage?
67
Dejan Janzekovic

Lessons Learned
Just shutting down botnet C&C’s does not stop the bad guys.
Arresting the bad guys doesn’t stop them either 
Signature based Antivirus detection isn’t good enough. Signatures
can take weeks to develop.
Cyber legislation needs significant improvements to adapt to the
current threat landscape situation
Communication with law enforcement is often one-way and
difficult, but results are better than simple shutdowns.
68

Thank you!
Sean-Paul Correll
Threat Researcher
Panda Security, USA
Twitter: http://twitter.com/lithium
E-mail: lithium@us.pandasecurity.com

Mariposa Botnet

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (13)

Semelhante a Mariposa Botnet

Semelhante a Mariposa Botnet (20)

Mariposa Botnet