Threat Research Blog

Mariposa Still Alive

In March earlier this year, Spanish police arrested three men

linked to the Mariposa botnet. After this move it was widely believed that the

massive botnet had shutdown.  From what I have seen over the last week,

that is not the case.  Some Mariposa CnCs are still active and spreading.  The screen shot below is a snapshot

of a Mariposa sample (ad7a5b6755089ba83001f224a7067ec1)

communicating to its CnC.  On this occasion it received a command to spread

through USB.



0000   00 03 ff 22 7f 48 90 e6 ba b8 8f 7a 08 00 45

00  ...".H.....z..E.

0010   00 22 00 00 40 00 35 11 97 fd ae 8a 3c 46 c0

a8  ."..@.5.....<F..

0020   02 55 d1 97 04 06 00 0e 10 b2 01 0a 70 e2 f9 c7  .U..........p...

0030   00 00 00 00 00 00 00 00 00 00 00 00              ............

0x01 0x0a 0x70 0xe2 0xf90x c7:

0x01 is the protocol opcode

0x0a 0x70 is the sequence number and the key to decrypt the message.

0xe2 0xf9 0xc7 is the encrypted message which decrypts to “11 75 31” or

11 u 1

The “u1” commands enables USB spreading.

It seems that either Spanish police have

not been able to apprehend the entire Mariposa gang or the botnet CnC has some

sort of auto-pilot mode.  This might seem bit star-warish to some but it isn’t

really that hard to do.  A simple implementation could be to program the CnC to

periodically change the commands.  All this brings home a very important lesson

in shutting down major botnets.  Even if the bot masters are arrested, you still

have to shut down the CnC.  Unless that is done, the infrastructure is still there,

it still lives, and it can continue to spread and cause harm.

How could Mariposa be shut down:

Step 1: Take over all Mariposa CnC DNS records. 

Make them resolve to a server in your control. This would require the

corporation of Domain name registration corporations, who are mostly

cooperative when there is clear evidence of malicious activity.

Step 2: Now that the Mariposa botnets are

connecting to your own server you have effectively taken over command of

the botnet.  You can choose to do nothing at this point, since the infected PC

won’t do anything because their CnC is silent.  This would leave a lot of

Mariposa zombies around the world doing nothing.  If you want to go

a step further and remove these zombies continue to step 3

Step 3: You can remove these zombies by

making them download a removal tool of sorts but in the case of Mariposa, one can remove these zombies without

actually having the zombies download anything.  There is a command in the Mariposa

CnC protocol called “alinfiernoya” which is Spanish and translates to “to hell now”.  This

command effectively removes the bot on the infected PC.  Beware, there are all sorts of legal issues around messing with someone else's system, even if you're trying to help.

Who is currently operating this Botnet?  Has it been taken over by some rival gang?  Are the original bot masters pulling the strings while in police custody?  Or is it simply operating on auto-pilot?

Haroon W Malik @ FireEye Malware Intelligence



Question/Comments : research SHIFT-2 fireeye DOT COM