Mariposa botnet explained

The Mariposa botnet, discovered in December 2008,[1] is a botnet mainly involved in cyberscamming and denial-of-service attacks.[2] [3] Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.[3] [4] [5]

History

Origins and initial spread

The botnet was originally created by the DDP Team (Spanish: Días de Pesadilla Team, English: Nightmare Days Team), using a malware program called "Butterfly bot", which was also sold to various individuals and organisations.[2] [6] The goal of this malware program was to install itself on an uninfected PC and monitor activity for passwords, bank credentials and credit cards.[2] After that, the malware would attempt to self-propagate to other reachable systems using various supported methods, such as MSN, P2P and USB.[7]

After completing its initial infection routine, the malware would contact a command-and-control server within the botnet. The controllers of the botnet could use this command-and-control server to issue orders to the botnet itself.[8]

Operations and impact

The operations executed by the botnet were diverse, in part because parts of the botnet could be rented by third-party individuals and organizations.[9] Confirmed activities include denial-of-service attacks, e-mail spam, theft of personal information, and changing the search results a browser would display in order to show advertisements and pop-up ads.[8] [10]

Due to the size and nature of a botnet, its total financial and social impact is difficult to calculate, but initial estimates calculated that the removal of the malware alone could cost "tens of millions of dollars".[8] [11] After the apprehension of the botnet's operators, government officials also discovered a list containing personal details on 800,000 individuals, which could be used or sold for identity theft purposes.[11]

The countries most infected by the botnet were India, Mexico, Brazil and South Korea.[12]

Dismantling

In May 2009 the Mariposa Working Group (MWG) was formed as an informal group, composed of Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with additional unnamed security researchers and law enforcement agencies. The goal of this group was the analysis and extermination of the Mariposa botnet itself.[8]

On 23 December 2009 the Mariposa Working Group managed to take control of the Mariposa Botnet, after seizing control of the command-and-control servers used by the botnet. The operational owners of the botnet eventually succeeded in regaining control over the botnet, and in response launched a denial-of-service attack on Defence Intelligence.[8] The attack itself managed to knock out Internet connectivity for a large share of the affected ISP's customers, which included several Canadian universities and government agencies.[13]

On 3 February 2010, the Spanish national police arrested Florencio Carro Ruiz (alias: Netkairo) as the suspected leader of the DDP Team. Two additional arrests were made on 24 February 2010. Jonathan Pazos Rivera (alias: Jonyloleante) and Juan José Ríos Bellido (alias: Ostiator) were arrested on the suspicion of being members of DDP.[3] [8] [14] [15] [16]

On 18 July 2010, Matjaž Škorjanc (alias: Iserdo), the creator of the "Butterfly bot" malware, was arrested in Maribor by Slovenian police for the first time,[17] but was released due to lack of evidence. He was arrested again in October 2011.[18] In December 2013 Škorjanc was convicted in Slovenia of "creating a malicious computer program for hacking information systems, assisting in wrongdoings and money laundering."[19] He was sentenced to 4 years and 10 months' imprisonment and fined 3,000 EUR ($3,000).[20] The court also ordered the seizure of Škorjanc's property acquired with the proceeds of crime.[21] After he appealed the verdict, his fine was raised in February 2015 by an additional 25,000 EUR.[22]

On 5 June 2019, US law enforcement opened a new case concerning the operations of the Mariposa (Butterfly Bot, BFBOT) malware gang. The FBI moved forward with new charges and arrest warrants against four suspects, including NiceHash's operator Matjaž Škorjanc.[23]

Notes and References

  1. "FBI arrests 'mastermind' of Mariposa botnet computer code". The Daily Telegraph, London, 28 July 2010. Retrieved 29 July 2010. Archived 8 October 2021: https://web.archive.org/web/20211008202947/https://www.telegraph.co.uk/technology/7913767/FBI-arrests-mastermind-of-Mariposa-botnet-computer-code.html
  2. Ali Zerdin. "Cyber mastermind arrested, questioned in Slovenia". Washington, D.C., 28 July 2010. Retrieved 29 July 2010. Archived 20 February 2011: https://web.archive.org/web/20110220065704/http://www.washingtontimes.com/news/2010/jul/28/cyber-mastermind-arrested-questioned-in-slovenia/
  3. "Suspected 'Mariposa Botnet' creator arrested". 28 July 2010. Retrieved 29 July 2010. Original link dead; archived 11 May 2011: https://web.archive.org/web/20110511115226/http://www2.canada.com/topics/technology/story.html?id=3333655
  4. Matt Thompson. "Mariposa Botnet Analysis" (PDF). 7 October 2009. Retrieved 29 July 2010. Archived 9 July 2011: https://web.archive.org/web/20110709010314/http://www.defintel.com/docs/Mariposa_Analysis.pdf
  5. Brian Krebs. "Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm". Krebs on Security. Retrieved 14 October 2014. Archived 19 October 2014: https://web.archive.org/web/20141019012949/http://krebsonsecurity.com/2010/05/accused-mariposa-botnet-operators-sought-jobs-at-spanish-security-firm/
  6. "FBI says cyber mastermind nabbed". The New Zealand Herald, 28 July 2010. Retrieved 29 July 2010.
  7. Peter Coogan. "The Mariposa/Butterfly Bot Kit". Symantec, 7 October 2009. Retrieved 29 July 2010. Archived 3 August 2010: https://web.archive.org/web/20100803162939/http://www.symantec.com/connect/blogs/mariposa-butterfly-bot-kit
  8. Luis Corrons. "Mariposa botnet". Panda Security, 3 March 2010. Retrieved 29 July 2010. Archived 1 August 2010: https://web.archive.org/web/20100801091639/http://pandalabs.pandasecurity.com/mariposa-botnet/
  9. "Massive Mariposa botnet shut down". Help Net Security, 3 March 2010. Retrieved 29 July 2010. Archived 10 May 2010: https://web.archive.org/web/20100510114618/http://net-security.org/secworld.php?id=8962
  10. Brian Krebs. "'Mariposa' Botnet Authors May Avoid Jail Time". Krebs on Security, 4 March 2010. Retrieved 29 July 2010. Archived 31 July 2010: https://web.archive.org/web/20100731150329/http://krebsonsecurity.com/2010/03/mariposa-botnet-authors-may-avoid-jail-time/
  11. "Spain busts ring accused of infecting 13 mln PCs". Reuters, 2 March 2010. Retrieved 29 July 2010. Archived 8 October 2021: https://web.archive.org/web/20211008202946/https://www.reuters.com/article/idUSN0218881320100302
  12. "13m users worldwide affected by Mariposa botnet". Help Net Security, 10 March 2010. Retrieved 2 September 2022. Archived 2 September 2022: https://web.archive.org/web/20220902182927/https://www.helpnetsecurity.com/2010/03/10/13m-users-worldwide-affected-by-mariposa-botnet/
  13. Teresa Larraz. "UPDATE 1-Spain busts ring accused of infecting 13 mln PCs". Reuters, 3 March 2010. Retrieved 29 July 2010. Archived 4 June 2010: https://web.archive.org/web/20100604234534/http://www.reuters.com/article/idUSTRE6214ST20100303
  14. Steve Ragan. "Mariposa botnet – 12.7 million bots strong – knocked offline". The Tech Herald, 3 March 2010. Retrieved 29 July 2010. Original link dead; archived 25 July 2010: https://web.archive.org/web/20100725032024/http://www.thetechherald.com/article.php/201009/5330/Mariposa-botnet-12-7-million-bots-strong-knocked-offline
  15. "Cyber mastermind arrested, questioned in Slovenia". Retrieved 29 July 2010.
  16. "FBI, Slovenian and Spanish Police Arrest Mariposa Botnet Creator, Operators". FBI National Press Office, Washington, D.C., 28 July 2010. Retrieved 27 December 2013. Archived 27 December 2013: https://web.archive.org/web/20131227210427/http://www.fbi.gov/news/pressrel/press-releases/fbi-slovenian-and-spanish-police-arrest-mariposa-botnet-creator-operators
  17. "FBI potrdil aretacijo štajerskega hekerja; ta že na prostosti" [FBI Confirms the Arrest of the Styrian Hacker; He Is Already at Large] (in Slovenian). 28 July 2010. Retrieved 2 March 2015. Archived 2 April 2015: https://web.archive.org/web/20150402093525/http://www.rtvslo.si/crna-kronika/fbi-potrdil-aretacijo-stajerskega-hekerja-ta-ze-na-prostosti/235675
  18. "Afera Mariposa: Škorjanc se ni želel zagovarjati" [Mariposa Affair: Škorjanc Refuses to Defend Himself] (in Slovenian). Delo.si, 6 August 2012. Retrieved 2 March 2015. Archived 2 April 2015: https://web.archive.org/web/20150402104435/http://www.delo.si/novice/kronika/afera-mariposa-skorjanc-se-ni-zelel-zagovarjati.html
  19. "Creator of Mariposa Botnet Sentenced to 58 Months in Prison". Security Week, 23 December 2013. Retrieved 27 December 2013. Archived 27 December 2013: https://web.archive.org/web/20131227074235/http://www.securityweek.com/creator-mariposa-botnet-sentenced-58-months-prison
  20. "Hacker sentenced for 'malicious' programme". IOL, 24 December 2013. Retrieved 27 December 2013. Archived 27 December 2013: https://web.archive.org/web/20131227203449/http://www.iol.co.za/scitech/technology/security/hacker-sentenced-for-malicious-programme-1.1626367
  21. "Mariposa botnet 'mastermind' jailed in Slovenia". BBC News, 24 December 2013. Retrieved 27 December 2013. Archived 27 December 2013: https://web.archive.org/web/20131227004804/http://www.bbc.co.uk/news/technology-25506016
  22. "Mariposa Botnet Hacker Fails with Appeal at Higher Court". Slovenian Press Agency, 5 February 2015. Original link dead; archived 8 March 2015: https://archive.today/20150308094953/http://www.sta.si/vest.php?id=2100646
  23. "Eight years later, the case against the Mariposa malware gang moves forward in the US". ZDNet, 11 June 2019. Retrieved 11 June 2019. Archived 8 October 2021: https://web.archive.org/web/20211008202946/https://www.zdnet.com/article/eight-years-later-the-case-against-the-mariposa-malware-gang-moves-forward-in-the-us/