New botnet alert – Mariposa (Oct 6, 2009)


SonicWALL UTM Research team observed reports of the Mariposa botnet, which, according to Defence Intelligence, has infiltrated half of the Fortune 100 companies. It has been speculated that this botnet was created from the Butterfly Bot Kit; it now consists of 200,000 infected hosts and infects 7,000 more hosts daily. More details can be found on their blog.

Mariposa is really a collection of different malware threats, detected under different names. For instance, F-Secure detects them as either Palevo or Vaklik.

Symantec has added detection for it as W32.Pilleuz.

When executed this threat has the following characteristics:

  • Spreads through removable drives and MSN instant messenger
  • Spreads through peer-to-peer file sharing by copying itself to shared folders for the following programs:
    • Ares
    • BearShare
    • DC++
    • eMule
    • iMesh
    • Kazaa
    • LimeWire
    • Shareaza
  • Gives the attacker control over the compromised system
  • Communicates with the following back-end servers:

SonicWALL Gateway AntiVirus provides protection against this botnet via various GAV signatures including: Small.DKC (Trojan), Agent.PT_7 (Trojan), CodecPack.HZE (Trojan), FakeRean (Trojan), Conficker.gen (Worm), Agent.IRB (Trojan), Malagent_2 (Trojan), Rimecud.B (Worm).

SonicWALL UTM Research team is monitoring the situation and will update the signatures as necessary to provide complete protection against this and other threats.
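The peer-to-peer spreading behaviour listed above (copies dropped into the shared folders of Ares, BearShare, DC++, eMule, iMesh, Kazaa, LimeWire and Shareaza) suggests a simple host-side audit. The following is an added example, not SonicWALL's or any vendor's code: it walks the share folders of those clients under a user profile and reports any executable found there. The folder names per client and the sample files are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path

# P2P clients named in the advisory. The share-folder names beneath the
# user's profile are assumptions for the example, not data from the advisory.
P2P_SHARE_DIRS = {
    "Ares": "Ares/My Shared Folder",
    "BearShare": "BearShare/Shared",
    "DC++": "DC++/Downloads",
    "eMule": "eMule/Incoming",
    "iMesh": "iMesh/My Shared Folder",
    "Kazaa": "Kazaa/My Shared Folder",
    "LimeWire": "LimeWire/Shared",
    "Shareaza": "Shareaza/Downloads",
}
# A worm copy named like "Movie.avi.exe" still ends in an executable suffix.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}

def audit_shared_folders(profile_root):
    """Sorted (client, relative path) pairs for executables in P2P share folders."""
    root = Path(profile_root)
    hits = []
    for client, rel in P2P_SHARE_DIRS.items():
        share = root / rel
        if not share.is_dir():
            continue  # client not installed or folder moved; nothing to check
        for path in share.rglob("*"):
            if path.is_file() and path.suffix.lower() in EXEC_EXTENSIONS:
                hits.append((client, path.relative_to(root).as_posix()))
    return sorted(hits)

def demo():
    """Build a constructed sample profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {  # constructed sample files, not real artifacts
            "eMule/Incoming/song.mp3": b"not a program",
            "eMule/Incoming/Movie.avi.EXE": b"MZ...",  # double extension
            "LimeWire/Shared/installer.scr": b"MZ...",
            "Ares/My Shared Folder/readme.txt": b"text",
        }
        for rel, data in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return audit_shared_folders(root)

if __name__ == "__main__":
    for client, path in demo():
        print(f"[{client}] executable in shared folder: {path}")
```

A hit is only a lead for triage (hash it and check it against current GAV signatures), since users do legitimately share installers.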
