Is the Mariposa botnet still functioning three months after it was shut down and its owners were arrested?

Claims have been made that the Mariposa botnet is still alive and that some of its command and control (CnC) centres are still active and spreading.

According to Haroon Malik at the FireEye malware intelligence lab, some Mariposa CnCs are still active and spreading. He pointed to a Mariposa sample that, while communicating with its CnC, had received a command to spread through USB.

He said: “It seems that either Spanish police have not been able to apprehend the entire Mariposa gang or the botnet CnC has some sort of auto-pilot mode. All this brings home a very important lesson in shutting down major botnets. Even if the bot masters are arrested, you still have to shut down the CnC. Unless that is done, the infrastructure is still there, it still lives, and it can continue to spread and cause harm.”

He asked who is currently operating this botnet if it is still alive: has it been taken over by some rival gang? Are the original bot masters pulling the strings while in police custody? Or is it simply operating on auto-pilot?

One commenter on his blog claimed that Mariposa was named for one particular botnet that used the Butterfly bot malware. He said: “What you have here is Butterfly malware botnet for sure. It is not Mariposa though. We suspect the un-named botnet you are blogging about could be bigger than Mariposa ever was.”

Another commenter believed that Mariposa was sold: that 'Iserdo' coded it and sold a builder so that anyone could make a similar botnet. “There are dozens in the wild. He's still active and sells a new botnet called butterfly flooder,” they said.

PandaLabs' technical director Luis Corrons, who recently described his meeting with the botnet owners to SC Magazine, said that he did not have a particular sample in his hands, but commented on the Butterfly bot malware rumours.

He said: “I can tell you that the specific command that is mentioned there (alinfiernoya) was used in old versions of the butterfly bot used by the gang, but not in the current ones they were using when they were arrested.

“So in case the bot mentioned in that blog post is accepting that order, that would mean that it is not the Mariposa botnet, but a completely different one based on the same bot family as the one that was found in some Vodafone phones.”
