This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Is the Mariposa botnet still functioning three months after it was shut down and its owners were arrested?

Share this article:

Claims have been made that the Mariposa botnet is still alive and some control and commands centre (CnC) are still active and spreading.

According to Haroon Malik at the FireEye malware intelligence lab, some Mariposa CnCs are still active and spreading. He pointed to a Mariposa sample communicating to its CnC which had received a command to spread through a USB.

He said: “It seems that either Spanish police have not been able to apprehend the entire Mariposa gang or the botnet CnC has some sort of auto-pilot mode. All this brings home a very important lesson in shutting down major botnets. Even if the bot masters are arrested, you still have to shut down the CnC. Unless that is done, the infrastructure is still there, it still lives, and it can continue to spread and cause harm.”

He asked who is currently operating this botnet, if it is still alive, and has it been taken over by some rival gang? Or are the original bot masters pulling the strings while in police custody? Or is it simply operating on auto-pilot?

One commenter on his blog claimed that Mariposa was named for one particular botnet that used the Butterfly bot malware. He said: “What you have here is Butterfly malware botnet for sure. It is not Mariposa though. We suspect the un-named botnet you are blogging about could be bigger than Mariposa ever was.”

While another commenter believed that Mariposa was sold, that ‘Iserdo' coded it and sold a builder so everyone can make a similar botnet. “There are dozens in the wild. He´s still active and sells a new botnet called butterfly flooder,” they said.

Commenting, PandaLabs' technical director Luis Corrons, who recently described his meeting with the botnet owners to SC Magazine, said that he did not have a particular sample in his hands, but commented on the Butterfly bot malware rumours.

He said: “I can tell you that the specific command that is mentioned there (alinfiernoya) was used in old versions of the butterfly bot used by the gang, but not in the current ones they were using when they were arrested.

“So in case the bot mentioned in that blog post is accepting that order, that would mean that it is not the Mariposa botnet, but a completely different one based on the same bot family as the one that was found in some Vodafone phones.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

WorldPay hacker sentenced to 11 years for role in £6 million scheme

WorldPay hacker sentenced to 11 years for role ...

An Estonian man, who helped hack payment processor RBS WorldPay in 2008, has now been sentenced to 11 years in prison for his involvement in the £5.9 (US$ 9.4 million) ...

'Sophisticated' Chinese hackers launched attacks against 43,000 computer systems

'Sophisticated' Chinese hackers launched attacks against 43,000 computer ...

A new report reveals that a Chinese cyber-espionage group is closely affiliated with government and carried out attacks against the likes of Fortune 500 companies and government agencies.

Hackers smuggle out stolen data disguised as videos

Hackers smuggle out stolen data disguised as videos

Around a dozen organisations, including at least one financial sector company, have been hit by a new form of hacking where attackers hide stolen corporate data inside video files that ...