
Is the Mariposa botnet still functioning three months after it was shut down and its owners were arrested?


Claims have been made that the Mariposa botnet is still alive and that some command and control (CnC) centres are still active and spreading.

According to Haroon Malik at the FireEye malware intelligence lab, some Mariposa CnCs are still active and spreading. He pointed to a Mariposa sample communicating with its CnC which had received a command to spread through a USB.

He said: “It seems that either Spanish police have not been able to apprehend the entire Mariposa gang or the botnet CnC has some sort of auto-pilot mode. All this brings home a very important lesson in shutting down major botnets. Even if the bot masters are arrested, you still have to shut down the CnC. Unless that is done, the infrastructure is still there, it still lives, and it can continue to spread and cause harm.”

He asked who is currently operating this botnet if it is still alive: has it been taken over by some rival gang? Or are the original bot masters pulling the strings while in police custody? Or is it simply operating on auto-pilot?

One commenter on his blog claimed that Mariposa was the name of one particular botnet that used the Butterfly bot malware. He said: “What you have here is Butterfly malware botnet for sure. It is not Mariposa though. We suspect the un-named botnet you are blogging about could be bigger than Mariposa ever was.”

Another commenter believed that Mariposa was sold: that 'Iserdo' coded it and sold a builder so that anyone can make a similar botnet. “There are dozens in the wild. He's still active and sells a new botnet called butterfly flooder,” they said.

PandaLabs' technical director Luis Corrons, who recently described his meeting with the botnet owners to SC Magazine, said that he did not have a particular sample in his hands, but commented on the Butterfly bot malware rumours.

He said: “I can tell you that the specific command that is mentioned there (alinfiernoya) was used in old versions of the butterfly bot used by the gang, but not in the current ones they were using when they were arrested.

“So in case the bot mentioned in that blog post is accepting that order, that would mean that it is not the Mariposa botnet, but a completely different one based on the same bot family as the one that was found in some Vodafone phones.”
