Claims have been made that the Mariposa botnet is still alive and that some of its command and control centres (CnC) are still active and spreading.
According to Haroon Malik at the FireEye malware intelligence lab, some Mariposa CnCs are still active and spreading. He pointed to a Mariposa sample communicating with its CnC, which had received a command to spread via USB.
He said: “It seems that either Spanish police have not been able to apprehend the entire Mariposa gang or the botnet CnC has some sort of auto-pilot mode. All this brings home a very important lesson in shutting down major botnets. Even if the bot masters are arrested, you still have to shut down the CnC. Unless that is done, the infrastructure is still there, it still lives, and it can continue to spread and cause harm.”
He asked who is currently operating this botnet if it is still alive: has it been taken over by a rival gang, are the original bot masters pulling the strings while in police custody, or is it simply operating on auto-pilot?
One commenter on his blog claimed that Mariposa was the name of one particular botnet that used the Butterfly bot malware. He said: “What you have here is a Butterfly malware botnet for sure. It is not Mariposa though. We suspect the unnamed botnet you are blogging about could be bigger than Mariposa ever was.”
Another commenter believed that Mariposa was sold: that ‘Iserdo’ coded it and sold a builder so that anyone could make a similar botnet. “There are dozens in the wild. He's still active and sells a new botnet called butterfly flooder,” they said.
PandaLabs' technical director Luis Corrons, who recently described his meeting with the botnet owners to SC Magazine, said that he did not have the particular sample in his hands, but commented on the Butterfly bot malware rumours.
He said: “I can tell you that the specific command that is mentioned there (alinfiernoya) was used in old versions of the butterfly bot used by the gang, but not in the current ones they were using when they were arrested.
“So in case the bot mentioned in that blog post is accepting that order, that would mean that it is not the Mariposa botnet, but a completely different one based on the same bot family as the one that was found in some Vodafone phones.”