Mariposa-inspired Butterfly botnet reported as having infected computers globally

News by Dan Raywood

A botnet called the Butterfly Bot Kit, which has infected individuals and corporations in at least 172 countries, has been described as 'larger than Mariposa'.


Botnet monitoring firm Unveillance said that Butterfly bot kit, also known as Palevo, Pilleuz or Rimecud, is the same software that was used to infect millions of computers in the Mariposa botnet and although a few of the domains used to control the botnet have been suspended, several domains remain live and are actively harvesting information stolen from victims with infected computers.

Unveillance researchers Matt Thompson and Meaghan Molloy, along with Mariposa Working Group partner Panda Security, have collected and analysed several thousand unique variants of malicious software associated with Butterfly bot.

The research found that Butterfly is polymorphic malware that spreads via removable drives such as USB keys and those infected often find themselves in a perpetual cycle of reinfection.

Talking to SC Magazine about the framework of Butterfly, Luis Corrons, technical director of PandaLabs, said that it allows any botmaster to run a Butterfly-type botnet and many have been created to infect computers globally.

Corrons, who was heavily involved with the takedown of Mariposa and met with the controllers, said that it was a distinctive botnet as it was heavily customised by the creator for the Spanish botmasters.

“The key here is that during the Mariposa case, we discovered a license control mechanism within the Butterfly bot client that is tied to the command and control server addresses. These licenses are in the form of botmaster nicknames, which are then again tied to the sales made to all botmasters who purchased a Butterfly botnet,” he said.

In early June, news reports from eastern Europe said that an operation by a law enforcement task force, including the FBI, Interpol, the Serbian Ministry of Internal Affairs and the Slovenian Police, had resulted in the arrest of two men charged with stealing several hundred thousand dollars while running a botnet.

Corrons said: “Since the Butterfly framework creator was arrested and his computers confiscated, it is safe to assume that law enforcement has a very good insight into who is running any Butterfly-based botnet out there.

“What is strange is that, given the above information being public since the Mariposa arrests last year in Spain and Slovenia, botmasters are still depending on the Butterfly framework to run their botnets. Obviously those botmasters are either not concerned about going to jail or just plain stupid.”

Corrons pointed at the cost options of the kits, with a basic option (containing external downloader, USB and MSN spreaders) costing €350, while the ultimate option costs €1,100.

Paul Wood, MessageLabs Intelligence senior analyst at Symantec Hosted Services, told SC Magazine that after investigation, he believes Mariposa, Butterfly and Pilleuz to be of the same ilk, but there was no increase of incidents around this in recent days or weeks.
