Mariposa Botnet

www.pandasecurity.com

Lessons Learned from Mariposa: Avoiding Disaster, Protecting from Cybercrime

Sean-Paul CorrellThreat Researcher

Panda Security, USA

www.pandasecurity.com2

May 2009


October 2009


Mariposa Working Group

Defence IntelligencePanda SecurityGeorgia Tech Information Security CenterNeustarResearchers who wish to remain anonymous

In collaboration with:

FBISpanish Civil Guard


Some of the DNS domain names observed as C&C servers:

lalundelau.sinip.es

bf2back.sinip.es

thejacksonfive.mobi

butterfly.BigMoney.biz

bfisback.sinip.es

qwertasdfg.sinip.es


Early estimates

??????????

Command & Control

SPAIN

USA

100,000 – 200,000 Victims

PANAMA

UDP COMMUNICATION


??????????

Command & Control

SPAIN

USA

PANAMA

100,000 – 200,000 Victims SINKHOLE


TimelineDecember 21st 2009

Spanish LE visit to CDMON (Spanish ISP)

December 23rd 2009

All C&C domains pointed to sinkhole:

Cdmon, ChangeIP, Directi, GetmyIP, DynDNS

December 24th 2009

New binary (2/24 @ VirusTotal) dropped.


Staying undetected…

The botnet operators used Swedish VPN providers in order to avoid physical detection.

The sinkhole caused the main botnet operator to panic and connect to the infrastructure using his home DSL connection.


Panic at the disco!

C&C sinkhole panic allowed us to trace the botnet operators Internet connection back to Spain.

Spanish LE visits ISP to retrieve DSL customer information

Time to make some arrests!


MWG: Let’s move on the arrest!Spain LE: Not so fast!

Law enforcement roadblocks:

Owning a botnet is not illegal in Spain

Spanish law protects criminals

Forensic skills are not up to par


Timeline

January 22nd 2010

Bot master bribed CDMON tech support to recover booster.estr.es for €500.

January 25th 2010

Bot master launches DDOS against Defence Intelligence sustained 900MB/s traffic

February 3rd 2010

Bot master arrested at home by Spanish Civil Guard


What did we uncover after the arrest?


Stolen Credentials

• Personal information from over 1,000,000 victims

Credit Cards

Social Security numbers

Bank Accounts

Intranet credentials

Data from universities, banks, + half of Fortune 1000 companies

What did we uncover after the arrest?



Anti-detection/debugging tools…


Anti-detection/debugging tools


Licensing control systemButterfly Bot Version

Licensing control UID


Builder packed with Themida


Timeline after initial arrest

February 10th 2010Butterfly.bigmoney.biz recovered by Mariposa.

Moved C&C servers to Israeli & Chinese domain registrars.

February 24th 2010Ostiator & JonnyLoleante arrested

March 3rd 2010Mariposa Final Takedown


Infections in 189 different countries


Top 10 infected countries


Infection statistics

31,901 infected towns and cities


Infection statistics

Over half of Fortune 1000’s infected

Over 40 banks infected


Why was Mariposa so successful?


Strong AV signature evasion + Botnet Infrastructure

+ =


Peer to Peer (P2P)


P2P – Strengths and WeaknessesLow chance of infecting corporate networks (perimeter blocking)

High chance of infecting home networks (piracy)

APAC region had a high concentration of infections. High risk due to rampant piracy.

65% of software is pirated in India according to Business Software Alliance Study: http://bit.ly/bLlN06

http://bit.ly/bLlN06


USB Distribution


USB – Strengths and WeaknessesHigh chance of infection in corporate networks

USB enabled by default in most organizations

Working from home introduces threats into the workplace.

High chance of infection in home networks

We use USB devices every day

Knowledge of USB threat vector low


MSN Messenger


MSN Messenger


MSN Messenger – Strengths and Weaknesses

Moderate chance of infection in corporate networks

Sometimes used for interoffice communication

31% of businesses use instant messaging according to Nielson


40% of home users use instant messaging according to Nielson

MSN usage ranks high in most affected countries

Unique social engineering capability


Exploit Kits


Exploit kits– Strengths and Weaknesses

Moderate chance of infection in corporate networks

Operating system updates are most likely enforced via policy

Non system software updates are most likely not enforced via policy

Antivirus software installed by default


Operating system updates not always installed.

Non system software updates are almost never installed (unless forced)

Antivirus software may not be installed


Mariposa Botnet Control Software


Command and Control Software








Who are these guys?


Members Arrested

Netkairo, 31, Spain

Ostiator, 25, Spain

jonnyloleante, 30, Spain

DDP Team:

Dias De Pesadilla Team – Nightmare Days Team


What were their roles?



Butterfly Bot Packages


Butterfly Module Prices


How much money were they earning?

10,000€ / month (around each 3,000)

AdsPay per clickRenting portions of the botnetPost data grabber (stealing credentials)





Monday, March 22nd




Commenting on the blog





Iuis_corrons following Luis_Corrons


D’oh!


What are we dealing with here?CYBE

R KINGPINS

?

CYBER

IDIOTS


The Slovenian Connection




Collateral Damage?

Dejan Janzekovic


Lessons Learned

Just shutting down botnet C&C’s does not stop the bad guys.

Arresting the bad guys doesn’t stop them either

Signature based Antivirus detection isn’t good enough. Signatures can take weeks to develop.

Cyber legislation needs significant improvements to adapt to the current threat landscape situation

Communication with law enforcement is often one-way and difficult, but results are better than simple shutdowns.

www.pandasecurity.com

Thank you!Sean-Paul Correll

Threat ResearcherPanda Security, USA

Twitter: http://twitter.com/lithium E-mail: [email protected]

http://twitter.com/lithium

mailto:[email protected]

Documents

Mariposa Botnet