Mariposa botnet

The Mariposa botnet, discovered in December 2008, [1] is a botnet mainly involved in cyberscamming and denial-of-service attacks. [2] [3] Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses, or up to 1 million individual zombie computers, infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets. [3] [4] [5]

History

Origins and initial spread

The botnet was originally created by the DDP Team (Spanish: Días de Pesadilla Team, English: Nightmare Days Team), using a malware program called "Butterfly bot", which was also sold to various individuals and organisations. [2] [6] Once installed on a PC, the malware monitored user activity to harvest passwords, bank credentials and credit card numbers. [2] It would then attempt to self-propagate to other reachable systems using its supported spreading methods, such as MSN, P2P and USB. [7]

After completing its initial infection routine, the malware would contact a command-and-control server within the botnet. The botnet's controllers used this server to issue orders to the infected machines. [8]

Operations and impact

The operations executed by the botnet were diverse, in part because parts of the botnet could be rented by third-party individuals and organizations. [9] Confirmed activities include denial-of-service attacks, e-mail spam, theft of personal information, and altering the search results a browser displayed in order to show advertisements and pop-up ads. [8] [10]

Due to the size and nature of the botnet, its total financial and social impact is difficult to calculate, but initial estimates put the cost of removing the malware alone at "tens of millions of dollars". [8] [11] After the botnet's operators were apprehended, government officials also discovered a list containing personal details of 800,000 individuals, which could be used or sold for identity theft. [11]

The countries most infected by the botnet were India, Mexico, Brazil and South Korea. [12]

Dismantling

In May 2009 the Mariposa Working Group (MWG) was formed as an informal group composed of Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with additional unnamed security researchers and law enforcement agencies. The group's goal was to analyse and dismantle the Mariposa botnet. [8]

On 23 December 2009 the Mariposa Working Group took control of the Mariposa botnet after seizing the command-and-control servers it used. The botnet's operators eventually regained control and, in response, launched a denial-of-service attack on Defence Intelligence. [8] The attack knocked out Internet connectivity for a large share of the affected ISP's customers, which included several Canadian universities and government agencies. [13]

On 3 February 2010, the Spanish national police arrested Florencio Carro Ruiz (alias: Netkairo) as the suspected leader of the DDP Team. Two additional arrests were made on 24 February 2010: Jonathan Pazos Rivera (alias: Jonyloleante) and Juan José Ríos Bellido (alias: Ostiator) were arrested on suspicion of being members of DDP. [3] [8] [14] [15] [16]

On 18 July 2010, Matjaž Škorjanc (alias: Iserdo), the creator of the "Butterfly bot" malware, was arrested for the first time in Maribor by Slovenian police, [17] but was released due to lack of evidence. He was arrested again in October 2011. [18] In December 2013 Škorjanc was convicted in Slovenia of "creating a malicious computer program for hacking information systems, assisting in wrongdoings and money laundering." [19] He was sentenced to 4 years and 10 months imprisonment and fined 3,000 EUR ($3,000). [20] The court also ordered the seizure of Škorjanc's property acquired with the proceeds of crime. [21] After he appealed the verdict, his fine was raised in February 2015 by an additional 25,000 EUR. [22]

On 5 June 2019, US law enforcement opened a new case concerning the operations of the Mariposa (Butterfly Bot, BFBOT) malware gang. The FBI moved forward with new charges and arrest warrants against four suspects, including NiceHash's operator Matjaž Škorjanc. [23]

References

  1. "FBI arrests 'mastermind' of Mariposa botnet computer code". The Daily Telegraph. London. 28 July 2010. Archived from the original on 8 October 2021. Retrieved 29 July 2010.
  2. Zerdin, Ali (28 July 2010). "Cyber mastermind arrested, questioned in Slovenia". The Washington Times. Washington, D.C. Archived from the original on 20 February 2011. Retrieved 29 July 2010.
  3. "Suspected 'Mariposa Botnet' creator arrested". canada.com. 28 July 2010. Archived from the original on 11 May 2011. Retrieved 29 July 2010.
  4. Thompson, Matt (7 October 2009). "Mariposa Botnet Analysis" (PDF). Defintel. Archived (PDF) from the original on 9 July 2011. Retrieved 29 July 2010.
  5. Krebs, Brian. "Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm". Archived from the original on 19 October 2014. Retrieved 14 October 2014.
  6. "FBI says cyber mastermind nabbed". The New Zealand Herald. 28 July 2010. Retrieved 29 July 2010. [dead link]
  7. Coogan, Peter (7 October 2009). "The Mariposa/Butterfly Bot Kit". Symantec. Archived from the original on 3 August 2010. Retrieved 29 July 2010.
  8. Corrons, Luis (3 March 2010). "Mariposa botnet". Panda Security. Archived from the original on 1 August 2010. Retrieved 29 July 2010.
  9. "Massive Mariposa botnet shut down". Help Net Security. 3 March 2010. Archived from the original on 10 May 2010. Retrieved 29 July 2010.
  10. Krebs, Brian (4 March 2010). "'Mariposa' Botnet Authors May Avoid Jail Time". Krebs on Security. Archived from the original on 31 July 2010. Retrieved 29 July 2010.
  11. "Spain busts ring accused of infecting 13 mln PCs". Reuters. 2 March 2010. Archived from the original on 8 October 2021. Retrieved 29 July 2010.
  12. "13m users worldwide affected by Mariposa botnet". Help Net Security. 10 March 2010. Archived from the original on 2 September 2022. Retrieved 2 September 2022.
  13. Larraz, Teresa (3 March 2010). "UPDATE 1-Spain busts ring accused of infecting 13 mln PCs". Reuters. Archived from the original on 4 June 2010. Retrieved 29 July 2010.
  14. Ragan, Steve (3 March 2010). "Mariposa botnet – 12.7 million bots strong – knocked offline". The Tech Herald. Archived from the original on 25 July 2010. Retrieved 29 July 2010.
  15. "Cyber mastermind arrested, questioned in Slovenia". WTOP-FM. Retrieved 29 July 2010. [dead link]
  16. "FBI, Slovenian and Spanish Police Arrest Mariposa Botnet Creator, Operators". FBI National Press Office. Washington, D.C. 28 July 2010. Archived from the original on 27 December 2013. Retrieved 27 December 2013.
  17. "FBI potrdil aretacijo štajerskega hekerja; ta že na prostosti" [FBI Confirms the Arrest of the Styrian Hacker; He Is Already at Large] (in Slovenian). 28 July 2010. Archived from the original on 2 April 2015. Retrieved 2 March 2015.
  18. "Afera Mariposa: Škorjanc se ni želel zagovarjati" [Mariposa Affair: Škorjanc Refuses to Defend Himself]. Delo.si (in Slovenian). 6 August 2012. Archived from the original on 2 April 2015. Retrieved 2 March 2015.
  19. "Creator of Mariposa Botnet Sentenced to 58 Months in Prison". Security Week. 23 December 2013. Archived from the original on 27 December 2013. Retrieved 27 December 2013.
  20. "Hacker sentenced for 'malicious' programme". IOL. 24 December 2013. Archived from the original on 27 December 2013. Retrieved 27 December 2013.
  21. "Mariposa botnet 'mastermind' jailed in Slovenia". BBC News. 24 December 2013. Archived from the original on 27 December 2013. Retrieved 27 December 2013.
  22. "Mariposa Botnet Hacker Fails with Appeal at Higher Court". Slovenian Press Agency. 5 February 2015. Archived from the original on 8 March 2015.
  23. "Eight years later, the case against the Mariposa malware gang moves forward in the US". ZDNet. 11 June 2019. Archived from the original on 8 October 2021. Retrieved 11 June 2019.