Mariposa Botnet on Comeback Trail

Tuesday, May 31, 2011 @ 04:05 PM gHale

Mariposa, once one of the largest botnets in the world, is growing back to its former self, said security researchers.

Mariposa (Butterfly) was the name given to a particular botnet, which at its peak, consisted of as many as 12 million infected computers spread across 190 countries.

The Mariposa botnet was a variant of Palevo or Rimecud worm, which is capable of spreading using a variety of methods, including exploiting Windows vulnerabilities, copying itself to removable storage devices and network shares, as well as sending itself over instant messaging and p2p file sharing programs, said researchers at Trend Micro.

Mariposa underwent dismantling in March 2010 by the Spanish authorities when they arrested the lead bot hearder and two of his accomplices.

In July the same year, the Slovenian Criminal Police arrested an individual suspected of being the lead developer behind Palevo.

Following these events, the worm’s activity registered a steep decline, however, according to researchers from Trend Micro, the malware is gaining traction again.

“Lately however we’ve been seeing a strange increase in activity related to WORM_PALEVO—our detection for malware related to the Mariposa botnet. The increase started late in Q4 of 2010,” Trend Micro researchers wrote.

The worm is almost as active now as in Q1 2010 when officials took it down. Abuse tracking website, said there are currently 118 Palevo command and control servers tracked.

The new Palevo variants are largely similar in functionality to the old versions. Due to its modularized architecture, the worm can easily model to whatever purpose cyber criminals desire.

There are modules for DDoS, malware distribution, browser monitoring and hijacking, cookie stuffing and other functions. “We are keeping a close eye on this threat,” the Trend Micro researchers said.

As always, users should exercise caution when dealing with links received via instant messaging programs, social networking sites and emails. Running a capable and up-to-date antivirus program is also a must.

Leave a Reply

You must be logged in to post a comment.