Thursday, 24 April 2014

Resource record:

Source:

Original link on SC Magazine
Angela Moscaritolo

Publication date:

Friday, 12 March 2010

Last updated:

Friday, 12 March 2010

Entry in the observatory:

Friday, 12 March 2010

Language:

English

Filed under:


Analysts pick apart "huge" Mariposa botnet

One of the largest networks of compromised computers ever seen.

An analysis of the dismantled Mariposa botnet has revealed that it consisted of 13 million infected PCs spanning 190 countries and 31,901 cities worldwide, according to anti-virus vendor Panda Security.

The botnet, which took its name from the Spanish word for 'butterfly', infected PCs from almost every country around the world, stealing account information for social media sites, online email services, usernames and passwords, banking credentials, and credit card data, according to Panda. Compromised IP addresses included personal, corporate, government and university computers.

“It's huge,” Christopher Davis, CEO for information security firm Defence Intelligence, which first discovered Mariposa, told SCMagazineUS.com. “It's certainly one of the biggest [botnets] I have ever seen.”

The top five countries, by number of Mariposa-infected computers, were India, Mexico, Brazil, Korea and Colombia, according to Panda.

The investigation into the botnet is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are already estimated to be in the millions of dollars, Sean-Paul Correll, threat researcher at Panda, told SCMagazineUS.com.

“The primary motivation in cases like these is for the cybercriminals to reap financially,” he said.

After Mariposa was discovered last May, a group of international security experts and law enforcement agencies joined forces and formed what they called the Mariposa Working Group to disarm the botnet and prosecute the offenders.

Members of the working group were able to take control of the botnet's command-and-control (C&C) infrastructure, the servers through which the operators relayed commands to, and stolen data from, compromised computers. The group then coordinated a worldwide shutdown of the botnet on December 23.

“It was a really good coordination between companies that have to make money, researchers that don't really care about making money and law enforcement who can't really share what they are doing with us,” Davis said.

As a result of the collaboration, the primary botnet operators, nicknamed “Netkairo” and “hamlet1917”, as well as their partners “Ostiator” and “Johnyloleante”, were arrested by Spanish law enforcement earlier this month.

In addition, members of the working group were able to redirect all bots to communicate with a server controlled by the group (a sinkhole). Because every infected machine then reported to that server, security researchers could count the bots and analyze the botnet's size and geographic spread.

The malware was designed to spread through USB drives, instant messenger programs and peer-to-peer (P2P) networks, Matt Thompson, principal developer at Defence Intelligence, who reverse-engineered the malware, told SCMagazineUS.com. In addition, the malware spread by exploiting Microsoft's Internet Explorer (IE) 6 browser.

One way attackers spread the malware was by sending out malicious links in instant messages on MSN Messenger, Thompson said. When a user clicked on the link, it brought up a page that appeared to be an update for Adobe Flash Player. If that page was viewed using IE 6, the malware was installed automatically via drive-by download, with no user interaction required beyond opening the link.

Once a PC was infected by Mariposa, the botmaster installed additional malware on it, including keyloggers and banking trojans, to extend what the compromised machine could be used for.

More than 2.7 million, or 19 percent, of all infected IP addresses were located in India, making it the top Mariposa-infected country, according to Panda Security's analysis. Mexico came in second with approximately 1.8 million or 12.8 percent of infected IP addresses, followed by Brazil, then Korea, each with more than one million infected, and Colombia, with approximately 700,000.

Rounding out the top 10 of countries with the most Mariposa bots were Russia, Egypt, Malaysia, Ukraine and Pakistan, each with at least 360,000 infected IP addresses.

The malware is still present on many PCs and USB drives, so it is still spreading, Davis said.

See original article on scmagazineus.com

Secure Computing Magazine