Butterfly botnet morph is bigger, badder than Mariposa

By on
Butterfly botnet morph is bigger, badder than Mariposa

Botnet grows new wings.

The infamous Mariposa botnet once obliterated has regrown wings into a new network that has infected machines in 172 countries and is said to even more dangerous.

The new network grew from the ashes of Mariposa, a Spanish word for butterfly, which was one of the world's largest botnets that at its height controlled up to 12 million infected machines before its destruction in December 2009.

It uses the same worm software, dubbed Butterfly bot, to infect hosts, but experts say it is "larger than Mariposa".

Researchers Matt Thompson and Meaghan Molloy from botnet monitoring firm Unveillance, along with Mariposa Working Group partner Panda Security, have collected and analysed several thousand unique variants of malicious software associated with Butterfly bot.

The research found that Butterfly is polymorphic malware that spreads via removable drives such as USB keys and those infected often find themselves in a perpetual cycle of reinfection.

Luis Corrons, technical director of PandaLabs, said that the framework of Butterfly allows any botmaster to run a Butterfly-type botnet.

Corrons, who was heavily involved with the takedown of Mariposa and met with the controllers, said that it was a distinctive botnet as it was heavily customised.

“The key here is that during the Mariposa case, we discovered the licensing mechanism inside the Butterfly bot client that is tied to the command and control server addresses," Corrons said.

"These licenses are in the form of botmaster nicknames, which are then again tied to the sales made to all botmasters who purchased a Butterfly botnet."

In early June, news reports from eastern European said that a law enforcement task force, including the FBI, Interpol, the Serbian Ministry of Internal Affairs and the Slovenian Police, resulted in the arrest of two men charged with stealing several hundred thousand dollars while running a botnet.

“Since the Butterfly framework creator was arrested and his computers confiscated, it is safe to assume that law enforcement has a very good insight into who is running any Butterfly-based botnet out there."

“What is strange is that given the above information being public since the Mariposa arrests last year in Spain and Slovenia, botmasters are still depending on Butterfly framework to run their botnets. Obviously those botmasters are either not concerned about going to jail or just plain stupid.”

The Butterfly bot kit costs $500 for a basic option with the external downloader, USB and MSN spreaders.

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?