Mariposa Botnet
My presentation from CSI 2010
  1. Lessons Learned from Mariposa: Avoiding Disaster, Protecting from Cybercrime. Sean-Paul Correll, Threat Researcher, Panda Security, USA
  2. May 2009
  3. October 2009
  4. Mariposa Working Group: Defence Intelligence, Panda Security, Georgia Tech Information Security Center, Neustar, researchers who wish to remain anonymous. In collaboration with: FBI, Spanish Civil Guard
  5. Some of the DNS domain names observed as C&C servers: lalundelau.sinip.es, bf2back.sinip.es, thejacksonfive.mobi, butterfly.BigMoney.biz, bfisback.sinip.es, qwertasdfg.sinip.es
  6. Early estimates (map): Command & Control (??????????); Spain, USA, Panama; 100,000 – 200,000 victims
  7. (map) Command & Control (??????????); Spain, USA, Panama; 100,000 – 200,000 victims; SINKHOLE
  8. Timeline. December 21st 2009: Spanish LE visit to CDMON (Spanish ISP). December 23rd 2009: all C&C domains pointed to sinkhole (Cdmon, ChangeIP, Directi, GetmyIP, DynDNS). December 24th 2009: new binary (2/24 @ VirusTotal) dropped.
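The C&C domain list on slide 5 is exactly what a defender would have fed into DNS monitoring once the sinkhole went up (slide 8): any internal host still asking for those names is a candidate infection. The following is an added example, not code from the presentation or from Panda Security; it assumes a constructed query-log format of "timestamp client_ip query_name" per line and flags the listed domains and anything below them, while leaving the parent zone sinip.es alone.

```python
"""Flag DNS queries for the Mariposa C&C domains named in the deck.

Added example, not from the presentation. Assumes a constructed DNS
query log format: "<timestamp> <client_ip> <query_name>" per line.
"""
from collections import defaultdict

# Domains from the "observed as C&C servers" slide plus booster.estr.es
# from the timeline, stored lowercased without a trailing dot.
MARIPOSA_CC_DOMAINS = {
    "lalundelau.sinip.es",
    "bf2back.sinip.es",
    "thejacksonfive.mobi",
    "butterfly.bigmoney.biz",
    "bfisback.sinip.es",
    "qwertasdfg.sinip.es",
    "booster.estr.es",
}

def normalize(qname: str) -> str:
    """Lowercase and strip the trailing dot so 'Butterfly.BigMoney.biz.' matches."""
    return qname.strip().rstrip(".").lower()

def matches_cc(qname: str) -> bool:
    """True if the name is a listed C&C domain or a label below one."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in MARIPOSA_CC_DOMAINS)

def scan_dns_log(lines):
    """Return {cc_domain: sorted client IPs} for every hit in the log lines."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash the scan
        _ts, client, qname = parts
        name = normalize(qname)
        for d in MARIPOSA_CC_DOMAINS:
            if name == d or name.endswith("." + d):
                hits[d].add(client)
    return {d: sorted(c) for d, c in hits.items()}

def suspect_hosts(lines):
    """Unique internal hosts that asked for any C&C name (candidate infections)."""
    return sorted({ip for ips in scan_dns_log(lines).values() for ip in ips})

# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "2009-12-23T10:00:01 10.0.0.5 butterfly.BigMoney.biz.",
    "2009-12-23T10:00:02 10.0.0.5 www.example.com",
    "2009-12-23T10:00:03 10.0.0.9 bf2back.sinip.es",
    "2009-12-23T10:00:04 10.0.0.9 update.bf2back.sinip.es",
    "2009-12-23T10:00:05 10.0.0.7 sinip.es",
    "bad line",
]
```

Running `suspect_hosts(SAMPLE_LOG)` on the constructed log yields the two hosts that queried a listed C&C name; the host that only resolved the parent zone sinip.es is not flagged.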
  9. Staying undetected… The botnet operators used Swedish VPN providers in order to avoid physical detection. The sinkhole caused the main botnet operator to panic and connect to the infrastructure using his home DSL connection.
  10. Panic at the disco! C&C sinkhole panic allowed us to trace the botnet operator's Internet connection back to Spain. Spanish LE visits ISP to retrieve DSL customer information. Time to make some arrests!
  11. MWG: Let's move on the arrest! Spain LE: Not so fast! Law enforcement roadblocks: owning a botnet is not illegal in Spain; Spanish law protects criminals; forensic skills are not up to par
  12. Timeline. January 22nd 2010: bot master bribed CDMON tech support to recover booster.estr.es for €500. January 25th 2010: bot master launches DDoS against Defence Intelligence, sustained 900MB/s traffic. February 3rd 2010: bot master arrested at home by Spanish Civil Guard
  13. What did we uncover after the arrest?
  14. What did we uncover after the arrest? Stolen credentials: personal information from over 1,000,000 victims (credit cards, Social Security numbers, bank accounts, intranet credentials); data from universities, banks, and half of Fortune 1000 companies
  16. Anti-detection/debugging tools…
  17. Anti-detection/debugging tools
  18. Licensing control system: Butterfly Bot version, licensing control UID
  19. Builder packed with Themida
  20. Timeline after initial arrest. February 10th 2010: Butterfly.bigmoney.biz recovered by Mariposa; moved C&C servers to Israeli & Chinese domain registrars. February 24th 2010: Ostiator & JonnyLoleante arrested. March 3rd 2010: Mariposa final takedown
  21. Infections in 189 different countries
  22. Top 10 infected countries
  23. Infection statistics: 31,901 infected towns and cities
  24. Infection statistics: over half of Fortune 1000 companies infected; over 40 banks infected
  25. Why was Mariposa so successful?
  26. Strong AV signature evasion + botnet infrastructure
  27. Peer to Peer (P2P)
  28. P2P – Strengths and Weaknesses. Low chance of infecting corporate networks (perimeter blocking). High chance of infecting home networks (piracy). APAC region had a high concentration of infections; high risk due to rampant piracy. 65% of software is pirated in India according to a Business Software Alliance study: http://bit.ly/bLlN06
  29. USB Distribution
  30. USB – Strengths and Weaknesses. High chance of infection in corporate networks: USB enabled by default in most organizations; working from home introduces threats into the workplace. High chance of infection in home networks: we use USB devices every day; knowledge of the USB threat vector is low
  31. MSN Messenger
  32. MSN Messenger
  33. MSN Messenger – Strengths and Weaknesses. Moderate chance of infection in corporate networks: sometimes used for interoffice communication; 31% of businesses use instant messaging according to Nielsen. High chance of infection in home networks: 40% of home users use instant messaging according to Nielsen; MSN usage ranks high in most affected countries; unique social engineering capability
  34. Exploit Kits
  35. Exploit kits – Strengths and Weaknesses. Moderate chance of infection in corporate networks: operating system updates are most likely enforced via policy; non-system software updates are most likely not enforced via policy; antivirus software installed by default. High chance of infection in home networks: operating system updates not always installed; non-system software updates are almost never installed (unless forced); antivirus software may not be installed
  36. Mariposa Botnet Control Software
  37. Command and Control Software
  44. Who are these guys?
  45. Members Arrested: Netkairo, 31, Spain; Ostiator, 25, Spain; jonnyloleante, 30, Spain. DDP Team: Dias De Pesadilla Team – Nightmare Days Team
  46. What were their roles?
  48. Butterfly Bot Packages
  49. Butterfly Module Prices
  50. How much money were they earning? 10,000 € / month (around 3,000 each): ads, pay per click, renting portions of the botnet, post data grabber (stealing credentials)
  54. Monday, March 22nd
  57. Commenting on the blog
  61. Iuis_corrons following Luis_Corrons
  62. D'oh!
  63. What are we dealing with here?
  64. The Slovenian Connection
  67. Collateral Damage? Dejan Janzekovic
  68. Lessons Learned. Just shutting down botnet C&Cs does not stop the bad guys. Arresting the bad guys doesn't stop them either. Signature-based antivirus detection isn't good enough: signatures can take weeks to develop. Cyber legislation needs significant improvements to adapt to the current threat landscape. Communication with law enforcement is often one-way and difficult, but results are better than simple shutdowns.
  69. Thank you! Sean-Paul Correll, Threat Researcher, Panda Security, USA. Twitter: http://twitter.com/lithium E-mail: lithium@us.pandasecurity.com