Mariposa Botnet Uses Autorun Worms to Spread
Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 59, MARCH 15, 2010

Mariposa Botnet Uses AutoRun Worms to Spread

Mariposa, "butterfly" in Spanish, refers to a network of 13 million compromised systems in more than 190 countries worldwide that was managed by a single command-and-control (C&C) server in Spain. This botnet has been dubbed one of the biggest networks of zombie PCs in cyberspace alongside the SDBOT IRC, DOWNAD/Conficker, and ZeuS botnets. Its rise to fame in May 2009, however, was recently cut short by its shutdown and the consequent imprisonment of three of its main perpetrators.

The Threat Defined

Clipping Mariposa's Wings

Though the Mariposa botnet first became known in the second quarter of 2009, it has existed since as early as December 2008. Botnets typically carry binaries or malicious files that their operators use for various purposes. As the botnet took flight toward notoriety, Trend Micro threat analysts found WORM_AUTORUN.ZRO, a worm retrieved from compromised systems that were found to be part of the Mariposa botnet. This worm spreads via instant-messaging (IM) applications, peer-to-peer (P2P) networks, and removable drives. Some binaries were also capable of spreading by exploiting a vulnerability in Internet Explorer (IE).

Figure 1. Mariposa-infected systems worldwide (adapted from http://blogs.zdnet.com/security/?p=5587)

Defence Intelligence, a privately held information security firm specializing in compromise prevention and detection, collaborated with other security companies and researchers upon spotting the Mariposa botnet to form the Mariposa Working Group (MWG). Last month, local and international authorities, with the help of the MWG, arrested three Mariposa botnet administrators known as "netkairo," "jonyloleante," and "ostiator."

Flying Free on a Cybercrime Spree

Like any other botnet operators, Dias de Pesadilla (DDP), aka the Nightmare Days Team, used Mariposa to make money. Experts found that the botnet was being used to steal information (e.g., credit card numbers, bank account details, user names and passwords for social-networking sites, and important files on affected systems' hard drives), which cybercriminals can monetize in a number of ways. Experts also found that DDP stole money directly from banks using money mules in the United States and Canada.

Figure 2. WORM_AUTORUN.ZRO infection diagram
Further digging into Mariposa's business model revealed that its administrators also offered underground services to potential clients, including hacking servers to take control of them, encrypting bots to make them invisible to security applications, and creating anonymous VPN connections to administer bots. Parts of the Mariposa botnet were also rented out to other administrators and organizations to serve their underground business needs.

User Risks and Exposure

More than 200 binaries of the Mariposa botnet have been found in the wild. Among these, users should be most wary of the information stealers, which compromise not just banking information but also the user's identity. Users are therefore advised to keep their security solutions updated at all times and to exercise caution with malicious websites that pose as legitimate ones, in order to avoid system infections. Finally, Mariposa binaries are automatically executed when introduced to a system via removable devices. Users should therefore disable Windows' AutoRun feature so that programs on such drives cannot start on their own. To maximize the security of removable drives, read "How to Maximize the Malware Protection of Your Removable Drives."

Trend Micro Solutions and Recommendations

Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional approaches. Leveraged across Trend Micro's solutions and services, Smart Protection Network™ is a cloud-client content security infrastructure that automatically blocks threats before they reach you. A global network of threat intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive protection against threats.
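The AutoRun hardening recommended under User Risks and Exposure, as an added example that is not part of the original Trend Micro report: a PowerShell script that audits and enforces the NoDriveTypeAutoRun policy (the Windows registry value that controls AutoRun per drive type; 0xFF disables it for every type) and then inspects the currently attached removable drives for an autorun.inf and the program its open= or shellexecute= line would launch, which is the mechanism an AutoRun worm relies on. The function names and the choice to write both the machine (HKLM) and user (HKCU) policy keys are this example's own assumptions; run it from an elevated session so the HKLM write succeeds.

```powershell
# Added example, not Trend Micro's code. Assumes Windows PowerShell 3+ and an
# elevated session for the HKLM write. Registry locations and the
# NoDriveTypeAutoRun value are the standard Windows Explorer policy settings;
# 0xFF sets the "no AutoRun" bit for every drive type, removable drives included.

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$ValueName         = 'NoDriveTypeAutoRun'
$AllDrivesDisabled = 0xFF

function Get-AutoRunPolicy {
    # Report the current policy value in each key and whether it fully disables AutoRun.
    foreach ($key in $PolicyKeys) {
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            Key      = $key
            Value    = $current
            Disabled = ($current -eq $AllDrivesDisabled)
        }
    }
}

function Set-AutoRunDisabled {
    # Enforce the policy: create the key if needed and write the DWORD value.
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $ValueName -Value $AllDrivesDisabled `
                         -PropertyType DWord -Force | Out-Null
    }
}

function Find-AutorunInf {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, card readers).
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $removable) {
        $inf = Join-Path $drive.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }

        # Extract the launch targets; an AutoRun worm points these at its own dropper.
        $targets = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_ -match '^\s*(open|shellexecute)\s*=\s*(.+)$') { $Matches[2].Trim() }
            }

        [pscustomobject]@{
            Drive   = $drive.DeviceID
            File    = $inf
            Hidden  = [bool]((Get-Item -LiteralPath $inf -Force).Attributes -band [IO.FileAttributes]::Hidden)
            Targets = @($targets)
        }
    }
}

# Audit first; enforce if either key is not already locked down; then scan attached drives.
$policy = Get-AutoRunPolicy
$policy | Format-Table -AutoSize
if ($policy | Where-Object { -not $_.Disabled }) {
    Set-AutoRunDisabled
    Get-AutoRunPolicy | Format-Table -AutoSize
}
Find-AutorunInf | Format-List
```

The scan only covers drives attached at the moment it runs, and a hidden autorun.inf with an open= target is a strong hint rather than proof of infection (legitimate installers ship them too), so treat a hit as something to submit to a scanner, not as a verdict. Setting the policy only stops Explorer from launching the file automatically; it does not remove a worm already on the drive.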
As the sophistication of threats, volume of attacks, and number of endpoints rapidly grow, the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall protection against data breaches, damage to business reputation, and loss of productivity. Smart Protection Network™ protects users from Mariposa botnet-related attacks by detecting and preventing the execution of WORM_AUTORUN.ZRO via the file reputation service.

Non-Trend Micro product users can also stay protected with free tools like RUBotted, which monitors computers for suspicious activities and regularly checks with an online service to identify behaviors associated with bots. Upon discovering potential infections, it prompts users to scan and clean their computers.

The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/mariposa-botnet-perpetrators-captured/

The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AUTORUN.ZRO

Other related posts are found here:
http://defintel.blogspot.com/2009/10/mariposa-defined_01.html
http://www.wired.com/threatlevel/2010/03/spain-busts-hackers-for-infecting-13-million-pcs/
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/sdbot_irc_botnet_continues_to_make_waves_pub.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/53_downadconficker_-_the_case_of_the____missing____malware.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
http://www.theregister.co.uk/2010/03/03/mariposa_botnet_bust_analysis/
http://blogs.zdnet.com/security/?p=5587
http://www.defintel.com/about.shtml
http://www.defintel.com/mariposa.shtml
http://research.pandasecurity.com/vodafone-distributes-mariposa/
http://www.theregister.co.uk/2010/03/04/mariposa_police_hunt_more_botherders/
http://en.wikipedia.org/wiki/Money_mule
http://technet.microsoft.com/en-us/library/cc959381.aspx
http://blog.trendmicro.com/how-to-maximize-the-malware-protection-of-your-removable-drives/