The Mariposa botnet is a network of 13 million compromised systems in more than 190 countries that is managed by a single command-and-control (C&C) server in Spain. This botnet has been dubbed one of the biggest networks of zombie PCs in cyberspace alongside the SDBOT IRC, DOWNAD/Conficker, and ZeuS botnets. Its rise to fame was recently thwarted by its shutdown and the consequent imprisonment of three of its main perpetrators.

1. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 59
MARCH 15, 2010
Mariposa Botnet Uses AutoRun Worms to Spread
Mariposa, “butterfly” in Spanish, refers to a network of 13 million compromised systems in more than 190 countries worldwide that is managed by
a single command-and-control (C&C) server in Spain. This botnet has been dubbed as one of the biggest networks of zombie PCs in cyberspace
alongside the SDBOT IRC, DOWNAD/Conficker, and ZeuS botnets. Its rise to fame in May 2009, however, was recently thwarted by its
shutdown and the consequent imprisonment of three of its main perpetrators.
The Threat Defined
Clipping Mariposa's Wings
Though the Mariposa botnet first became known as
early as the second quarter of 2009, it has been in
existence as early as December 2008. Typically,
botnets carry with them binaries or malicious files that
their perpetrators use for various purposes. As the
botnet took flight toward notoriety, Trend Micro threat
analysts found WORM_AUTORUN.ZRO, a worm
retrieved from compromised systems that were found
to be part of the Mariposa botnet. This worm has the
ability to spread via instant-messaging (IM)
applications, peer-to-peer (P2P) networks, and
removable drives. Some binaries were also capable of Adapted from http://blogs.zdnet.com/security/?p=5587
spreading by exploiting a vulnerability in Internet
Figure 1. Mariposa-infected systems worldwide
Explorer (IE).
Defence Intelligence, a privately held information security firm specializing in compromise prevention and detection,
collaborated with other security companies and researchers upon spotting the Mariposa botnet to give birth to the
Mariposa Working Group (MWG). Last month, local and international authorities with the help of the MWG arrested
three Mariposa botnet administrators known as "netkairo," "jonyloleante," and "ostiator."
Flying Free on a
Cybercrime Spree
Just like any other botnet, Dias
de Pesadilla (DDP), aka the
Nightmare Days Team, used
Mariposa to make money.
Experts found out that this
botnet is being used to steal
information (e.g., credit card
numbers, bank account details,
user names and passwords to
social-networking sites, and
important files found on affected
systems’ hard drives), which
cybercriminals can use in a
number of ways. Experts also
found that DDP stole money
directly from banks using
money mules in the United
States and Canada.
Figure 2. WORM_AUTORUN.ZRO infection diagram
1 of 2 – WEB THREAT SPOTLIGHT

2. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
Further digging into Mariposa's business model revealed that its administrators also offered underground services
to potential clients. Some of these services include hacking servers to take control, encrypting bots to make them
invisible to security applications, and creating anonymous VPN connections to administer bots. Parts of the
Mariposa botnet are also rented out to other administrators and organizations to serve their underground business
needs.
User Risks and Exposure
More than 200 binaries of the Mariposa botnet have been found in the wild. Among these, what users should be
most wary of are information stealers that compromise not just banking information but also a user’s identity. As
such, users are advised to keep their security solutions updated at all times.
Users also need to exercise caution when visiting malicious websites purporting to be legitimate to avoid system
infections. Finally, Mariposa binaries are automatically executed when introduced to a system via removable
devices. As such, users should disable Windows’ AutoRun feature to prevent programs on such drives from
automatically running on their systems. To maximize the security of removable drives, read "How to Maximize the
Malware Protection of Your Removable Drives."
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ is a cloud-client
content security infrastructure that automatically blocks threats before they reach you. A global network of threat
intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive
protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grow,
the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall
protection against data breaches, damage to business reputation, and loss of productivity.
Smart Protection Network™ protects users from Mariposa botnet-related attacks by detecting and preventing the
execution of WORM_AUTORUN.ZRO via the file reputation service. Non-Trend Micro product users can also stay
protected with free tools like RUBotted, which monitors computers for suspicious activities and regularly checks with
an online service to identify behaviors associated with bots. Upon discovering potential infections, it prompts users
to scan and clean their computers.
The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/mariposa-botnet-perpetrators-captured/
The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AUTORUN.ZRO
Other related posts are found here:
http://defintel.blogspot.com/2009/10/mariposa-defined_01.html
http://www.wired.com/threatlevel/2010/03/spain-busts-hackers-for-infecting-13-million-pcs/
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/sdbot_irc_botnet_continues_to_make_waves_pub.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/53_downadconficker_-_the_case_of_the____missing____
malware.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
http://www.theregister.co.uk/2010/03/03/mariposa_botnet_bust_analysis/
http://blogs.zdnet.com/security/?p=5587
http://www.defintel.com/about.shtml
http://www.defintel.com/mariposa.shtml
http://research.pandasecurity.com/vodafone-distributes-mariposa/
http://www.theregister.co.uk/2010/03/04/mariposa_police_hunt_more_botherders/
http://en.wikipedia.org/wiki/Money_mule
http://technet.microsoft.com/en-us/library/cc959381.aspx
http://blog.trendmicro.com/how-to-maximize-the-malware-protection-of-your-removable-drives/
2 of 2 – WEB THREAT SPOTLIGHT