It can be recalled that Mariposa made headlines when three alleged operators were arrested in Spain, shortly before the botnet itself was supposedly shut down. This was followed by a sudden and drastic drop in Mariposa-related incidents, which was understandable given that the botnet had reportedly already been taken down.
Lately, however, we have been seeing a strange increase in activity related to WORM_PALEVO, our detection name for malware associated with the Mariposa botnet. The increase started late in Q4 of 2010:
It seems that despite the takedown of the Mariposa botnet (WORM_PALEVO) in early 2010, some of its C&Cs are still very much alive. Our finding is consistent with the abuse.ch tracker, which listed 89 active command and control (C&C) servers when we first checked; the number seems to be growing steadily, with 116 active C&Cs as of this writing. The list even includes the infamous URL that led to the botnet being dubbed Mariposa.
We checked the variants responsible for this activity and found that although the current in-the-wild samples differ slightly from previous versions, their functionality remains the same.
WORM_PALEVO is a modular bot mainly used to perform DDoS attacks and download other files. Because it is sold commercially, modules can be bought to add other features such as propagation methods, browser monitoring and hijacking, and cookie stuffing, alongside the flooding and download routines. Its C&C communication is based on UDP, which firewall devices typically do not block.
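As an added illustration of the defensive side of that last point (example code, not from the original post or Trend Micro, and not a model of Palevo's actual protocol, which the post does not describe): a small heuristic over constructed flow records that flags hosts sending UDP to the same external peer at near-constant intervals, the kind of traffic an outbound-UDP-permitting firewall passes but a flow monitor can still surface. The IPs, ports and interval thresholds below are assumptions chosen for the sample.

```python
# Added example: flag periodic outbound UDP "beacons" in flow records.
# Constructed sample data; does not reproduce Palevo's real C&C protocol.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, proto, dst_port)
FLOWS = [
    (0,   "10.0.0.5", "203.0.113.7",   "udp", 5906),   # ~60 s beacon
    (60,  "10.0.0.5", "203.0.113.7",   "udp", 5906),
    (121, "10.0.0.5", "203.0.113.7",   "udp", 5906),
    (180, "10.0.0.5", "203.0.113.7",   "udp", 5906),
    (241, "10.0.0.5", "203.0.113.7",   "udp", 5906),
    (3,   "10.0.0.5", "192.0.2.53",    "udp", 53),     # ordinary DNS
    (90,  "10.0.0.5", "192.0.2.53",    "udp", 53),
    (200, "10.0.0.5", "192.0.2.53",    "udp", 53),
    (10,  "10.0.0.8", "198.51.100.9",  "udp", 123),    # NTP
    (15,  "10.0.0.8", "198.51.100.20", "udp", 4444),   # too few flows
    (400, "10.0.0.8", "198.51.100.20", "udp", 4444),
]

# UDP ports that legitimately talk on a regular schedule; ignored here.
EXPECTED_UDP_PORTS = {53, 123}

def find_udp_beacons(flows, min_flows=4, max_jitter=0.2):
    """Return (src, dst, port, mean_interval) for UDP peers a host contacts
    at a near-constant interval. Jitter = stddev/mean of the time gaps."""
    by_peer = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        if proto == "udp" and port not in EXPECTED_UDP_PORTS:
            by_peer[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_peer.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, port, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for hit in find_udp_beacons(FLOWS):
        print("possible UDP beacon:", hit)
```

Candidates it raises are worth cross-checking against a C&C list such as the abuse.ch tracker mentioned above before acting on them.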
We are keeping a close eye on this threat and will post more information if we see further developments. Trend Micro protects users from this threat via the Trend Micro™ Smart Protection Network™, which detects this botnet.