Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Jailing the Butterfly

Created: 02 Mar 2010 23:52:16 GMT • Updated: 23 Jan 2014 18:29:08 GMT
Vikram Thakur's picture
+1 1 Vote
Login to vote

In October 2009 we started tracking the Mariposa, or Butterfly, botnet. At that time, a security company had reported that a large number of Fortune 100 companies had been infected with this threat. Earlier today, news came out that the same firm had worked with the appropriate authorities in arresting alleged key members of the Mariposa botnet.

Back in October 2009 we also blogged about this bot's capabilities, in a brief post called The Mariposa Butterfly. Later that month we were able to get our hands on a toolkit being sold in underground forums that clearly demonstrated the bot's capabilities. More information about that is available in The Mariposa / Butterfly Bot Kit.

Symantec products detect this malicious worm under multiple names, the most prominent of which is W32.Pilleuz. Pilleuz and its variants have been extremely active over the past several months. The threat itself has multiple capabilities. It is able to spread via USB devices, instant messaging clients, and P2P. It has the ability to steal credentials and personal information, as well as accept commands from its command-and-control (C&C) server. One such command could be to flood network traffic to a certain domain, thereby performing a distributed denial of service (DDoS).

This threat is most certainly widely distributed. For a short period’s sample data, here is a listing of the top countries with Pilleuz infections:

pil-country.PNG

The same sample period’s infection numbers seen are as follows:

pil-count.PNG

As we mentioned before, details about what role the arrested people played in Pilleuz’s day-to-day operations are still sketchy. We’re hopeful that these arrests will have a significant impact on the infections that we’re seeing. In any case, Symantec Security Response will continue to monitor the activity this threat shows and update protection as warranted.