Security Response

The Mariposa Butterfly

Created: 01 Oct 2009 14:12:07 GMT • Updated: 23 Jan 2014 18:32:28 GMT
John McDonald

There has been a flurry of news articles over the past few days on what the media appears to have labeled the Mariposa botnet, after the name a Canadian information security firm used for this particular threat. The ‘butterfly’ in the title of this article refers to the fact that the threat is believed to stem from the Butterfly bot kit, which is no longer for sale.

Several security vendors have commented that this threat isn't new, and indeed Symantec has been detecting variants of it since as early as January this year. We currently have various detection names for these samples, the majority of which are one variant or another of W32.SillyFDC, Trojan Horse or more recently Packed.Generic.248. Other vendors also report a range of different detections for these files. For example, F-Secure reported they detect it as either Palevo or Vaklik.

Given that this threat certainly isn't new, it's a little surprising to see such sudden interest in it. Even Andrew Addison, spokesman for the Canadian Bankers Association, said that banks are aware of the threat, that it hasn't breached their security systems, and that there has been little to no impact from it. Still, it doesn't hurt to bring a potential security risk such as this to people's attention.

For clarification, we have created a new detection for the threat and called it W32.Pilleuz. Briefly, here’s what the threat does:

  • It spreads through file-sharing programs, Microsoft instant messaging clients, and removable drives.
  • It opens a back door on the compromised computer, essentially giving a remote attacker full control over the compromised computer.
  • It uses a variety of packing techniques.
  • It communicates with remote servers at the following network addresses:
    - qwertasdfg.sinip.es
    - butterfly.sinip.es
    - bfisback.no-ip.org

Figure 1: Packet-capture example of W32.Pilleuz contacting the network addresses.
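
The three hostnames listed above can be used to look for affected machines in DNS resolver logs. The following is an added example, not part of the original post or of Symantec's tooling; it assumes dnsmasq-style query log lines, treats names beneath a listed host as matches (an assumption), and runs on constructed sample lines.

```python
import re
from collections import defaultdict

# Hostnames listed in the post as W32.Pilleuz contact points.
PILLEUZ_HOSTS = {"qwertasdfg.sinip.es", "butterfly.sinip.es", "bfisback.no-ip.org"}

# dnsmasq-style query line: "... query[A] name from client" (log format is an assumption).
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def normalize(name):
    """Lower-case and drop the trailing root dot so FQDN forms compare equal."""
    return name.strip().rstrip(".").lower()

def is_listed(name):
    """True for a listed host or any label beneath it; label-aligned, not substring."""
    name = normalize(name)
    return any(name == h or name.endswith("." + h) for h in PILLEUZ_HOSTS)

def find_pilleuz_lookups(lines):
    """Return {client address: sorted list of listed names it queried}."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_listed(m.group("name")):
            hits[m.group("client")].add(normalize(m.group("name")))
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "Oct  1 14:02:11 dnsmasq[812]: query[A] www.example.com from 192.168.1.20",
    "Oct  1 14:02:15 dnsmasq[812]: query[A] Butterfly.Sinip.ES. from 192.168.1.23",
    "Oct  1 14:02:19 dnsmasq[812]: query[A] bfisback.no-ip.org from 192.168.1.23",
    "Oct  1 14:02:30 dnsmasq[812]: query[A] notbutterfly.sinip.es from 192.168.1.31",
    "Oct  1 14:02:41 dnsmasq[812]: query[AAAA] qwertasdfg.sinip.es from 192.168.1.47",
    "Oct  1 14:02:44 dnsmasq[812]: reply www.example.com is 192.0.2.10",
]

if __name__ == "__main__":
    for client, names in sorted(find_pilleuz_lookups(SAMPLE_LOG).items()):
        print(client, "queried", ", ".join(names))
```

The match is label-aligned, so a lookalike such as `notbutterfly.sinip.es` is not reported, while mixed case and a trailing dot are normalized before comparison.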

Symantec Security Response will continue to monitor the progress of this threat and update our protection as required, but for now there is little reason to panic. That is, of course, unless you are running without a comprehensive and regularly updated security suite, or you own or manage a business environment and don't have a proper information security policy in place. In that case, I'd run for the hills.

---------------
My thanks to my colleague Masaki Suenaga for his help researching this blog post.