Security Response

The Mariposa / Butterfly Bot Kit

Created: 07 Oct 2009 21:00:54 GMT • Updated: 23 Jan 2014 18:32:23 GMT
By Peter Coogan

We thought it might be interesting to provide some additional information on the Butterfly bot kit, following our blog published last week entitled The Mariposa Butterfly. We posted that blog in response to a report that half of the Fortune 100 companies have been compromised by a botnet dubbed Mariposa (Spanish for "butterfly"). The Butterfly bot kit's creator, known as Iserdo, markets the following features of the bot kit in the user manual supplied with the kit (the snippet below is taken directly from the user manual):

a) Features of bot base

1. Polymorphic code and strings
    code related to bot functionality is encoded
    every time with different key, same goes for
    strings
2. Installation into hidden location
    installs into location where it is impossible
    to access with windows explorer
3. Direct code injection into explorer.exe (DCI)
    injects whole bot into remote process without
    leaving any .dll behind
4. Registry startup method
    method that works on all winnt versions,
    including limited accounts (guest)
5. Executable file guard
    when bot is running (injected), bot file can
    not be deleted
6. Process monitor
    small code injected into another non-explorer.exe
    process which monitors explorer.exe; if explorer
    crashes, the bot is restarted and can reinject
    code into explorer.exe
7. Anti-x
    anti vmware, virtualpc, debugger 1 & 2, anubis,
    TE, sandbox, norman sandbox, sunbelt sandbox
8. Own protocol
    udp (no connections logged), acks and sequences
    so packets are reliably transmitted, encoded traffic,
    bitstreams, unlimited number of clients supported
9. Download/update/remove
10. TCP (SYN) and UDP flood
11. Firefox 2.x, Firefox 3.x password harvesting
12. Internet Explorer 6, Internet Explorer 7 password harvesting
13. Reverse Socks4, Socks5, HTTP socks

b) Features of spreaders

1: MSN spreader
    hooks send function in msnmsgr process and hijacks
    certain message, replacing it with custom link,
    msn process monitor (waits for msnmsgr, checks if
    same msnmsgr process running, else restart spreader)

2: P2P spreader
    supports: ares, bearshare, imesh, shareaza, kazaa,
    dcplusplus, emule, emuleplus, limewire
    obtains sharing folder out of registry or config
    files (100% accurate sharing folders)
    option to autospread with names of latest warez files
    obtained from certain warez website.

3: USB spreader
    using windows messages to get informed when usb device
    has been inserted; the spreader is very very fast and
    it locks down autorun.inf file even before explorer.exe
    can read it to launch autorun (so no other malware
    can infect infected machine via usb spreading). the
    autorun.inf file stays locked from reading or deleting
    until user decides to safely remove device from the system
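Two of the advertised techniques map directly onto settings an administrator can audit on a Windows host: the "registry startup method" that works for limited accounts (per-user Run keys, which need no elevation to write) and the USB spreader's reliance on autorun.inf being honoured. The script below is an added defender-side example written for this page; it is not Symantec's code and not taken from the bot kit. It assumes it is run in PowerShell on the host being audited, from an elevated prompt so the HKLM hives are readable, and the list of "trusted" install roots is an assumption about where legitimately installed software lives on that host.

```powershell
# Added example: audit Run-key persistence and AutoRun policy (not part of the original post).
# Assumption: run elevated on the Windows host under review.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed set of directories a legitimate startup entry normally points into.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }

function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSProvider/... metadata that Get-ItemProperty attaches.
            if ($p.Name -like 'PS*') { continue }

            # Extract the executable path from the command line, quoted or bare.
            $cmd = [string]$p.Value
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }

            $exists = (-not [string]::IsNullOrEmpty($exe)) -and (Test-Path -LiteralPath $exe)
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                    break
                }
            }

            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Exists     = $exists
                # Flag entries outside the trusted roots, or whose target cannot be
                # opened at all (a hidden or locked location is exactly what the kit advertises).
                Suspicious = (-not $inTrusted) -or (-not $exists)
            }
        }
    }
}

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled.
    # 0xFF disables it everywhere; bit 0x04 on its own covers removable drives.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $val = $null
        if (Test-Path $path) {
            $val = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        if ($null -eq $val) { $display = 'not set' } else { $display = '0x{0:X2}' -f [int]$val }
        [pscustomobject]@{
            Scope              = $path
            NoDriveTypeAutoRun = $display
            RemovableDisabled  = ($null -ne $val) -and (([int]$val -band 0x04) -ne 0)
        }
    }
}

# Usage: list only the startup entries worth a second look, then the AutoRun policy.
Get-StartupEntries | Where-Object { $_.Suspicious } | Format-Table -AutoSize
Get-AutoRunPolicy | Format-Table -AutoSize
```

Entries that reference a bare program name (for example `rundll32.exe` with no path) are reported as suspicious because the script cannot resolve them against a trusted root; review those by hand rather than treating the flag as a verdict. If `RemovableDisabled` is false on every scope, the host will still process autorun.inf from inserted media, which is the condition the USB spreader depends on.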

Symantec has confirmed some of the capabilities mentioned to be correct, but as of yet has not confirmed them all. The screenshot below is from our analysis and shows a newly infected system joining the botnet through the Butterfly master console:

[Screenshot: butterfly_screen.jpg, newly infected system joining the botnet via the Butterfly master console]

To date, Symantec data shows the following breakdown of the top 10 countries reporting infections due to the Butterfly bot kit:

[Graph: butterfly_graph.jpg, top 10 countries reporting Butterfly bot kit infections]

As stated in our previous blog, Symantec detects this threat as W32.Pilleuz. It may also be detected as Packed.Generic.248 and Packed.Generic.255.