We thought it might be interesting to provide some additional information on the Butterfly bot kit, following our blog published last week entitled The Mariposa Butterfly. We posted that blog in response to a report that half of the Fortune 100 companies have been compromised by a botnet dubbed Mariposa (Spanish for "butterfly"). The Butterfly bot kit's creator, known as Iserdo, markets the following features of the bot kit in the user manual supplied with the kit (the below snippet is taken directly from the user manual):
a) Features of bot base 1. Polymorphic code and strings code related to bot functionality is encoded everytime with different key, same goes for strings 2. Installation into hidden location installs into location where it is impossible to access with windows explorer 3. Direct code injection into explorer.exe (DCI) injects whole bot into remote process without leaving any .dll behind 4. Registry startup method method that works on all winnt versions, including limited accounts (guest) 5. Executable file guard when bot is running (injected), bot file can not be deleted 6. Process monitor small code injected into another non-explorer.exe process which monitors explorer.exe; if explorer crashes, the bot is restarted and can reinject code into explorer.exe 7. Anti-x anti vmware, virtualpc, debugger 1 & 2, anubis, TE, sandbox, norman sandbox, sunbelt sandbox 8. Own protocol udp (no connections logged), acks and sequences so packets are reliable transmitted, encoded traffic, bitstreams, unlimited number of clients supported 9. Download/update/remove 10. TCP (SYN) and UDP flood 11. Firefox 2.x, Firefox 3.x password harvesting 12. Internet Explorer 6, Internet Explorer 7 password harvesting 13. Reverse Socks4, Socks5, HTTP socks b) features of spreaders 1:MSN spreader hooks send function in msnmsgr process and hijack certain message, replacing it with custom link, msn process monitor (waits for msnmsgr, checks if same msnmsgr process running, else restart spreader) 2:P2P spreader supports: ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire obtains sharing folder out of registry or config files (100% accurate sharing folders) option to autospread with names of latest warez files obtained from certain warez website. 3:USB spreader using windows messages to get informed when usb device has been inserted; the spreader is very very fast and it locks down autorun.inf file even before explorer.exe can read it to launch autorun (so no other malware can infect infected machine via usb spreading). the autorun.inf file stays locked from reading or deleting until user decides to safely remove device from the system
Symantec has confirmed some of the capabilities mentioned to be correct, but as of yet has not confirmed them all. The screenshot below is from our analysis and shows a newly infected system joining the botnet through the Butterfly master console:
To date, Symantec data shows the following breakdown of the top 10 countries reporting infections due to the Butterfly bot kit:
As stated in our previous blog, Symantec detects this threat as W32.Pilleuz. It may also be detected as Packed.Generic.248 and Packed.Generic.255.