New Botnet Does Symantec Detect it
Updated: 04 Sep 2010 | 7 comments
Saw this article today and I am trying to find more info. Does anyone know if Symantec detects it yet?
http://www.foxnews.com/story/0,2933,555901,00.html
Botnet is going by the name of Mariposa and according to the article there are many variants and most AV products do not detect it. So far I have not found much out on it outside of this article.
Comments
Hi,
From what I have read, this botnet is believed to be created from Butterfly Bot Kit.
There isn't much info on this particular threat. I will look into this and post an update sometime today.
Best,
Aniket
did you find out anything
I am hearing very little on this but the article was enough to cause some concern.
ditto did you find out anything ??
I want to know if we're covered or not ??
Stay Tuned
Hi Rick,
This news item has been getting a lot of press lately. Symantec is aware of it and our Security Response team is currently investigating.
Often times, these threats are already detected by various AV vendors, but under a different name.
I believe from a bit of reading that the file to watch out for at present is called sysdate.exe. Here's a link with a little more info on it from threatexpert.com : http://www.threatexpert.com/files/sysdate.exe.html
As soon as an analysis of the threat / toolkit / botnet / all components involved is complete, there will no doubt be more news on Symantec's Security Response site. Stay tuned!
In the meantime: here's a very good article about another botnet to be aware of: Zeus. https://www-secure.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits The video is an excellent illustration of the danger that is currently in circulation from these botnets.
Thanks and best regards
Mick
With thanks and best regards,
Mick
Mariposa = W32.SillyFDC
Mariposa is the name that one particular vendor uses for this threat. It does not appear to be a name that any other vendor is using. If it becomes a name in common usage we will look to change the name of our signatures.
It is not a single threat, but one with many variants. Symantec does have protection from the many variants of this threat with W32.SillyFDC signatures. We have been detecting the variants that use the sysdate file since January of this year.
A technical write-up on "Mariposa" can be read here: http://www.symantec.com/security_response/writeup.jsp?docid=2009-080707-4052-99
Kevin
Good Blog Post
Hi Rick,
I recalled that you were interested in this topic, and thought you might like to know that Security Response have just written a new post specifically on The Mariposa Butterfly.
To distinguish this particular family from W32.SillyFDC in general, a new designation has been created: W32.Pilleuz. All the details are linked off the new blog post!
Thanks and best regards,
Mick
With thanks and best regards,
Mick
A little help
Here's a quote from a blog we wrote awhile back when we first announced Mariposa. It should help with understanding the botnet name versus the malware involved:
"Our naming of this botnet as Mariposa has been a cause of concern for some. The confusion comes when antivirus companies or those using antivirus, search for the Mariposa name only to find no results. This is because Mariposa refers to the botnet and not the malware it utilizes."
The entire blog is available here:
Mariposa Defined
A lot of other questions and a link to a more detailed analysis are available here:
www.defintel.com
Hope that helps,
Matt