Last week, we talked about the Tequila botnet that was targeting Mexican users. Since our last post, there has been one big development—the botnet appears to have been taken down by the owners themselves.
On Thursday (June 3, 2010), the botnet’s controllers sent out new instructions to all of the active bots. One of the effects of this was to stop all of the bots’ phishing attacks, perhaps because our own post exposed all of the proxy servers and redirected hosts used in those attacks.
We were also able to find another botnet developed by the same person behind the Tequila botnet. This particular botnet, which we have called the Mariachi botnet, is not as feature-rich as the Tequila botnet. It could be used to mount phishing attacks or to install software onto affected systems; those appear to have been its main capabilities.
This Monday (June 7), however, both the Mariachi and Tequila botnets went offline after their command-and-control (C&C) servers were taken down. The Mariachi botnet’s C&C server appears to have been taken down by its hosting provider, Bluehost.
Soon afterward, the Tequila botnet’s C&C server went offline as well.
We have not seen any new activity out of either the Mariachi or the Tequila botnet since then, although we are continuing to monitor the now-orphaned bots for any new activity.
Once again, we express our thanks to Juan Castro of Trend Micro LAR for all the information he passed on about these botnets.