The Mariposa botnet made headlines when three of its alleged operators were arrested in Spain prior to its supposed shutdown. This was followed by a sudden and drastic decrease in Mariposa-related incidents, which was very understandable because the botnet was reported to have already been taken down.
Lately, however, we’ve been seeing a strange increase in activity related to WORM_PALEVO—the Trend Micro detection name for malware related to the Mariposa botnet. The increase started late in the fourth quarter of 2010.
It seems that despite the Mariposa botnet takedown in early 2010, some of its command-and-control (C&C) servers are still very much alive. Our findings were further verified, as according to abuse.ch, there are currently 89 active Mariposa C&C servers. This number is also steadily growing, as we’ve found 116 active C&C servers as of this writing. The list even includes the infamous URL that was responsible for the botnet’s name—Mariposa.
We checked out the variants that were causing the activity and found that although currently in-the-wild samples slightly differed from previous versions, their functions remained the same.
WORM_PALEVO is a modularized bot mainly used to perform distributed denial-of-service (DDoS) attacks and to download other files. As a commercial bot, its modules can be separately bought should herders want to add features such as propagation, browser monitoring and hijacking, cookie stuffing, and flooding and download routines to their creations. The bots communicate with their C&C server using UDP, which firewall devices do not typically block.
We are keeping a close eye on this threat and will post more information on developments. Trend Micro protects product users from this threat via the Trend Micro™ Smart Protection Network™, which detects malicious links, files, and email messages related to the Mariposa botnet’s activities.