Sergeant John’s 3-D Chiller House of Terror!

No Handball Playing In This Area

Botnet

Posted on September 29, 2009

Half of the Fortune 100 are infected?

Since its discovery in May of 2009 we’ve identified Mariposa activity in tens of thousands of unique corporate networks. Over 70 variants have been identified with varying degrees of security and purpose, including code injection into known processes, email address harvesting, and additional malware downloads. The purpose behind so many variants may only be functionality differences or efforts at avoiding AV detection, but it does not reveal the number of controllers or the exact motivation behind the overall threat.

Believed to stem from the butterfly bot kit, formerly sold at bfsecurity.net, this botnet is successfully spreading across thousands of corporate networks, just as it was designed to do. From the bfsecurity.net site, butterflybot is a

“Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]” The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]”

Other methods may now be in place for propagation as well as capabilities for the bf botkit, but the original add-on features included Firefox and IE password harvesting, and TCP/UDP flooding. NetBIOS worm propagation and email address harvesting also appear to have become common additions.
