Mariposa Botnet
The Mariposa botnet, discovered in December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly Bot" ("mariposa" is Spanish for butterfly), making it one of the largest known botnets.


History


Origins and initial spread

The botnet was originally created by the DDP Team (Spanish: Días de Pesadilla Team, English: Nightmare Days Team), using a malware program called "Butterfly bot", which was also sold to various individuals and organisations. The goal of this malware program was to install itself on an uninfected PC and monitor activity for passwords, bank credentials and credit cards. After that the malware would attempt to self-propagate to other reachable systems using various supported methods, such as MSN, P2P and USB. After completing its initial infection routine the malware would contact a command-and-control server within the botnet. This command-and-control server could be used by the controllers of the botnet to issue orders to the botnet itself.


Operations and impact

The operations executed by the botnet were diverse, in part because parts of the botnet could be rented by third-party individuals and organizations. Confirmed activities include denial-of-service attacks, e-mail spam, theft of personal information, and changing the search results a browser would display in order to show advertisements and pop-up ads. Due to the size and nature of a botnet its total financial and social impact is difficult to calculate, but initial estimates calculated that the removal of the malware alone could cost "tens of millions of dollars". After the apprehension of the botnet's operators, government officials also discovered a list containing personal details on 800,000 individuals, which could be used or sold for identity theft purposes. The countries most infected by the botnet were India, Mexico, Brazil and South Korea.


Dismantling

In May 2009 the Mariposa Working Group (MWG) was formed as an informal group, composed of Defence Intelligence, the Georgia Tech Information Security Center and Panda Security, along with additional unnamed security researchers and law enforcement agencies. The goal of this group was the analysis and extermination of the Mariposa botnet itself. On 23 December 2009 the Mariposa Working Group managed to take control of the Mariposa botnet, after seizing control of the command-and-control servers used by the botnet. The operational owners of the botnet eventually succeeded in regaining control over the botnet, and in response launched a denial-of-service attack on Defence Intelligence. The attack itself managed to knock out Internet connectivity for a large share of the ISP's customers, which included several Canadian universities and government agencies.

On 3 February 2010, the Spanish national police arrested Florencio Carro Ruiz (alias: Netkairo) as the suspected leader of the DDP Team. Two additional arrests were made on 24 February 2010: Jonathan Pazos Rivera (alias: Jonyloleante) and Juan José Ríos Bellido (alias: Ostiator) were arrested on suspicion of being members of DDP. On 18 July 2010, Matjaž Škorjanc (alias: Iserdo), the creator of the "Butterfly bot" malware, was arrested in Maribor by Slovenian police for the first time, but released due to lack of evidence. He was arrested again in October 2011. In December 2013 Škorjanc was convicted in Slovenia of "creating a malicious computer program for hacking information systems, assisting in wrongdoings and money laundering." He was sentenced to 4 years and 10 months imprisonment and fined €3,000 ($3,000). The court also ordered the seizure of Škorjanc's property acquired with the proceeds of crime. After he appealed the verdict, his fine was raised in February 2015 by an additional 25,000 EUR. On 5 June 2019, US law enforcement opened a new case into the operations of the Mariposa (Butterfly Bot, BFBOT) malware gang. The FBI moved forward with new charges and arrest warrants against four suspects, including NiceHash's operator Matjaž Škorjanc.


External links


Analysis of the Mariposa botnet