Friday, October 9, 2009

Mariposa Botnet Analysis



*** Update ***

An updated version of the Mariposa Technical Analysis can be found at http://defintel.com/docs/Mariposa_Analysis.pdf

***

Mariposa was first observed in May of 2009 by Defence Intelligence as an emerging botnet. In recent months, Mariposa has shown a significant increase in beaconing traffic to its command and control servers. This is indicative of an increasingly high number of compromised computers actively participating in the Mariposa botnet.

The most dangerous capability of this botnet is that arbitrary executable programs are downloaded and executed on command. This allows the bot master to infinitely extend the functionality of the malicious software beyond what is implemented during the initial compromise. In addition, the malware can be updated on command to a new variant of the binary, effectively reducing or eliminating the detection rates of traditional host detection methods.

Commands from the botnet master may be directed at participants in a specific country, individual computers, or all computers. As a result, the observation of the live command and control channel may not include all of the activity and capabilities of Mariposa.

The command and control channel employs custom encrypted UDP datagrams to receive instructions and transmit data. A detailed analysis of the encryption and message formats used by the protocol are presented in this paper.

During empirical analysis of internal controlled compromised systems, the following DNS domain names were observed as the command and control servers:

  • lalundelau.sinip.es
  • bf2back.sinip.es
  • thejacksonfive.mobi
  • butterfly.BigMoney.biz
  • bfisback.sinip.es
  • qwertasdfg.sinip.es

Over the last two weeks of analysis, two unique malicious programs were downloaded and executed on the compromised computers. One malware update was received during this period, introducing new command and control domain names, adding a ‘confirmation of download’ message, and renaming ASCII commands.

It has also been observed that the botnet participants are receiving Google custom search engine URL fragments in a command from the bot master. This indicates a possible hijacking of Google AdSense advertisement revenue.

This paper details the result of static binary analysis, a review of the command and control protocols including a breakdown of the encryption, and empirical behaviour analysis findings.

The full Mariposa Botnet Analysis is available in PDF form at defintel.com
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)