Friday, November 6, 2009

Mariposa and BlackEnergy DDOS

Talk of Mariposa may have faded, but the botnet is still very active. Some new occurrences have been observed here and merit reporting for those still following the story.

Defence Intelligence's involvement with the Mariposa botnet goes back to the observation of a suspicious domain that was being queried quite frequently.

Butterfly.bigmoney.biz had popped up on our radar as unusual in both its name and the volume of queries being made for it. Fairly extensive analysis then revealed some other domains of interest:

butterfly.sinip.es
bfisback.sinip.es
qwertasdfg.sinip.es

These four, butterfly.bigmoney.biz included, proved to be command and control domains for the botnet.
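The pattern described above (an oddly named domain drawing a disproportionate volume of queries, later confirmed as command and control) is the kind of thing a resolver log review can surface. The following is an added example, not code from Defence Intelligence or the original post: it parses a constructed sample of resolver query lines (timestamp, client, query type, name), counts queries and distinct clients per name, flags any name that matches the four C&C domains named above, flags any name being asked for by an unusually broad set of clients, and lists the clients that contacted a known C&C domain. The log format, the sample lines, the client addresses and the `min_clients` threshold are all assumptions.

```python
import re
from collections import defaultdict

# Command and control domains named in the post.
MARIPOSA_C2 = {
    "butterfly.bigmoney.biz",
    "butterfly.sinip.es",
    "bfisback.sinip.es",
    "qwertasdfg.sinip.es",
}

# Constructed sample of resolver query logs (not real traffic).
# Shape assumed here: <timestamp> <client ip> <qtype> <qname>
SAMPLE_LOG = """\
2009-06-02T08:00:01 10.1.4.22 A butterfly.bigmoney.biz
2009-06-02T08:00:02 10.1.4.22 A www.example.com
2009-06-02T08:00:05 10.1.7.9 A butterfly.bigmoney.biz
2009-06-02T08:00:07 10.1.9.31 A qwertasdfg.sinip.es
2009-06-02T08:00:09 10.1.4.22 A butterfly.bigmoney.biz
2009-06-02T08:00:11 10.1.2.2 A mail.example.com
2009-06-02T08:00:12 10.1.7.9 A bfisback.sinip.es
2009-06-02T08:00:13 10.1.5.5 A www.example.com
2009-06-02T08:00:15 10.1.8.8 A butterfly.bigmoney.biz
2009-06-02T08:00:16 10.1.3.3 A updates.example.net
2009-06-02T08:00:18 10.1.6.6 A butterfly.bigmoney.biz
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Yield (client, qname) pairs; lines that do not match the assumed shape are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        # Normalise: lower-case and drop a trailing dot so lookups are exact.
        yield client, qname.lower().rstrip(".")


def summarize(text):
    """Per qname: total query count and the set of distinct clients asking for it."""
    counts = defaultdict(int)
    clients = defaultdict(set)
    for client, qname in parse_dns_log(text):
        counts[qname] += 1
        clients[qname].add(client)
    return counts, clients


def flag_domains(text, known_c2=MARIPOSA_C2, min_clients=3):
    """Return {qname: details} for names that match the C&C list or that an
    unusually broad set of clients is querying (min_clients is an assumed threshold)."""
    counts, clients = summarize(text)
    findings = {}
    for qname, n in counts.items():
        reasons = []
        if qname in known_c2:
            reasons.append("known_c2")
        if len(clients[qname]) >= min_clients:
            reasons.append("spread_across_%d_clients" % len(clients[qname]))
        if reasons:
            findings[qname] = {
                "queries": n,
                "clients": sorted(clients[qname]),
                "reasons": reasons,
            }
    return findings


def infected_clients(text, known_c2=MARIPOSA_C2):
    """Clients that asked the resolver for any known C&C name: the hosts to triage first."""
    return {client for client, qname in parse_dns_log(text) if qname in known_c2}


if __name__ == "__main__":
    for qname, info in sorted(flag_domains(SAMPLE_LOG).items()):
        print(qname, info["queries"], ", ".join(info["reasons"]))
    print("clients contacting known C&C:", sorted(infected_clients(SAMPLE_LOG)))
```

The volume heuristic is only a lead: a popular legitimate name will trip it too, which is why the blocklist match and the volume flag are reported as separate reasons rather than merged into one score.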

On October 4th the bot updated and began contacting new domains:

lalundelau.sinip.es
bf2back.sinip.es
thejacksonfive.mobi

The last of these has taken on a much different role over time. After the 4th, communication with 200.74.244.84, the IP to which thejacksonfive.mobi also resolved, was readily observed. Various commands to Mariposa were being issued from this IP, including one to spread itself across MSN using the drop site URL http://obamawebcam.com/load.php. The file to be dropped was named bin.exe, but the spread on our test system was ineffective at the time. A VirusTotal report showed detections as Palevo, the label applied to much of the malware behind Mariposa. Several other binaries were also downloaded, most of them from rapidshare.com.

Recently, on November 3rd, a new binary was grabbed from rapidshare as instructed by butterfly.bigmoney.biz. This file, named blackjackson.exe, was found to be version 1.92 of the BlackEnergy DDOS bot, and along with its installation came a new C&C domain, thejacksonfive.us. Both thejacksonfive.us and thejacksonfive.mobi are now also used as web-based GUI control panels for BlackEnergy.



A good writeup on BlackEnergy can be found in Arbor's BlackEnergy+DDoS+Bot+Analysis.pdf. A third related domain, tamiflux.net, is also used as a web interface for the DDOS malware and is currently the only one blacklisted by Firefox.

On November 4th, thejacksonfive.us issued a command to begin an HTTP GET request flood of three domains and one IP:

al-hora.net
saaid.net
islamlight.net
74.86.18.4 (the IP address for saaid.net)

These Saudi Arabian sites appear to be forums for religious and regional political discussion so the motivation behind the attacks may also be religious or political. Al-hora.com has been targeted for "censorship" for quite some time now and has apparently been kept offline since December 2007. Read more at www.rsf.org. Currently, of the sites being targeted, only saaid.net has managed to recover from the attacks.

On November 5th, thejacksonfive.us changed orders to alter the attack slightly, using a SYN flood instead of a GET request flood and targeting only islamlight.net and saaid.net. This alteration was likely made in response to saaid.net's sustained presence online. (They talk about the attack on the home page.) Tamiflux.net is HTTP flooding the same domains.

Looking further into the attacks, we have found that the DDOS botnet has about 5,500 members under active control at any given time, and over 60,000 unique compromised systems. This is rather small, however, compared to the 1.5 million unique computers we believe to be members of the Mariposa botnet.

The Mariposa botnet has continued to grow in size since we first observed it in May and has far surpassed our original estimate of 150,000 to 200,000 compromised systems. The distribution of compromised systems is fairly wide, but concentrations are obvious in Central America, Europe and South Korea.

Thursday, November 5, 2009

MaCatte's green roots are showing.

As an update to my previous post on GreenAV, it seems that they are still trying to "Save the green forests of Amazonia" by having you install rogue antivirus.

MaCatte is the newest rogue AV to appear and has ties to the recently promoted GreenAV software; all of the following websites share the same IP, 174.142.96.2:

express.greencustomersupport.com
green-av-2010-pro.com
green-av-2010.com
green-av-pre.com
green-av-pro.com
macatte.com
my-green-av-pre.com
my-green-av-pro.com
my-green-av.com
p4678z.my-green-av.com
progresivescan.info
zp4.green-av.com
zp45.green-av-pro.com

In fact, going to express.greencustomersupport.com will take you to the MaCatte homepage. MaCatte, like so many other rogue AVs, runs fake scans on the machine and advises the user that the machine is infected, and that they will gladly remove the infections as long as one pays to register the product for $99. MaCatte is propagating in the same manner as GreenAV: through torrent sites, website redirection and freeware.
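The tie between MaCatte and GreenAV above was made by pivoting on shared hosting: one known-bad domain resolves to an IP, and every other name on that IP becomes a candidate. The following is an added example, not code from Defence Intelligence or the original post, of that pivot as a breadth-first walk over domain-to-IP records. The thirteen names on 174.142.96.2 are the ones listed above; the 198.51.100.x addresses, second-hop.example and the tenantN.example names are constructed to show a second hop and a busy shared host that should not drag in its unrelated neighbours. The `max_fanout` cutoff is an assumed heuristic.

```python
from collections import defaultdict, deque

# Constructed passive-DNS style records (domain, ip). The 174.142.96.2 entries are the
# domains named in the post; everything else is made up for the example.
RECORDS = [
    ("express.greencustomersupport.com", "174.142.96.2"),
    ("green-av-2010-pro.com", "174.142.96.2"),
    ("green-av-2010.com", "174.142.96.2"),
    ("green-av-pre.com", "174.142.96.2"),
    ("green-av-pro.com", "174.142.96.2"),
    ("macatte.com", "174.142.96.2"),
    ("my-green-av-pre.com", "174.142.96.2"),
    ("my-green-av-pro.com", "174.142.96.2"),
    ("my-green-av.com", "174.142.96.2"),
    ("p4678z.my-green-av.com", "174.142.96.2"),
    ("progresivescan.info", "174.142.96.2"),
    ("zp4.green-av.com", "174.142.96.2"),
    ("zp45.green-av-pro.com", "174.142.96.2"),
    # constructed: one of the listed domains also sat on a second host with one more name
    ("green-av-pro.com", "198.51.100.7"),
    ("second-hop.example", "198.51.100.7"),
    # constructed: a busy shared host; its other tenants are not related
    ("progresivescan.info", "198.51.100.50"),
] + [("tenant%d.example" % i, "198.51.100.50") for i in range(40)]


def build_graph(records):
    """Index records both ways: domain -> IPs and IP -> domains."""
    by_domain = defaultdict(set)
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_domain[domain.lower()].add(ip)
        by_ip[ip].add(domain.lower())
    return by_domain, by_ip


def pivot(seed, records, max_hops=2, max_fanout=25):
    """Return ({domain: hops from seed}, skipped_ips).

    Walks seed -> its IPs -> every domain on those IPs, repeating up to max_hops.
    An IP hosting more than max_fanout domains is treated as shared hosting (assumed
    heuristic) and recorded in skipped_ips instead of being expanded.
    """
    by_domain, by_ip = build_graph(records)
    seed = seed.lower()
    found = {seed: 0}
    queue = deque([seed])
    skipped_ips = set()
    while queue:
        domain = queue.popleft()
        if found[domain] >= max_hops:
            continue
        for ip in by_domain[domain]:
            if len(by_ip[ip]) > max_fanout:
                skipped_ips.add(ip)
                continue
            for neighbour in by_ip[ip]:
                if neighbour not in found:
                    found[neighbour] = found[domain] + 1
                    queue.append(neighbour)
    return found, skipped_ips


if __name__ == "__main__":
    found, skipped = pivot("macatte.com", RECORDS)
    for domain, hops in sorted(found.items(), key=lambda kv: (kv[1], kv[0])):
        print(hops, domain)
    print("skipped shared hosts:", sorted(skipped))
```

Every name the walk returns is a candidate to verify by hand, not a conclusion: the post itself confirms the link by visiting the support domain and landing on the MaCatte homepage, which is the step no pivot can replace.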

MaCatte seems to be attempting to ride the coattails of McAfee, with a similar name, logo and website design. Included features on the site are a lovely challenge-response captcha in the support section to ensure that support requests are generated by an actual person and not a machine. There is a "Latest Threats Detected" box that lists a few common threats such as Conficker, and if you actually want to buy the product for $99 there is a link to plimus.com's payment processing. (At the time of writing, the order page at plimus.com was unavailable.) It would be interesting to see stats on how many people actually land on that payment page for MaCatte.

Plimus.com is a company that offers payment processing for online businesses and takes a commission from each sale. Your own conclusions can be drawn regarding Plimus' track record after reading Google's Safe Browsing diagnostic page for Plimus and the reviews on Web of Trust. Norton did have the site flagged as unsafe for selling key logger software but has since changed its rating to safe. The Plimus site also shows McAfee Secure and VeriSign Secured logos at the bottom of the page. I am unsure at this time if the Plimus website is in fact MaCatte secure or not.


MaCatte offers to detect, block and remove viruses, spyware and rootkits with a quick scan. The program also has an anti-phishing component that is supposed to warn you before accessing dangerous scam websites like their own. The feature that looks the most interesting is the Identity Protection: "Lets you shop, bank and trade online safely by asking permission before personally identifiable information like PINs, bank accounts, Social Security numbers are sent from your machine." I have no faith in the effectiveness or honesty of these statements.

Currently there are no removal tools readily available to the public, but for now you are able to do a system restore back to a "pre-infection" restore point, although there have been reports that MaCatte has added a feature to block attempts to do a system restore. So if you are infected with the MaCatte rogue AV, you might as well reformat.

MaCatte is just another rendition of Rogue Antivirus using fake scans and scareware tactics to con people into paying for their software while selling off their information as an added bonus. But hey, they do have a refund policy.


B.Kilrea
Threat Analyst