Endpoint Protection

  • 1.  New Botnet Does Symantec Detect it

    Posted Sep 27, 2009 09:08 PM
    Saw this article today and I am trying to find more info.   Does anyone know if Symantec detects it yet?

    http://www.foxnews.com/story/0,2933,555901,00.html

    Botnet is going by the name of Mariposa and according to the article there are many variants and most AV products do not detect it.  So far I have not found much out on it outside of this article.





  • 2.  RE: New Botnet Does Symantec Detect it

    Posted Sep 27, 2009 10:45 PM
    Hi,

    From what I have read, this botnet is believed to be created from Butterfly Bot Kit.

    There isn't much info on this particular threat. I will look into this and post an update sometime today.

    Best,
    Aniket


  • 3.  RE: New Botnet Does Symantec Detect it

    Posted Sep 29, 2009 09:40 AM
    I am hearing very little on this but the article was enough to cause some concern.


  • 4.  RE: New Botnet Does Symantec Detect it

    Posted Sep 29, 2009 11:06 AM
    Hi Rick,

    This news item has been getting a lot of press lately.  Symantec is aware of it and our Security Response team is currently investigating.  

    Oftentimes, these threats are already detected by various AV vendors, but under a different name.

    I believe from a bit of reading that the file to watch out for at present is called sysdate.exe.  Here's a link with a little more info on it from threatexpert.com : http://www.threatexpert.com/files/sysdate.exe.html

    As soon as an analysis of the threat / toolkit / botnet / all components involved is complete, there will no doubt be more news on Symantec's Security Response site.  Stay tuned!

    In the meantime: here's a very good article about another botnet to be aware of: Zeus.  https://www-secure.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits  The video is an excellent illustration of the danger that is currently in circulation from these botnets. 

    Thanks and best regards

    Mick


  • 5.  RE: New Botnet Does Symantec Detect it

    Posted Sep 29, 2009 11:06 AM
    I want to know if we're covered or not ??


  • 6.  RE: New Botnet Does Symantec Detect it

    Posted Sep 29, 2009 01:17 PM
    Mariposa is the name that one particular vendor uses for this threat.  It does not appear to be a name that any other vendor is using. If it becomes a name in common usage we will look to change the name of our signatures.

    It is not a single threat, but one with many variants.  Symantec does have protection from the many variants of this threat with W32.SillyFDC signatures.  We have been detecting the variants that use the sysdate file since January of this year.

    A technical write-up on  "Mariposa" can be read here: http://www.symantec.com/security_response/writeup.jsp?docid=2009-080707-4052-99


    Kevin


  • 7.  RE: New Botnet Does Symantec Detect it

    Posted Oct 02, 2009 04:53 AM
    Hi Rick,

    I recalled that you were interested in this topic, and thought you might like to know that Security Response have just written a new post specifically on The Mariposa Butterfly.

    To distinguish this particular family from W32.SillyFDC in general, a new designation has been created: W32.Pilleuz.  All the details are linked off the new blog post!

    Thanks and best regards,

    Mick


  • 8.  RE: New Botnet Does Symantec Detect it

    Posted Mar 03, 2010 03:03 PM

    Here's a quote from a blog we wrote awhile back when we first announced Mariposa. It should help with understanding the botnet name versus the malware involved:

    "Our naming of this botnet as Mariposa has been a cause of concern for some. The confusion comes when antivirus companies or those using antivirus, search for the Mariposa name only to find no results. This is because Mariposa refers to the botnet and not the malware it utilizes."

    The entire blog is available here:
    Mariposa Defined

    A lot of other questions and a link to a more detailed analysis are available here:
    www.defintel.com

    Hope that helps,

    Matt