Endpoint Protection

 View Only

The Mariposa / Butterfly Bot Kit 

Oct 07, 2009 05:00 PM

We thought it might be interesting to provide some additional information on the Butterfly bot kit, following our blog published last week entitled The Mariposa Butterfly. We posted that blog in response to a report that half of the Fortune 100 companies have been compromised by a botnet dubbed Mariposa (Spanish for "butterfly"). The Butterfly bot kit's creator, known as Iserdo, markets the following features of the bot kit in the user manual supplied with the kit (the below snippet is taken directly from the user manual):

a) Features of bot base

1. Polymorphic code and strings
    code related to bot functionality is encoded
    everytime with different key, same goes for
2. Installation into hidden location
    installs into location where it is impossible
    to access with windows explorer
3. Direct code injection into explorer.exe (DCI)
    injects whole bot into remote process without
    leaving any .dll behind
4. Registry startup method
    method that works on all winnt versions,
    including limited accounts (guest)
5. Executable file guard
    when bot is running (injected), bot file can
    not be deleted
6. Process monitor
    small code injected into another non-explorer.exe
    process which monitors explorer.exe; if explorer
    crashes, the bot is restarted and can reinject
    code into explorer.exe
7. Anti-x
    anti vmware, virtualpc, debugger 1 & 2, anubis,
    TE, sandbox, norman sandbox, sunbelt sandbox
8. Own protocol
    udp (no connections logged), acks and sequences
    so packets are reliable transmitted, encoded traffic,
    bitstreams, unlimited number of clients supported
9. Download/update/remove
10. TCP (SYN) and UDP flood
11. Firefox 2.x, Firefox 3.x password harvesting
12. Internet Explorer 6, Internet Explorer 7 password harvesting
13. Reverse Socks4, Socks5, HTTP socks

b) features of spreaders

1:MSN spreader
    hooks send function in msnmsgr process and hijack
    certain message, replacing it with custom link,
    msn process monitor (waits for msnmsgr, checks if
    same msnmsgr process running, else restart spreader)

2:P2P spreader
    supports: ares, bearshare, imesh, shareaza, kazaa,
    dcplusplus, emule, emuleplus, limewire
    obtains sharing folder out of registry or config
    files (100% accurate sharing folders)
    option to autospread with names of latest warez files
    obtained from certain warez website.

3:USB spreader
    using windows messages to get informed when usb device
    has been inserted; the spreader is very very fast and
    it locks down autorun.inf file even before explorer.exe
    can read it to launch autorun (so no other malware
    can infect infected machine via usb spreading). the
    autorun.inf file stays locked from reading or deleting
    until user decides to safely remove device from the system

Symantec has confirmed some of the capabilities mentioned to be correct, but as of yet has not confirmed them all. The screenshot below is from our analysis and shows a newly infected system joining the botnet through the Butterfly master console:


To date, Symantec data shows the following breakdown of the top 10 countries reporting infections due to the Butterfly bot kit:


As stated in our previous blog, Symantec detects this threat as W32.Pilleuz. It may also be detected as Packed.Generic.248 and Packed.Generic.255.


0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.