We thought it might be interesting to provide some additional information on the Butterfly bot kit, following our blog published last week entitled The Mariposa Butterfly. We posted that blog in response to a report that half of the Fortune 100 companies have been compromised by a botnet dubbed Mariposa (Spanish for "butterfly"). The Butterfly bot kit's creator, known as Iserdo, markets the following features of the bot kit in the user manual supplied with the kit (the snippet below is taken directly from the user manual):
a) Features of bot base
1. Polymorphic code and strings
   code related to bot functionality is encoded every time with different key, same goes for strings
2. Installation into hidden location
   installs into location where it is impossible to access with windows explorer
3. Direct code injection into explorer.exe (DCI)
   injects whole bot into remote process without leaving any .dll behind
4. Registry startup method
   method that works on all winnt versions, including limited accounts (guest)
5. Executable file guard
   when bot is running (injected), bot file can not be deleted
6. Process monitor
   small code injected into another non-explorer.exe process which monitors explorer.exe; if explorer crashes, the bot is restarted and can reinject code into explorer.exe
7. Anti-x
   anti vmware, virtualpc, debugger 1 & 2, anubis, TE, sandbox, norman sandbox, sunbelt sandbox
8. Own protocol
   udp (no connections logged), acks and sequences so packets are reliably transmitted, encoded traffic, bitstreams, unlimited number of clients supported
9. Download/update/remove
10. TCP (SYN) and UDP flood
11. Firefox 2.x, Firefox 3.x password harvesting
12. Internet Explorer 6, Internet Explorer 7 password harvesting
13. Reverse Socks4, Socks5, HTTP socks
b) features of spreaders
1: MSN spreader
   hooks send function in msnmsgr process and hijack certain message, replacing it with custom link, msn process monitor (waits for msnmsgr, checks if same msnmsgr process running, else restart spreader)
2: P2P spreader
   supports: ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire
   obtains sharing folder out of registry or config files (100% accurate sharing folders)
   option to autospread with names of latest warez files obtained from certain warez website.
3: USB spreader
   using windows messages to get informed when usb device has been inserted; the spreader is very very fast and it locks down autorun.inf file even before explorer.exe can read it to launch autorun (so no other malware can infect infected machine via usb spreading). the autorun.inf file stays locked from reading or deleting until user decides to safely remove device from the system
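The USB spreader's advertised trick of holding autorun.inf locked while the device is attached is itself an observable symptom on an infected host. The following triage helper is an added example, not code from the blog or from the bot kit: given a mount path, it reports whether autorun.inf is absent, readable but launching something, readable and benign, or present yet unreadable (the lock the manual describes). The `opener` hook and the constructed `demo()` fixture are assumptions used so the locked case can be exercised without a real drive.

```python
"""Triage autorun.inf on removable media (added example, not from the page)."""
import os
import re
import tempfile

# [autorun] directives that make Windows launch something on insertion.
LAUNCH_KEYS = re.compile(r"^\s*(open|shellexecute|shell\\\w+\\command)\s*=", re.I)


def _find_autorun(mount_root):
    """Case-insensitive lookup, since FAT/NTFS volumes ignore case."""
    for name in os.listdir(mount_root):
        if name.lower() == "autorun.inf":
            return os.path.join(mount_root, name)
    return None


def classify_autorun(mount_root, opener=open):
    """Return 'absent', 'locked', 'launches' or 'benign' for one mount.

    'locked' means the file is present but cannot be opened for reading,
    which on Windows surfaces as a sharing violation / access denied and
    is the behaviour the manual advertises for the USB spreader.
    `opener` is a constructed hook (assumption) so tests can inject failure.
    """
    path = _find_autorun(mount_root)
    if path is None:
        return "absent"
    try:
        with opener(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return "locked"
    return "launches" if any(LAUNCH_KEYS.match(l) for l in text.splitlines()) else "benign"


def scan_mounts(mount_roots, opener=open):
    """Classify every mount root and return {root: verdict}."""
    return {root: classify_autorun(root, opener) for root in mount_roots}


def demo():
    """Run the classifier over constructed sample volumes in a temp dir."""
    root = tempfile.mkdtemp()
    results = {"absent": classify_autorun(root)}
    inf = os.path.join(root, "AUTORUN.INF")          # constructed sample file
    with open(inf, "w") as f:
        f.write("[autorun]\nopen=setup.exe\nicon=setup.exe\n")
    results["launches"] = classify_autorun(root)
    with open(inf, "w") as f:
        f.write("[autorun]\nlabel=Photos\nicon=drive.ico\n")
    results["benign"] = classify_autorun(root)

    def deny(*args, **kwargs):                       # simulate the lock
        raise PermissionError("sharing violation")
    results["locked"] = classify_autorun(root, opener=deny)
    return results
```

A 'locked' verdict on a freshly inserted device is only a heuristic: confirm it by checking which process holds the handle before treating the host as infected.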
Symantec has confirmed some of the capabilities mentioned to be correct, but has not yet confirmed them all. The screenshot below is from our analysis and shows a newly infected system joining the botnet through the Butterfly master console:

To date, Symantec data shows the following breakdown of the top 10 countries reporting infections due to the Butterfly bot kit:

As stated in our previous blog, Symantec detects this threat as W32.Pilleuz. It may also be detected as Packed.Generic.248 and Packed.Generic.255.