Panda Security reports over 13 Million users affected by Mariposa Botnet
India, Mexico, Brazil and Korea Hardest Hit by Massive Attack
Following the worldwide shutdown of the Mariposa botnet last week, Panda Security reported today that the massive botnet had infected 13 million computers in 190 countries and 31,901 cities. The takedown was the result of a collaborative operation spearheaded by Panda Security, Defence Intelligence, the FBI and the Spanish Guardia Civil, resulting in three arrests.
According to Luis Corrons, Technical Director of PandaLabs, “The highest infection ratios are found in countries where computer security education is not a priority. However, in countries where cyber security awareness campaigns have been prioritized over the last few years, like the United States, Germany, UK and Japan, the number of infections was significantly lower.”
The cities most affected by Mariposa were Seoul (5.36 percent of compromised IP addresses), Bombay (4.45 percent) and New Delhi (4.27 percent). The top 10 infected cities are as follows:
Rank City %
1 Seoul 5.36
2 Bombay 4.45
3 New Delhi 4.27
4 Mexico City 3.89
5 Bogota 2.68
6 Lima 1.98
7 Kiev 1.68
8 Bangalore 1.39
9 Islamabad 1.24
10 Tehran 1.23
When looking at the infection rate by country, India leads the ranking (19.14 percent of all infections), followed by Mexico (with 12.85 percent) and Brazil (7.74 percent). The U.S. ranked 20th out of the 190 countries where computers were infected (with 1.05 percent).
The top 10 infected countries are as follows:
Rank Country %
1 INDIA 19.14
2 MEXICO 12.85
3 BRAZIL 7.74
4 KOREA 7.24
5 COLOMBIA 4.94
6 RUSSIA 3.14
7 EGYPT 2.99
8 MALAYSIA 2.86
9 UKRAINE 2.69
10 PAKISTAN 2.55
An image of the above Mariposa infection breakdown by country can be found at http://www.flickr.com/photos/panda_security/4419015337/.
“The coordinated effort of all Mariposa Working Group members led to the worldwide shutdown of the Mariposa botnet on December 23 at 11:00 am ET. On that date, we seized control of the communication channels used by Mariposa, effectively severing the botnet from its criminal creators and redirecting all requests to a server controlled by us. At that time we realized the huge number of IP addresses controlled by the bot, almost 13 million, and determined the astonishing number of affected countries and cities. The compromised IP addresses include personal, government and corporate computers,” explains Corrons.
An image of the global infection map can be found here: http://www.flickr.com/photos/panda_security/4419780176/.
The Georgia Institute of Technology has plotted the progress of the Mariposa Botnet in an animation available at http://fritz.cc.gt.atl.ga.us/mariposa/mariposa_major_victim_areas.avi. According to David Dagon, Ph.D. Candidate at the Georgia Institute of Technology, “I think a remarkable aspect of this botnet is that it reverses the normal expectations about infections. Usually, the press tells us that ‘eastern’ botmasters are attacking ‘western’ victims. In Mariposa’s case, we tend to see the opposite: some botmasters in the west, and victims in the east. The lesson learned is that we all face a common threat.”
Panda Security recommends that all users, home users and companies alike, perform an in-depth scan of their computers to make sure they are not infected by the Mariposa bot. Individuals and businesses can do so by using the company's free online scanner, Panda ActiveScan, or by downloading its free cloud-based antivirus, Panda Cloud Antivirus, from www.cloudantivirus.com.
Panda Security and Defence Intelligence coordinate massive botnet shutdown with international law enforcement
Collaborative cybercrime investigation results in three arrests, more pending
Personal and financial data compromised in massive cyber attack impacting nearly 13 million unique IP addresses and 50 percent of Fortune 1000 companies
Preliminary damages estimated to be in the millions of dollars
According to IT security firms Panda Security and Defence Intelligence, the Mariposa botnet, a massive network of infected computers designed to steal sensitive information, has been shut down, and three suspected criminals accused of operating the botnet have been arrested by Spanish law enforcement. Mariposa stole account information for social media sites and online email services, usernames and passwords, banking credentials, and credit card data by infiltrating an estimated 12.7 million personal, corporate, government and university IP addresses in more than 190 countries. The botnet was shut down and rendered inactive on December 23rd, 2009 thanks to the collaborative effort of security experts and law enforcement, including Panda Security, Defence Intelligence, the FBI and the Spanish Guardia Civil.
With almost 13 million compromised computers, Mariposa is one of the largest botnets on record. Christopher Davis, CEO of Defence Intelligence, who first discovered the Mariposa botnet, explains: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were.”
Following the discovery of Mariposa’s existence in May 2009, Defence Intelligence, Panda Security and the Georgia Tech Information Security Center spearheaded the Mariposa Working Group as a collaborative effort with other international security experts and law enforcement agencies to eradicate the botnet and bring the perpetrators to justice. The main botmaster, nicknamed “Netkairo” and “hamlet1917”, as well as his immediate botnet operator partners, “Ostiator” and “Johnyloleante”, were arrested earlier this month.
Pedro Bustamante, senior research advisor at Panda Security, said: “Our preliminary analysis indicates that the botmasters did not have advanced hacking skills. This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss. We’re extremely proud of the coordinated effort made by all of the Mariposa Working Group members and the speed at which we were able to bring down this massive botnet and the criminals behind it.”
Late last year, the Mariposa Working Group infiltrated the command-and-control structure of Mariposa to observe the communication channels used by the suspected botmasters. These channels carry commands from the perpetrators to the compromised computers and stolen information back to them, and they are commonplace: the Zeus, Conficker and Koobface botnets use the same model, as did the recent Google/Aurora operation. After analyzing the main command-and-control servers, the Working Group was able to facilitate the coordinated worldwide shutdown of the Mariposa botnet on December 23rd. Panda Security is currently leading a comprehensive analysis of the malware and coordinating communication with other antivirus companies to ensure that their signatures are updated.
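The figures in this release come from a sinkhole: once the command-and-control domains point at a server the investigators control, every bot check-in arrives there and can be tallied. The Python below is an added example, not code from Panda Security, Defence Intelligence or the Mariposa Working Group. The log format, the sample log lines and the prefix-to-location table that stands in for a GeoIP database are all constructed for the example (the addresses are RFC 5737 documentation ranges and the request path is an assumption). It deduplicates check-ins by source address, drops RFC 1918 and loopback sources that cannot be real victims, and ranks the remaining unique addresses by country and city, which is how percentages like those in the tables above are derived.

```python
"""Sinkhole check-in tally (added example; constructed data, not real Mariposa logs)."""
from collections import Counter
import ipaddress
import re

# Constructed sinkhole access log, one check-in per line: "<epoch> <src_ip> <request>".
# The request path is an assumption; the addresses are RFC 5737 documentation ranges.
SINKHOLE_LOG = """\
1261587600 203.0.113.10 GET /gate.php
1261587601 203.0.113.10 GET /gate.php
1261587602 198.51.100.7 GET /gate.php
1261587603 198.51.100.7 GET /gate.php
1261587604 192.0.2.44 GET /gate.php
1261587605 192.0.2.45 GET /gate.php
1261587606 203.0.113.11 GET /gate.php
1261587607 not-an-ip GET /gate.php
1261587608 10.0.0.5 GET /gate.php
"""

# Stand-in for a GeoIP database (assumption): prefix -> (country, city).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("KOREA", "Seoul"),
    ipaddress.ip_network("198.51.100.0/24"): ("INDIA", "Bombay"),
    ipaddress.ip_network("192.0.2.0/24"): ("MEXICO", "Mexico City"),
}

# Sources that cannot be real victims on the public Internet. Listed explicitly rather
# than via ip.is_private because Python also flags the RFC 5737 test ranges as private.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")


def parse_checkins(log_text):
    """Yield (timestamp, ip) for well-formed lines whose source is a routable address."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:       # malformed source field; skip the line
            continue
        if any(ip in net for net in NON_ROUTABLE):
            continue
        yield int(m.group(1)), ip


def geolocate(ip):
    """Map an address to (country, city) via the prefix table; UNKNOWN if unmatched."""
    for net, loc in GEO_TABLE.items():
        if ip in net:
            return loc
    return ("UNKNOWN", "UNKNOWN")


def tally(log_text):
    """Deduplicate check-ins by source IP and compute per-country and per-city shares."""
    checkins = list(parse_checkins(log_text))
    unique_ips = {ip for _, ip in checkins}
    by_country, by_city = Counter(), Counter()
    for ip in unique_ips:
        country, city = geolocate(ip)
        by_country[country] += 1
        by_city[city] += 1
    n = len(unique_ips)

    def share(counter):
        return {k: round(100.0 * v / n, 2) for k, v in counter.items()} if n else {}

    return {
        "checkins": len(checkins),      # raw hits, inflated by repeated polling
        "unique_ips": n,                # what the release reports as "infected"
        "country_pct": share(by_country),
        "city_pct": share(by_city),
    }


def top_n(pct, n=10):
    """Rank shares descending, ties broken by name, as in the tables above."""
    return sorted(pct.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    result = tally(SINKHOLE_LOG)
    print(result["checkins"], "check-ins from", result["unique_ips"], "unique addresses")
    for rank, (country, pct) in enumerate(top_n(result["country_pct"]), 1):
        print(rank, country, f"{pct:.2f}")
```

The tally counts unique IP addresses, as the release does, not infected machines: DHCP churn makes one bot show up as several addresses over time, while NAT hides many bots behind one, so a sinkhole census is an order-of-magnitude estimate of the bot population rather than an exact count.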
Highlights from Panda Security’s preliminary analysis include:
– Once a machine was infected by the Mariposa bot client, the botmaster pushed additional malware to it (advanced keyloggers, banking trojans such as Zeus, remote access trojans, etc.) to extend what could be done with the zombie PC.
– The botmaster made money by selling parts of the botnet, installing pay-per-install toolbars, selling stolen credentials for online services, and using the stolen banking credentials and credit cards to transfer funds to overseas money mules.
– The Mariposa botnet spread extremely effectively via P2P networks, USB drives, and links sent over MSN Messenger.
A more comprehensive report from Panda Security’s forensic analysis will be available at http://pandalabs.pandasecurity.com/ shortly. In the meantime a short description of the Mariposa botnet software can be found at http://www.pandasecurity.com/homeusers/security-info/217587/ButterflyBot.A.
“Once again, the coordinated efforts of various international law enforcement agencies and Spain’s Guardia Civil, together with the Internet security industry, have been able to tackle the global threat of cyber-crime,” said Juan Salom, commander of the Cybercrime Unit of the Guardia Civil.
According to Dave Dagon at the Georgia Tech Information Security Center: “Instead of making pie charts, we should treat a botnet as a crime scene and not just a research project.”
The Mariposa Working Group has officially seized control of the communication channels used by Mariposa, effectively severing the botnet from its criminal creators. In an apparent act of retaliation, a Distributed Denial of Service (DDoS) attack was initiated against Defence Intelligence shortly after the botnet was shut down in December. The attack was powerful enough to impact one large Internet Service Provider, many of whose customers were knocked offline for several hours.
According to a representative from CDmon, the ISP that collaborated in the investigation and where the criminal domains were hosted: “We are pleased to have been able to support this international operation, along with the Spanish Guardia Civil, Panda Security, Defence Intelligence and other law enforcement agencies, and to help bring down the botnet. CDmon is strongly committed to the concept of quality Internet, guaranteeing standards of quality and security across all our services. This collaborative effort is a big win in the fight against cybercrime.”
“We will continue to fight the threat of botnets and the criminals behind them,” says Davis. “We’ll start by dismantling their infrastructure and won’t stop until they’re standing in front of a judge.”
Defence Intelligence and Panda Security are attempting to contact affected organizations. To find out if your organization has been compromised, contact compromise@defintel.com or info@pandasecurity.com.