The resurrection of the Mariposa botnet
Posted on 26.05.2011
When the news that the Spanish police had arrested three individuals suspected of running the Mariposa botnet was made public back in March 2010, it was generally thought that it might be the end of the line for one of the largest botnets on record.

The size of the botnet - almost 13 million compromised computers in over 190 countries - was due to the exceptional propagation ability of the Palevo worm variant used to infect and enslave the individual computers. It spread through P2P networks and via instant messages, and it copied itself to removable storage devices and network shares.

But, as we have learned from past experience, a botnet is not completely destroyed until the last of its command-and-control (C&C) servers is taken offline, and Mariposa's wasn't.

And now, according to Trend Micro researchers, the botnet is making a comeback.

They detected increased activity of the Palevo worm at the end of last year and checked whether any Mariposa C&C servers were still active. It turns out there are 115.

"We checked out the variants that were causing the activity and found that although currently in-the-wild samples slightly differed from previous versions, their functions remained the same," say the researchers.

Palevo bots are mostly used for DDoS attacks and as downloaders for other malicious files, but can also have modules for monitoring and hijacking browsers and cookie stuffing.
