The resurrection of the Mariposa botnet

When the news that the Spanish police arrested the three individuals suspected of running the Mariposa botnet was made public back in March 2010, it was generally thought that it might be the end of the line for one of the largest botnets ever reported on record.

The size of the botnet – almost 13 million compromised computers in over 190 world countries – was due to the exceptional propagation ability of the Palevo worm variant used to infect and enslave the individual computers. It spread through P2P networks and via instant messages. It copied itself on removable storage devices and network shares.

But, as we have learned from past experiences, a botnet is not completely destroyed until the last of its C&Cs is taken offline, and Mariposa’s wasn’t.

And now, according to Trend Micro researchers, the botnet is making a comeback.

They detected an increased activity of the Palevo worm at the end of last year, and have checked with abuse.ch to see if there were any active Mariposa C&C servers. It turns out, there are 115.

“We checked out the variants that were causing the activity and found that although currently in-the-wild samples slightly differed from previous versions, their functions remained the same,” say the researchers.

Palevo bots are mostly used for DDoS attacks and as downloaders for other malicious files, but can also have modules for monitoring and hijacking browsers and cookie stuffing.