Skip to content

Mariposa Botnet Uses AutoRun Worms to Spread

by Trend Micro Employee ‎03-14-2010 10:27 PM - edited ‎03-14-2010 11:17 PM

The Threat Defined


Clipping Mariposa's Wings


Though the Mariposa botnet first became known as early as the second quarter of 2009, it has been in existence as early as December 2008. Typically, botnets carry with them binaries or malicious files that their perpetrators use for various purposes. As the botnet took flight toward notoriety, Trend Micro threat analysts found WORM_AUTORUN.ZRO, a worm retrieved from compromised systems that were found to be part of the Mariposa botnet. This worm has the ability to spread via instant-messaging (IM) applications, peer-to-peer (P2P) networks, and removable drives. Some binaries were also capable of spreading by exploiting a vulnerability in Internet Explorer (IE).



Adapted from:

Figure 1. Mariposa-infected systems worldwide


Defence Intelligence, a privately held information security firm specializing in compromise prevention and detection, collaborated with other security companies and researchers upon spotting the Mariposa botnet to give birth to the Mariposa Working Group (MWG). Last month, local and international authorities with the help of the MWG arrested three Mariposa botnet administrators known as "netkairo," "jonyloleante," and "ostiator."


Flying Free on a Cybercrime Spree


Just like any other botnet, Dias de Pesadilla (DDP), aka the Nightmare Days Team, used Mariposa to make money. Experts found out that this botnet is being used to steal information (e.g., credit card numbers, bank account details, user names and passwords to social-networking sites, and important files found on affected systems’ hard drives), which cybercriminals can use in a number of ways. Experts also found that DDP stole money directly from banks using money mules in the United States and Canada.



Figure 2. WORM_AUTORUN.ZRO infection diagram


Further digging into Mariposa's business model revealed that its administrators also offered underground services to potential clients. Some of these services include hacking servers to take control, encrypting bots to make them invisible to security applications, and creating anonymous VPN connections to administer bots. Parts of the Mariposa botnet are also rented out to other administrators and organizations to serve their underground business needs.


User Risks and Exposure


More than 200 binaries of the Mariposa botnet have been found in the wild. Among these, what users should be most wary of are information stealers that compromise not just banking information but also a user’s identity. As such, users are advised to keep their security solutions updated at all times.


Users also need to exercise caution when visiting malicious websites purporting to be legitimate to avoid system infections. Finally, Mariposa binaries are automatically executed when introduced to a system via removable devices. As such, users should disable Windows’ AutoRun feature to prevent programs on such drives from automatically running on their systems. To maximize the security of removable drives, read "How to Maximize the Malware Protection of Your Removable Drives."


Trend Micro Solutions and Recommendations


Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ is a cloud-client content security infrastructure that automatically blocks threats before they reach you. A global network of threat intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grow, the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall protection against data breaches, damage to business reputation, and loss of productivity.


Smart Protection Network™ protects users from Mariposa botnet-related attacks by detecting and preventing the execution of WORM_AUTORUN.ZRO via the file reputation service. Non-Trend Micro product users can also stay protected with free tools like RUBotted, which monitors computers for suspicious activities and regularly checks with an online service to identify behaviors associated with bots. Upon discovering potential infections, it prompts users to scan and clean their computers.


The following post at the TrendLabs Malware Blog discusses this threat:

The virus reports are found here:

Other related posts are found here: