mariposa botnet briefing mariposa
play

Mariposa Botnet Briefing MARIPOSA Current State Three arrests have - PowerPoint PPT Presentation

Sep 11, 2022 •21 likes •211 views

Mariposa Botnet Briefing MARIPOSA Current State Three arrests have been made... Over 1,000,000 personal credentials recovered thus far during investigation Since March 3rd - 903 international news stories have been published about

  1. Mariposa Botnet Briefing

  2. MARIPOSA Current State • Three arrests have been made... • Over 1,000,000 personal credentials recovered thus far during investigation • Since March 3rd - 903 international news stories have been published about Mariposa • From Dec 23rd 2009 through March 7 2010 there have been 15,550,850 unique IPs connecting with the exact Mariposa connection string to the sinkhole

  3. MARIPOSA FAQ What Does it Do? Whatever it wants. The software behind Mariposa is engineered to gain access to and maintain control over the victim machine. The most lucrative use of the botnet is of course, data theft. Over 1 million stolen usernames, passwords, and banking details have been recovered from the machines of the botmasters. In 2008, data breaches led to the theft of 85 million personal records. - DataLoss DB

  4. MARIPOSA FAQ Who is responsible? Currently there have been three arrests in relation to Mariposa. How does it spread? By default, the malware is designed to spread across instant messenger programs, USB keys, and P2P networks. It will also exploit older versions of IE6 to install the latest Mariposa binary without user interaction. In the last year, 70 of the top 100 most visited websites served malicious software or redirected users to malicious sites. - Websense

  5. MARIPOSA FAQ Why Mariposa? The primary kit behind the creation of Mariposa is called bfbot or the butterfly bot kit. We determined that the primary botmaster was in Spain, and Mariposa is Spanish for butterfly. As a bonus, calling someone a Mariposa is apparently an insult. What companies/organizations are compromised? While we will not disclose any compromised parties publicly, we can see all systems compromised by Mariposa. Of the Fortune 500, it would be easier for us to say who isn’t compromised. 3 out of 4 enterprises have undetected, compromised computers within their network. - Gartner Research Products

  6. MARIPOSA FAQ The biggest ever? - 15.5 million unique IP addresses

  7. MARIPOSA How we detected Mariposa 97% of malware uses DNS to locate its command and control • We use DNS to detect malware. • Strategically placed sensors on the Internet provide DNS visibility into more than a dozen countries. • Ground breaking behaviour analysis engine allows us to determine human vs. automated behaviour

  8. MARIPOSA Timeline January 2009 • Reports concerning the butterfly kit start hitting the web. “This thing...is one bad-mother.” - Rafal Los SPI Dynamics/HP May 2009 • Defence Intelligence notices the formation of a new botnet and starts to track it. June - July 2009 • Tracking establishes the growth of the botnet, little information on victims or perpetrators is known. The butterfly kit is not yet known to be the main compromise mechanism.

  9. MARIPOSA Timeline August - September 2009 • The size of the botnet warrants in-depth investigation. Critical/sensitive networks are identified. The butterfly kit is determined to be the main payload used to spread and maintain control of victims. • Defence Intelligence begins notifying organizations compromised by Mariposa. Notification was not as well received as we had hoped.

  10. MARIPOSA Timeline “You hacked my network!! - This is blackmail!!” “You’re lying! We use Symantec/McAfee/Trend/ etc.” “Who is this? You’re socially engineering me!” “What are you selling?” And a few times: “Thanks for the info, we found the machines and took care of them.”

  11. MARIPOSA Timeline • Only 6 of 41 AV Vendors detected it according to VirusTotal • The Canadian Bankers Association confirms presence within banks • The World Bank releases emerging threat snort signature based upon our binary analysis • Palo Alto Networks releases Wireshark plugins for detection based upon the same analysis

  12. MARIPOSA Timeline October - December 2009 • Start taking over command and control domains • In retaliation, C&C changes to defintelsucks.com,net,org • Track the bad guys (domain registrations, logins, email addresses) • Identify and enumerate victims through sink-holing of C&C channels • Information and evidence gathering for law enforcement

  13. MARIPOSA Timeline December 23, 2009 • MWG executes worldwide takedown of all remaining botnet C&C domains

  14. MARIPOSA Timeline January 22, 2010 • An entry level employee of a European domain registrar working with the MWG accepts a bribe from the botmaster to re-establish control of the botnet. January 25, 2010 • Guilty employee terminated, MWG regains control • DDoS against Defence Intelligence - over 900MB/sec (seen) sustained traffic sent to our network

  15. MARIPOSA Timeline January 26, 2010 - Now • Guardia Civil and the FBI execute search warrants and arrest primary botmaster. • Computing devices are seized and examined, additional participants are arrested by local law enforcement in their countries. • Binaries are distributed to AV companies to create signatures for complete (hopefully) remediation. March 3, 2010 • Spanish LE Hold press conference. • A complete technical analysis is completed.

  16. MARIPOSA Why didn’t the big guys detect this? • Modern malware is designed specifically to avoid detection. This is big business, usually funded by international criminal organizations. • Modern malware updates on average, every 24 hours - AV signatures often take weeks. • The security industry is trying to apply outdated technology and methodology to a threat which has evolved.

  17. MARIPOSA “Less sophisticated cybercriminals still use attacks that AV vendors can catch, but signature-based AV tools are becoming ineffective as fine targeting and one-time packing techniques now dominate commercial malware activities. Traditional tools will be even less relevant as the threatscape shifts.” - McAfee 1,450 Infected files which one or more anti-virus engines failed to detect Infected files detected by all anti-virus engines 67,703 * virustotal.com January 5, 2010

  18. MARIPOSA Anti-Virus • Malicious software generally employs AV detection or evasion. Advanced forms of these techniques disable AV protection entirely. • The amount of malware to process has become overwhelming for every anti-virus company - 50 000 binaries/day - Shadowserver • Modern malware updates on average every 24 hours - Perpetual 0 Day • The major AV vendors have a combined proactive detection rate of 45% - AV Comparatives “The most popular brands of anti-virus have an 80% miss rate. That is not a detection rate, that is a miss rate.” - Australian Computer Emergency Response Team

  19. MARIPOSA Lessons Learned Fighting Malware is all ours responsibility! • If we have to wait for a court order, the bad guys will win. Every time. • As long as Malware uses DNS, we should use DNS to fight Malware. • CyberCriminals make more money than drug traffickers. Every country is losing money to these guys. Domain ReDirection • Sinkholes enable remediation and damage control. • Sinkholes allow us to truly understand a given botnet. You can’t prevent something you don’t understand.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Outline Economics in Mariposa Apply a microeconomic paradigm for 1. Assumptions for DDBMS

1 Outline Economics in Mariposa Apply a microeconomic paradigm for 1. Assumptions for DDBMS

Why is Mariposa Important? Mariposa: A wide-area distributed database Wide-area ( WAN ) differ from Local-area ( LAN ) databases. Each individual site is set up differently: with different access methods. with different data

332 views • 5 slides
State Route 189 (Mariposa Road) International Border to Grand Avenue Public Meeting Nogales High

State Route 189 (Mariposa Road) International Border to Grand Avenue Public Meeting Nogales High

State Route 189 (Mariposa Road) International Border to Grand Avenue Public Meeting Nogales High School February 20 th , 2020 1 Project Need The Mariposa Port of Entry is one of the busiest cargo ports along the U.S.- Mexico border and traffic

106 views • 10 slides
Mariposa Land Port of Entry Project Border Liaison Mechanism (BLM) Meeting March 14, 2013 1

Mariposa Land Port of Entry Project Border Liaison Mechanism (BLM) Meeting March 14, 2013 1

Mariposa Land Port of Entry Project Border Liaison Mechanism (BLM) Meeting March 14, 2013 1 Mariposa Land Port of Entry Project Project Schedule and Progress 2 Mariposa Land Port of Entry, Nogales, Arizona Project Schedule Phase 2: September

346 views • 22 slides
E conomics 101 Demand and Supply Equilibrium (think load balancing) What is D in D

E conomics 101 Demand and Supply Equilibrium (think load balancing) What is D in D

O utline Introduction Food for thought Mariposa: a wide-area distributed Economics 101 database system Paper - background Previous assumptions Key issues with assumptions New requirements M. Stonebraker et al.

264 views • 5 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday,

Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday,

Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday, March 11, 12 Introduction Chris Davis Emerging Threats & University of Toronto Fellow IPTrust, DefIntel, Damballa... Mariposa, Conficker,

158 views • 15 slides
OLD DOGS, NEW MATH ARIZONAS COLLEGE AND Kyrene S chool Di strict CAREER READINESS M arch 2

OLD DOGS, NEW MATH ARIZONAS COLLEGE AND Kyrene S chool Di strict CAREER READINESS M arch 2

OLD DOGS, NEW MATH ARIZONAS COLLEGE AND Kyrene S chool Di strict CAREER READINESS M arch 2 6, 2 0 15 STANDARDS (AZCCRS) Alison Gaedke Math Coach *Lagos *Mariposa http: p://w /www.kyrene ne.org/Page/333 3365 MAIN TOPICS 1) What are

998 views • 42 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
Bachelors in Elementary Education Masters in Curriculum and Instruction Gifted Course Focus

Bachelors in Elementary Education Masters in Curriculum and Instruction Gifted Course Focus

Education: Mariposa Gifted Program alumna Bachelors in Elementary Education Masters in Curriculum and Instruction Gifted Course Focus and Thesis Gifted Endorsement Experience: 9 years in education (all in Kyrene) Gifted

199 views • 15 slides
Plant List for Rick and Monica Alatorres Garden, Richmond Bold text = perennial Unbold text =

Plant List for Rick and Monica Alatorres Garden, Richmond Bold text = perennial Unbold text =

Plant List for Rick and Monica Alatorres Garden, Richmond Bold text = perennial Unbold text = annual Key: Achillea Moonshine, Calochortus plummerae, Claytonia sibirica, Candy Yarrow Plummers Mariposa Flower Lily

44 views • 3 slides
2018 Stars of Life Celebration April 30, 2018 Sheraton Grand Sacramento Sacramento, CA Roesli

2018 Stars of Life Celebration April 30, 2018 Sheraton Grand Sacramento Sacramento, CA Roesli

2018 Stars of Life Celebration April 30, 2018 Sheraton Grand Sacramento Sacramento, CA Roesli Roos Antonis Paramedic Paramedics Plus San Leandro Michael Philley Paramedic Mercy Medical Transportation Mariposa Jose Avila EMT

788 views • 40 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
SEIU Local 521 Membership Survey April 11 May 6, 2016 Retirees, Child Care Region 5: Kern,

SEIU Local 521 Membership Survey April 11 May 6, 2016 Retirees, Child Care Region 5: Kern,

SEIU Local 521 Membership Survey April 11 May 6, 2016 Retirees, Child Care Region 5: Kern, Region 4: Fresno Workers, Etc. Kings & Tulare 158 & Madera 47 114 Region 3: Mariposa, Merced & Stanislaus 40 Region 1: Santa

103 views • 8 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Refugee Befriending Service Market Engagement Event Refugee Integration Team Lancashire County

Refugee Befriending Service Market Engagement Event Refugee Integration Team Lancashire County

Provision of the Lancashire Refugee Befriending Service Market Engagement Event Refugee Integration Team Lancashire County Council 19 March 2019, 1pm 4pm Agenda Time Item Speaker 12:45 Sign in and Refreshments Welcome Introduction

791 views • 59 slides
PPI PENSIONS POLICY INSTITUTE Tax relief for pension saving in the UK Chris Curry, PPI Director

PPI PENSIONS POLICY INSTITUTE Tax relief for pension saving in the UK Chris Curry, PPI Director

PPI PENSIONS POLICY INSTITUTE Tax relief for pension saving in the UK Chris Curry, PPI Director Pensions Policy Institute 15 July 2013 www.pensionspolicyinstitute.org.uk PPI Wed like to thank PENSIONS POLICY INSTITUTE our sponsors...

554 views • 29 slides
Battersea Site Community Liaison Group 01.02.17 Battersea Update Oct 16 Jan 17 Crossover

Battersea Site Community Liaison Group 01.02.17 Battersea Update Oct 16 Jan 17 Crossover

Northern Line Extension Battersea Site Community Liaison Group 01.02.17 Battersea Update Oct 16 Jan 17 Crossover Box 2 Battersea Update Oct 16 Jan 17 SCL TBM Launch Tunnels 3 Battersea Update Oct 16 Jan 17 Station Box

470 views • 20 slides
in-destination experiences platform Claudio Bellinzona COO & Co-Founder What do travellers

in-destination experiences platform Claudio Bellinzona COO & Co-Founder What do travellers

The complete in-destination experiences platform Claudio Bellinzona COO & Co-Founder What do travellers really want? What do travellers really want? To be a Local Tourist Local tourist Easy of discovery across top attractions

583 views • 29 slides
Kinnegad Action Plan Kinnegad Steering Group 22 March 2019 1 2 Agenda 1. Introduction

Kinnegad Action Plan Kinnegad Steering Group 22 March 2019 1 2 Agenda 1. Introduction

Kinnegad Action Plan Kinnegad Steering Group 22 March 2019 1 2 Agenda 1. Introduction Denis Leonard 2. Infrastructure (Killucan Station) Jimmy OConnell 3. Enterprise Richie Allen 4. Streetscape and Environment Melissa

685 views • 56 slides
MultiConVis: A Visual Text Analytics System for Exploring a Collection of Online Conversations

MultiConVis: A Visual Text Analytics System for Exploring a Collection of Online Conversations

Department of Computer Science University of British Columbia MultiConVis: A Visual Text Analytics System for Exploring a Collection of Online Conversations Enamul Hoque, Giuseppe Carenini {enamul, carenini}@cs.ubc.ca NLP group @ UBC Rise of

287 views • 27 slides
Karen DE SMET 24.10.2011 FAMHP FAMHP/kds/ 24.10.2011 F ederal A gency for M edecines and H

Karen DE SMET 24.10.2011 FAMHP FAMHP/kds/ 24.10.2011 F ederal A gency for M edecines and H

F ederal A gency for M edecines and H ealth P roducts F ederal A gency for M edicines and H ealth P roducts (FAMHP) Karen DE SMET 24.10.2011 FAMHP FAMHP/kds/ 24.10.2011 F ederal A gency for M edecines and H ealth P roducts Biosimilar

84 views • 7 slides
What do todays regulators and regulatees need to know? George Yarrow Regulatory Policy

What do todays regulators and regulatees need to know? George Yarrow Regulatory Policy

What do todays regulators and regulatees need to know? George Yarrow Regulatory Policy Institute, Oxford, UK www.rpieurope.org george.yarrow@rpieurope.org 1 The advertised brief Why and how do we regulate? What are the key skills

521 views • 12 slides

More recommend