Mariposa FAQ.



Q. Who are the members of the Mariposa Working Group?
A. Defence Intelligence, Panda Security, Neustar, Directi, Georgia Tech Information Security Center and other security researchers who have asked not to be named.

Q. How big is the botnet ?
A. The exact number of compromised systems is difficult to pinpoint; however, between December 23rd and February 9th over 11 million unique IP addresses were identified. Note that a unique IP count is only a proxy for the number of infected hosts: DHCP churn inflates it, while NAT hides several machines behind a single address.

Q. What does it do?
A. Designed for information theft, Mariposa has stolen personal data from millions of compromised computers. This data included account information, usernames, passwords and banking details. Additional malware downloaded by Mariposa has also been used in distributed denial of service attacks.

Q. Who is responsible for it?
A. Iserdo, who was recently arrested in Slovenia, was the author of the Butterfly malware kit. The three people Spanish law enforcement arrested earlier used that kit to create the Mariposa botnet. Spanish authorities identified them by their Internet handles and their ages: "netkairo," 31; "jonyloleante," 30; and "ostiator," 25.

Q. What banks/companies are involved? Who have you talked with?
A. The botnet of infected computers included PCs inside more than half of the Fortune 1,000 companies and more than 40 major banks, according to investigators. A lookup to find out whether your network is compromised by Mariposa is available on this site.

Q. When did you find it?
A. We have been tracking Mariposa since May 2009.

Q. How does it spread?
A. By default, the malware is designed to spread via instant messenger programs, USB keys and P2P networks. During our analysis we have also observed attempts by the malware to spread using Internet Explorer 6 exploits.

Q. Why did my AV not detect this?
A. With over 200 variants in circulation, some Mariposa samples are currently detected by antivirus products and some are not. Coordination with antivirus companies is ongoing to ensure that their signatures are updated. Defence Intelligence's products, Nemesis and Harbinger, have the ability to protect networks from Mariposa and other botnets.

Q. How can it be detected and mitigated?
A. Snort rules and a Wireshark plugin are available on this site under "Mariposa Details." They are effective against only some variants of the Mariposa malware. Until AV signatures are updated, removal techniques will have to be determined by each affected organization. For full compromise protection please refer to Nemesis Compromise Protection.

Q. What does Defence Intelligence do?
A. We specialize in compromise protection.

Defence Intelligence

Our unique approach to online threats, combined with innovative software and technology, provides your organization with a comprehensive and effective security solution.

© 2008-2010 Network Defence Intelligence Inc.