Discerning relationships: the Mexican botnet connection

From Botnets.fr


Botnet Tequila, Mariachi, Alebrije, Mehika
Date 2010 / 2010-09
Editor/Conference Trend Micro
Link http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_discerning-relationships__mexican-botnet.pdf
Author Ranieri Romera
Type White paper


This research paper shows the capabilities of the four members of the Botnet PHP family, so named because the toolkit used to build its member botnets is written in PHP script. PHP is a widely used general-purpose scripting language that is especially suited for Web development and that can be embedded into HTML.

The Botnet PHP family comprises four botnets, the most popular of which were the Tequila and Mariachi botnets that targeted Mexican users. The four botnets that made up the Botnet PHP family are:

  • Botnet PHP v1.0: More popularly known as the Tequila botnet.
  • Mini Botnet PHP v1.0: More popularly known as the Mariachi botnet.
  • Botnet PHP v2.0: More popularly known as the Alebrije botnet.
  • TwitterBot v1.0: More popularly known as the Mehika Twitter botnet.

The Botnet PHP family first made waves in the second half of May 2010, when more than 1,000 systems were infected in Mexico. Since Mexico has the eighth-largest number of Internet hosts of any country in the world, an infection count this large in such a short span of time put millions of systems at risk.

Though the Tequila botnet was subsequently taken down by its owners after Trend Micro's discovery, its rise to fame led to the creation of more botnets using the same toolkit. Over time, the Tequila botnet evolved through the addition, deletion, or modification of components using the Botnet PHP toolkit. In response, we will continue to monitor the activities of the criminal minds behind the Botnet PHP toolkit, as there is no telling how many other botnets have already been built or can be crafted with its help. After all, cybercriminals will stop at nothing to profit from their malicious schemes.


 @misc{2010BFR1214,
   editor = {Trend Micro},
   author = {Ranieri Romera},
   title = {Discerning relationships: the Mexican botnet connection},
   date = {01},
   month = Sep,
   year = {2010},
   howpublished = {\url{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_discerning-relationships__mexican-botnet.pdf}},