Insights from the analysis of the Mariposa botnet

From Botnets.fr
Botnet: Mariposa
Date: 2010
Link: http://www.ncfta.ca/papers/InsightsFromTheAnalysisOfTheMariposaBotnet.pdf
Authors: Prosenjit Sinha, Amine Boukhtouta, Victor Heber Belarde, Mourad Debbabi

Abstract

Nowadays, botnets are among the topmost network threats, combining innovative hacking capabilities. This is because they are constantly improved by their operators to become more resilient against detection and debugging techniques. In this respect, we analyze one of the most prominent botnets, namely Mariposa, which infected more than 13 million computers located in more than 190 countries. We analyze the botnet's architecture, components, commands and communication, and we detail the obfuscation and anti-debugging techniques it uses. Moreover, we detail the infection technique and the injection of code into legitimate processes. In addition, we explain the spreading mechanisms employed by Mariposa as well as the underlying communication protocols. More importantly, we analyze the injected bot code. This is accomplished by a reverse-engineering exercise that combines network analysis with static and dynamic reverse-engineering analysis. The insights from this work are meant to illustrate the know-how used in current botnet technologies and to enable the elaboration of analysis, detection and prevention techniques.

Bibtex

 @misc{2010BFR1143,
   author = {Prosenjit Sinha and Amine Boukhtouta and Victor Heber Belarde and Mourad Debbabi},
   title = {Insights from the analysis of the Mariposa botnet},
   day = {27},
   month = apr,
   year = {2010},
   howpublished = {\url{http://www.ncfta.ca/papers/InsightsFromTheAnalysisOfTheMariposaBotnet.pdf}},
 }