DocumentCode
3108561
Title
Insights from the analysis of the Mariposa botnet
Author
Sinha, Prosenjit ; Boukhtouta, Amine ; Belarde, Victor Heber ; Debbabi, Mourad
Author_Institution
Comput. Security Lab., Concordia Univ., Montreal, QC, Canada
fYear
2010
fDate
10-13 Oct. 2010
Firstpage
1
Lastpage
9
Abstract
Nowadays, botnets are among the top network threats, combining innovative hacking capabilities. This is because they are constantly improved by hackers to become more resilient against detection and debugging techniques. In this respect, we analyze one of the most prominent botnets, namely Mariposa, which infected more than 13 million computers located in more than 190 countries. We analyze the botnet's architecture, components, commands and communication. In this setting, we detail the obfuscation and anti-debugging techniques it uses. Moreover, we detail the infection and code-injection techniques it applies to legitimate processes. In addition, we explain the spreading mechanisms employed in Mariposa as well as the underlying communication protocols. More importantly, we analyze the injected bot code. This is accomplished by a reverse-engineering exercise that combines network analysis with static and dynamic analysis of the binary. The insights from this work are meant to illustrate the know-how used in current botnet technologies and to support the elaboration of analysis, detection and prevention techniques.
Keywords
computer crime; computer network security; invasive software; reverse engineering; software agents; Mariposa Botnet; antidebugging techniques; code-injection techniques; infection techniques; innovative hacking capabilities; network analysis; network threats; obfuscation techniques; reverse-engineering analysis; Computer hacking; Hardware; Malware; Protocols; Registers; Servers; Botnet; Code Injection; Communication Protocols; Encryption and Decryption; Malware; Mariposa; Obfuscation; Reverse-Engineering; Spreading;
fLanguage
English
Publisher
ieee
Conference_Titel
Risks and Security of Internet and Systems (CRiSIS), 2010 Fifth International Conference on
Conference_Location
Montreal, QC
Print_ISBN
978-1-4244-8641-0
Electronic_ISBN
978-1-4244-8642-7
Type
conf
DOI
10.1109/CRISIS.2010.5764915
Filename
5764915