Author Topic: Mariposa Stats  (Read 2582 times)


March 10, 2010, 05:24:39 pm


  • Administrator
  • Hero Member


One of the most interesting things in order to know how the bot behind Mariposa has been spreading is to study the geographical distribution of the infections. Unlike other cases, the Mariposa Working Group stats don't come from scanning PCs. In order to prevent the DDP Team from controlling Mariposa, we managed to change the DNS of the C&C servers, so all the bots were redirected to a sinkhole. That's when we realized for the first time how huge the botnet was. We were able to see all the IP addresses of each and every bot that was trying to reach the C&C server to receive instructions. As you know, the number of IPs is not equivalent to the number of computers, as one computer can use multiple IP addresses, and many computers can use just 1 IP address (this usually happens in companies that connect to the Internet through a proxy server).
Ruining the bad guy's day
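
An added example, not part of the original post: a short Python summary of a sinkhole connection log showing why the IP count and the machine count diverge, with one proxy address hiding several machines and one machine appearing under several addresses. The log format, the sample lines and the per-machine `bot_id` column are assumptions made for illustration; the post only says that source IP addresses were visible at the sinkhole.

```python
from collections import defaultdict

# Constructed sample sinkhole log: "timestamp src_ip bot_id".
# bot_id is a hypothetical per-machine identifier (an assumption);
# the addresses are documentation ranges, not real observations.
SAMPLE_LOG = """\
2010-01-05T08:00:01 198.51.100.7 bot-a
2010-01-05T08:00:09 198.51.100.7 bot-b
2010-01-05T08:01:30 198.51.100.7 bot-c
2010-01-05T09:12:44 203.0.113.20 bot-d
2010-01-06T07:45:10 203.0.113.91 bot-d
2010-01-06T07:50:02 198.51.100.7 bot-e
2010-01-07T10:03:27 203.0.113.140 bot-d
"""

def parse(log_text):
    """Yield (day, ip, bot_id) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, bot_id = parts
        yield ts.split("T")[0], ip, bot_id

def summarize(log_text):
    """Compare address counts with machine counts for one sinkhole log."""
    bots_per_ip = defaultdict(set)   # many machines behind one address (proxy/NAT)
    ips_per_bot = defaultdict(set)   # one machine seen from many addresses
    ips_per_day = defaultdict(set)   # daily view limits address-churn inflation
    for day, ip, bot_id in parse(log_text):
        bots_per_ip[ip].add(bot_id)
        ips_per_bot[bot_id].add(ip)
        ips_per_day[day].add(ip)
    return {
        "unique_ips": len(bots_per_ip),
        "unique_bots": len(ips_per_bot),
        "shared_ips": sorted(ip for ip, b in bots_per_ip.items() if len(b) > 1),
        "roaming_bots": sorted(b for b, i in ips_per_bot.items() if len(i) > 1),
        "daily_unique_ips": {d: len(i) for d, i in sorted(ips_per_day.items())},
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In this constructed sample the cumulative address count understates the proxied machines and overstates the roaming one, which is why sinkhole figures are usually reported as unique IPs per time window rather than as a machine count.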