Mariposa

Analysis

This botnet detection covers the activity of the Mariposa botnet, also known as Bflient or Butterfly.

When the bot communicates with its C&C server, it receives a list of browser window titles and a URL list. It then enumerates the infected user's windows, reads the title of each, and compares the titles against its list of window titles. If a window title matches one on the list (for example, a title belonging to a window of the Internet Explorer web browser), the malware randomly selects a URL from its URL list and opens it in a new browser window. All of the URLs in the list direct to advertising sites controlled by the attackers.

More details are available in this Virus Bulletin article.

Instructions

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.
