A new information-stealing botnet is on the loose in corporate America, having infected at least 50 of the Fortune 100.
Security experts have identified over 70 variants of the virus with varying purposes, including email address harvesting, injecting code into known system processes, and surreptitiously downloading malware onto corporate computers and networks.
Canadian information security firm Defence Intelligence has tagged the virus as Mariposa and claims to have identified its activity in tens of thousands of unique corporate networks since its discovery in May of 2009.
"The purpose behind so many variants may only be functionality differences or efforts at avoiding AV detection," speculates the firm, "but it does not reveal the number of controllers or the exact motivation behind the overall threat."
Antivirus giant Trend Micro thinks this may be a new twist on an older threat. Paul Ferguson, Senior Threat Researcher with the company, describes it as "one of those smaller, more obscure botnets. The insidious thing about botnets—especially those that fly under the radar—is that the possibility is much greater of data being stolen by criminals," since the threat is relatively unknown.
This one could be especially problematic for corporate security, notes Michael Fitzpatrick, president of information risk management consultancy NCX Group. He points out that the bot appears to operate in an unusual way: by flooding a network with UDP traffic.
"That's usually traffic for your logs, for the routers and switches in the network," explains Fitzpatrick. "This would flood the logs, and this malware may be using that fact to mask and disguise what's actually happening."
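The masking behaviour Fitzpatrick describes is also a signal a defender can look for: a host that suddenly emits far more UDP than its peers stands out in flow data even while it is burying other entries in the logs. The following script is an added example, not code from the article or from Defence Intelligence or NCX Group; the NetFlow-style key=value record format, the sample records (constructed, including the 10.0.1.x addresses) and the thresholds are all assumptions chosen for illustration.

```python
"""Flag UDP-flood behaviour from flow records, per source host and per minute.

Added example (not from the article or the firms it quotes). The record format,
the constructed sample data and the thresholds are assumptions for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow records: two normal hosts doing DNS and syslog, and
# one host (10.0.1.77) pushing thousands of UDP packets a minute at several
# destinations, which is the pattern the article attributes to the bot.
SAMPLE_FLOW_LINES = [
    "2009-05-12T10:00:01Z src=10.0.1.5 dst=10.0.1.1 proto=udp dport=53 pkts=2",
    "2009-05-12T10:00:07Z src=10.0.1.9 dst=10.0.1.1 proto=udp dport=53 pkts=3",
    "2009-05-12T10:00:12Z src=10.0.1.5 dst=10.0.1.250 proto=udp dport=514 pkts=4",
    "2009-05-12T10:00:20Z src=10.0.1.9 dst=10.0.1.250 proto=tcp dport=443 pkts=900",
    "2009-05-12T10:00:30Z src=10.0.1.77 dst=10.0.1.250 proto=udp dport=514 pkts=4200",
    "2009-05-12T10:00:45Z src=10.0.1.77 dst=10.0.1.255 proto=udp dport=1434 pkts=3100",
    "2009-05-12T10:00:50Z src=10.0.1.77 dst=10.0.1.1 proto=udp dport=53 pkts=2900",
    "2009-05-12T10:01:05Z src=10.0.1.5 dst=10.0.1.1 proto=udp dport=53 pkts=1",
    "2009-05-12T10:01:15Z src=10.0.1.77 dst=10.0.1.250 proto=udp dport=514 pkts=5000",
    "2009-05-12T10:01:40Z src=10.0.1.9 dst=10.0.1.1 proto=udp dport=53 pkts=2",
]

# Assumed record layout: ISO timestamp followed by key=value fields.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) pkts=(?P<pkts>\d+)$"
)


def parse_flow(line):
    """Parse one flow record into a dict; raise on anything that does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    rec["dport"] = int(rec["dport"])
    rec["pkts"] = int(rec["pkts"])
    return rec


def udp_packets_per_minute(lines):
    """Return {minute_start: {src: udp_packets}}; non-UDP flows are ignored."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_flow(line)
        if rec["proto"].lower() != "udp":
            continue
        minute = rec["ts"].replace(second=0, microsecond=0)
        buckets[minute][rec["src"]] += rec["pkts"]
    return buckets


def detect_udp_floods(lines, abs_threshold=1000, peer_factor=20):
    """Return (minute, src, pkts) for hosts whose UDP packet count in a minute
    is above an absolute floor AND at least peer_factor times the median of
    the other hosts seen that minute. Both thresholds are assumed values; tune
    them against your own baseline before relying on the output."""
    alerts = []
    for minute, per_src in sorted(udp_packets_per_minute(lines).items()):
        for src, pkts in per_src.items():
            peers = [p for s, p in per_src.items() if s != src]
            peer_median = statistics.median(peers) if peers else 0
            if pkts >= abs_threshold and pkts >= peer_factor * max(peer_median, 1):
                alerts.append((minute.isoformat(), src, pkts))
    return alerts


def top_talker_share(lines):
    """Return (src, share) for the host contributing most UDP packets overall,
    i.e. how much of the UDP log volume one host accounts for."""
    totals = defaultdict(int)
    for per_src in udp_packets_per_minute(lines).values():
        for src, pkts in per_src.items():
            totals[src] += pkts
    grand_total = sum(totals.values())
    src, pkts = max(totals.items(), key=lambda kv: kv[1])
    return src, round(pkts / grand_total, 4)


if __name__ == "__main__":
    for minute, src, pkts in detect_udp_floods(SAMPLE_FLOW_LINES):
        print(f"{minute}  {src}  {pkts} UDP packets/minute")
    print("top UDP talker:", top_talker_share(SAMPLE_FLOW_LINES))
```

On the constructed data, the flooding host is flagged in both minutes and accounts for well over 99% of all UDP packets logged, which is the practical effect Fitzpatrick describes: the genuine DNS and syslog entries from the other hosts become a rounding error in the log volume. The peer-relative check matters because an absolute threshold alone either fires on busy but legitimate servers or misses a modest flood on a quiet segment.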
In addition, this threat is very complex, working in multiple ways: running automatically from USB sticks, through an Internet-based update module, and across the MSN Messenger chat network, plus there's a command and control interface to talk to other elements.
The prospect of hidden botnets roaming unchecked through corporate networks is a frightening one, but at this point there is little information about how dangerous this one actually is. Still, better safe than sorry, notes Fitzpatrick, who suggests that IT pros keep an ear to the ground. After all, everyone has heard of the big-name threats, such as Conficker. "There are lots of little, small, specially crafted botnets that fly under the radar. And they're really the danger."