Over the past month, we've been pulled in by customers to analyze various "weird" behavior on the network. One of these instances happened a few weeks ago. A large Fortune 200 customer was reviewing application usage on the network using the Palo Alto Networks devices and discovered that a few devices in globally disparate locations were consistently sending 7-byte UDP packets to a few IP addresses. When we analyzed the traffic and the IP addresses, it was clear that these were clients infected with a bot. We quickly found a sample, analyzed it, and released a signature to detect the command-and-control communication.

We later came to find out that the aforementioned sample was Mariposa. Mariposa is also known as Butterfly, Delf, Autorun, and Pilleuz. Mariposa has a few ways of spreading: via P2P applications, via IM messages carrying links that infect other hosts, and by copying itself to removable drives. The primary propagation vector is the P2P method, as it copies itself to the shared directories of Ares, Bearshare, DC++, eMule, iMesh, Kazaa, LimeWire, and Shareaza.
When we compared two US universities of equal size (roughly 13,000 students each), we were intrigued to find that the institution with open application usage policies had roughly 250 infected clients (an infection rate of about 2%). The other university takes a more proactive approach to application usage on the network and actively uses the Palo Alto Networks devices to control P2P applications. That university has seen only a few infected clients. The difference lies in the control of the P2P applications: if you can control the applications, you can control the threats that ride in over those connections.
Control the application, control the threats.