As a follow-up to last week’s post regarding Mariposa infection research, Yamata Li of the Palo Alto Networks Threat Research Team has developed a Wireshark plugin that lets you view obfuscated pcaps of traffic from a Mariposa-infected client and decrypt them directly within Wireshark. The software is available to all as open source under the GNU GPL license. We hope that it helps in further investigation and research into the Mariposa botnet. Special thanks to Defence Intelligence for their analysis of Mariposa.
Read on for information on installing and using the plugin.
The project is hosted here on Google Code.
Unzip the mariposa.zip file. It contains 3 files: mariposa.dll, the source file, and packet-mariposa.c. Copy the DLL into the Wireshark plugin directory, for example d:\wireshark\plugin. The code was compiled against Wireshark version 1.2.2. It may work on earlier versions, but there are no guarantees.
Restart Wireshark. Open a PCAP of the Mariposa command and control traffic. Locate the traffic you want to decrypt, right-click it and select Decode As…
A dialog box will appear (on the Transport tab) with a list of protocols on its right side. Search for and choose MARIPOSA, then click Apply.
“MARIPOSA” will now appear as the protocol for the associated traffic.
In the Wireshark Packet Details pane there is a tree named MARIPOSA Protocol containing the items Opcode, Seq, Original Data, Decrypted Data, BOT cmd and BOT cmd Content. Decrypted Data is probably the most interesting; click on it to view the decrypted data.
Mariposa pulling a file down from Rapidshare
Receiving attack instructions
A confirmation message from the infected client to the command and control server - "Flood running"