Wireshark Plugin for Mariposa Botnet Command and Control

As a follow-up to last week's post on Mariposa infection research, Yamata Li of the Palo Alto Networks Threat Research Team has developed a Wireshark plugin that lets you open obfuscated packet captures of traffic from a Mariposa-infected client and decrypt the command and control exchanges directly within Wireshark. The plugin is released to everyone as open source software under the GNU GPL license. We hope it helps with further investigation and research into the Mariposa botnet. Special thanks to Defence Intelligence for their analysis of Mariposa.
Read on for information on installing and using the plugin.
Where to get it
The project is hosted here on Google Code.
How to install it
Unzip the mariposa.zip file. It contains three files: mariposa.dll, the source file, and packet-mariposa.c. Copy the DLL into the Wireshark plugin directory, for example d:\wireshark\plugin. The code was compiled against Wireshark version 1.2.2; it may work with earlier versions, but there are no guarantees.
How to use it
Restart Wireshark and open a PCAP containing the Mariposa command and control traffic. Locate the traffic you want to decrypt, right-click it and select Decode As…

A dialog box will appear (on the Transport tab) with a list of protocols on the right-hand side. Find and select MARIPOSA, then click Apply.


Copyright © 2012 The Security Blog. All rights reserved.