Hi all, We've developed a Wireshark plugin that will allow you to view obfuscated pcaps of traffic from a Mariposa infected client and actually decrypt them within Wireshark. The software is available to all as open source software under the GNU GPL license. We hope that it helps in doing further investigation and research into the Mariposa botnet. Special thanks to Defence Intelligence for their analysis on Mariposa.
You can get more information for this tools on our blog at http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/ You can also get the source code and a Windows DLL from the google code at http://code.google.com/p/botnetdecoding/ Thanks, M.Yanagishita